Imagine my surprise when one of the many email messages I received from Paypal today turned out to be legitimate! I received the following from “firstname.lastname@example.org”:
A bit hard to believe on the surface — and I admit that I viewed the source of the message, convinced it was yet another sneaky phishing scam — but it’s a legitimate message. Which absolutely begs the question…
Why on earth is Paypal sending out email telling me to click on a URL and log into my account? Worse, they’re not just asking me to validate my account information but also enter my date of birth and tax identification number (read “social security number”) on that page too!
I predict that it’ll take about 48 hours for phishers to take this very same email message, spoof the landing page, and collect not just Paypal account information but much more valuable and interesting data too, data that makes it incredibly easy to invade Paypal customers’ financial records.
I like Paypal, don’t misunderstand me. I transact business through their system on a weekly basis and have enjoyed working with the company since before it merged with x.com. But in that entire time I have never seen such a daft move on their part. I mean, come on Paypal, what on earth were you thinking when you approved this email to customers?
Communicating With Customers in a Spammy World
This really makes me think about how spam and related email-based scams, cons and hustles have fundamentally changed how companies interact with their customers. From Wells Fargo to Schwab, Paypal to eBay, if it’s a site that requires a login for you to proceed, they can no longer safely send email to their customers. Ever.
And yet, scan your inbox (or your deleted mail archive) and I’ll bet that you are still getting email messages from sites like these, sites where it could be embarrassing, or worse, if someone else snuck into your account and played around for a few minutes.
How to deal with this problem? One solution that I’d love is if all of this junk email went away, if setting up and disseminating a phishing message was punishable by severe fines and jail time, and blatant spamming was cause to be permanently banned from the Internet. But that’s not going to happen, so the burden therefore must shift to online companies, for them to be cognizant of the risks and thoughtful in the execution of their customer communications strategy.
One simple approach: state in the very first line that “We never embed any URLs in our email. Simply go to our home page and log in.” and reiterate that on the initial signup page and each time the customer logs in to the site.
Or, in an ironically Luddite solution, make sure that you collect physical mailing addresses for customers and then mail out postcards or similar when there’s critical information to be collected or an important reason for them to log in to the site. Nothing online, nothing to be scammed.
I’m sure that there are plenty of other ways that companies can increase the credibility of their customer communications, and can, if necessary, send out email to customers in a way that instills confidence rather than triggering scam alarms. What would you suggest if you were counsel to Paypal?