Over on my Ask Dave Taylor blog, I have an area where people can ask questions and, if they’re dying for an answer, pay for a “priority answer”. In practice, it’s a $99 payment via PayPal to ensure that I’ll respond within 24-48 hours or their money cheerfully refunded.
This afternoon, however, someone ostensibly came to the site, submitted a question, paid the fee and then about twenty minutes later filed an “unauthorized transaction” report with PayPal, which froze the transaction. The notice I received said “Recently, PayPal received a notification from a user regarding unauthorized access to his PayPal account. As a result, one of the payments credited to your PayPal account has been placed in a temporary hold while we investigate the claim.”
Problem was, it was almost impossible for me to tell if it was real or a savvy phishing attempt.
The email looked legitimate enough, frankly:
An unauthorized account activity claim was recently filed against the following transaction:
Transaction Date: May 15, 2007
Transaction Amount: -$99.00 USD
Your Transaction ID: 1UW9381H98351U
Buyer’s Transaction ID: 5UU7612412542N
Case Number: PP-235-381-308
Buyer’s Name: [blocked]
Buyer’s Email: [blocked]
To complete our investigation, you must provide additional information within the next seven days. Please log in to your PayPal account at https://www.paypal.com and go to the Resolution Center to view the details of this case. You will have the opportunity to enter any details or information regarding this case which will help PayPal investigate the matter fully.
Maybe it’s just me, but any time I see a link in any sort of email message nowadays, I’m instantly skeptical. In fact, I closely read the message to see if there was some game where I’d click on what I thought was the PayPal link, just to be whisked to a site where they were trying to harvest my PayPal account information.
Apparently it was legit because when I typed paypal.com into my browser address bar and logged in to my PayPal account, there was indeed a problem indicated, though a quick visit to the resolution center resolved it (I refunded him the $99 transaction, simple enough).
Further investigation on my part revealed that there was no logged question from either the person’s name or email address, so someone clearly was playing games (though they must have had his PayPal account password, so if I were him, I would be taking a very, very close look at all my transactions!). I’m sure it was indeed some sort of spoof or practical joke, and I am glad it was so easy to resolve.
Nonetheless, it does amaze me in this day and age that smart companies like PayPal send out messages that include fully qualified URLs. It’s just an invitation for phishers to model their own messages after these, masking page addresses with tricks like an HTML link whose visible text reads as the legitimate site’s address while the underlying href points somewhere else entirely.
When you view that link in a formatted email message, it looks quite legit and there’s really nothing to warn you that it might not be in your best interest to proceed, especially if the phisher has done his homework and perfectly emulated the login page of PayPal or whatever other site is the target for harvesting account information.
Instead, PayPal, eBay, Amazon, MySpace and all the other popular sites with desirable (to hackers) accounts should have a clear, written policy that they will never send out email with any clickable links. No questions asked. If they need to communicate with you, the customer, they can do so via email, but the email should say:
“To resolve this issue, please type “paypal.com” into your Web browser and log in to your account. (We don’t give you a clickable link for your own security and safety).”
Wouldn’t that be cool? Do you know of any big companies that are doing just that in their email communications?