Paypal is phishing target #1, but they still email their customers?

Imagine my surprise when one of the many email messages I received from Paypal today turns out to be legitimate! I received the following from “service@paypal.com”:

Pursuant to section 326 of the USA PATRIOT Act, the U.S. Department of the
Treasury and the Securities and Exchange Commission require PayPal Funds to
obtain, verify, and record the following information for each investor in
the PayPal Money Market Fund.

A bit hard to believe on the surface — and I admit that I viewed the source of the message, convinced it was yet another sneaky phishing scam — but it’s a legitimate message. Which absolutely begs the question…

Why on earth is Paypal sending out email telling me to click on a URL and log into my account? Worse, they’re not just asking me to validate my account information but also enter my date of birth and tax identification number (read “social security number”) on that page too!

I predict that it’ll take about 48 hours for phishers to take this very same email message, spoof the landing page, and not just collect Paypal account information but much more valuable and interesting data too, data that makes it incredibly easy to invade Paypal’s customer’s financial data records.

I like Paypal, don’t misunderstand me. I transact business through their system on a weekly basis and have enjoyed working with the company since before it merged with x.com. But in that entire time I have never seem such a daft move on their part. I mean, come on Paypal, what on earth were you thinking when you approved this email to customers?

Communicating With Customers in a Spammy World

This really makes me think about how spam and related email-based scams, cons and hustles have fundamentally changed how companies interact with their customers. From Wells Fargo to Schwab, Paypal to eBay, if it’s a site that requires a login for you to proceed, they can no longer safely send email to their customers. Ever.

And yet, scan your inbox (or your deleted mail archive) and I’ll bet that you are still getting email messages from sites like these, sites where it could be embarrassing, or worse, if someone else snuck into your account and played around for a few minutes.

How to deal with this problem? One solution that I’d love is if all of this junk email went away, if setting up and disseminating a phishing message was punishable by severe fines and jail time, and blatant spamming was cause to be permanently banned from the Internet. But that’s not going to happen, so the burden therefore must shift to online companies, for them to be cognizant of the risks and thoughtful in the execution of their customer communications strategy.

One simple approach: state in the very first line that “We never embed any URLs in our email. Simply go to our home page and log in.” and reiterate that on the initial signup page and each time the customer logs in to the site.

Or, in an ironically Luddite solution, make sure that you collect physical mailing addresses for customers and then mail out postcards or similar when there’s critical information to be collected or an important reason for them to log in to the site. Nothing online, nothing to be scammed.

I’m sure that there are plenty of other ways that companies can increase the credibility of their customer communications, and can, if necessary, send out email to customers in a way that instills confidence rather than triggering scam alarms. What would you suggest if you were counsel to Paypal?

3 comments on “Paypal is phishing target #1, but they still email their customers?

  1. I’d have immediately trashed it without reading or checking it out. Whenever I see *any* email from a financial firm asking me to verify anything, I delete it. If I think there’s a remote chance it may be legit, I’ll go to the site and log on outside of the email link (much like you mentioned).
    Very stupid move on Paypal’s part…

  2. I recommend that no one ever do any shopping, banking, investing, or any other sensitive transaction online.
    Besides phishing for funds transfers, there is also identity theft.
    Never give any bank, hospital, insurance company, real estate firm, investment fund, or other financial firm your email address. That way, you automatically know any email from them is false.
    I say PayPal should sent certified mail or similar, to notify customers to visit their web site. But is info from you to the web site sufficiently encrypted?
    Do you use encrypted email signatures?
    I’m getting a lot of phishing spam, with subject lines like “We need your updated info (acct# 7253887659)” or “RE: Your Code #4J989WQ” or “Pre-Approved Application #VBH2924-454R” etc.
    There are typos and bad grammar in subject lines also.
    I delete without opening them.
    I hear there is a new phishing scam, where people are getting emails supposedly from the FBI telling them they visited some illegal web sites, or they illegally visited some web sites with proper authorization, and they must go to an “FBI web site” to provide info and learn what fines they must pay.
    To scare people and get them to provide sensitive information.
    And I’ve gotten lots of phish emails “seemingly from” PayPal, eBay, Amazon.com, and Washington Mutual, when it’s crazy, because I have no accounts at any of these services.

  3. I’ve been a PayPal member for years, and I have never received that odd “USA PATRIOT ACT” email. Are you certain it was legit? Maybe you were tricked into believing it was a genuine PayPal email. Remember, that PayPal will always address you by your real name in the greeting line (“Dear Jane Smith”, rather than just say “Dear PayPal Customer.” And they are quite aware of the problem of clicking on links, so they don’t ask you to click on a URL link…they advise you to copy and paste it into your browser. Sounds like a scam email to me.

Leave a Reply

Your email address will not be published.