The problem with phishing: is that email real?

Over on my Ask Dave Taylor blog, I have an area where people can ask questions and, if they’re dying for an answer, pay for a “priority answer”. In practice, it’s a $99 payment via PayPal to ensure that I’ll respond within 24-48 hours or their money cheerfully refunded.
This afternoon, however, someone ostensibly came to the site, submitted a question, paid the fee and then about twenty minutes later filed an “unauthorized transaction” report with PayPal, which froze the transaction. The notice I received said “Recently, PayPal received a notification from a user regarding unauthorized access to his PayPal account. As a result, one of the payments credited to your PayPal account has been placed in a temporary hold while we investigate the claim.”
Problem was, it was almost impossible for me to tell if it was real or a savvy phishing attempt.


The email looked legitimate enough, frankly:


An unauthorized account activity claim was recently filed against the following transaction:
Transaction Date: May 15, 2007
Transaction Amount: -$99.00 USD
Your Transaction ID: 1UW9381H98351U
Buyer’s Transaction ID: 5UU7612412542N
Case Number: PP-235-381-308
Buyer’s Name: [blocked] Buyer’s Email: [blocked] To complete our investigation, you must provide additional information within the next seven days. Please log in to your PayPal account at https://www.paypal.com and go to the Resolution Center to view the details of this case. You will have the opportunity to enter any details or information regarding this case which will help PayPal investigate the matter fully.


Maybe it’s just me, but any time I see a link in any sort of email message nowadays, I’m instantly skeptical. In fact, I closely read the message to see if there was some game where I’d click on what I thought was the PayPal link, just to be whisked to a site where they were trying to harvest my PayPal account information.
Apparently it was legit because when I typed paypal.com into my browser address bar and logged in to my PayPal account, there was indeed a problem indicated, though a quick visit to the resolution center resolved it (I refunded him the $99 transaction, simple enough).
Further investigation on my part revealed that there was no logged question from either the person’s name or email address, so someone clearly was playing games (though they must have had his PayPal account password, so if I were him, I would be taking a very, very close look at all my transactions!) so I’m sure it was indeed some sort of spoof or practical joke and am glad it was so easy to resolve.
Nonetheless, it does amaze me in this day and age that smart companies like PayPal send out messages that include fully qualified URLs. It’s just an invitation for phishers to model their own messages after these, but to mask page addresses with tricks like:
        <a href="http://www.phishersite.hack/">https://www.paypal.com/</a>
When you view that link in a formatted email message, it looks quite legit and there’s really nothing to warn you that it might not be in your best interest to proceed, especially if the phisher has done his homework and perfectly emulated the login page of PayPal or whatever other site is the target for harvesting account information.
Instead, PayPal, eBay, Amazon, MySpace and all the other popular sites with desirable (to hackers) accounts should have a clear, written policy that they will never send out email with any clickable links. No questions asked. If they need to communicate with you, the customer, they can do so via email, but the email should say:

“To resolve this issue, please type “paypal.com” into your Web browser and log in to your account. (We don’t give you a clickable link for your own security and safety).”

Wouldn’t that be cool? Do you know of any big companies that are doing just that in their email communications?

4 comments on “The problem with phishing: is that email real?

  1. I don’t know of any big companies that provide non-clickable link instructions in their emails to customers. But like you, I wish they would. I get fake emails from thieves claiming to be PayPal at least once a month. Each time I forward the email to the real PayPal’s fraud center. I wonder if that’s the only way they are able to track down scam artists.
    I get nervous every time I get an email showing Amazon, my car insurance company, or my bank in the “sent from” field. I’ve had my identity stolen three times over the years with thousands of dollars charged to my credit cards. I always tell myself that I’ll start paying with cash, but honestly the banks make it so easy to feel worry-free about this stuff. They refund my money with few questions asked, so I keep using my cards for everything.
    But with internet scams being supposedly such a big issue, you would think that these big companies with lots of money, with access to the best security resources, and with the smartest people, would at least be savvy enough to not put clickable links in their emails.
    -RY

  2. I’ve gotten to the point where I don’t believe any of those emails I get. I got an email from Google once about an open position. I looked at the email for about five minutes, looked at the headers, and scratched my head before I finally convinced myself that it actually was real. Someone else said that their email from Google (for the same position) had ended up in the spam box of their Hotmail account.

  3. Etsy.com is doing exactly what you talk about. Their policy is to never send you an email with hyperlinks. I just saw it a week ago and thought it was interesting… I am usually skeptical about clicking links in emails, but I figure as long as you check the url in your web browser before proceeding it isn’t a big deal… worst case there’s some script that confirms you read the email… but on the other hand, asking me to visit the site manually is fine too.

  4. I’ve received an e-mail similar to the one you describe, Dave. It came about because someone’s PayPal debit card was stolen and the thief was running up their bill.
    Unfortunately, the e-mail was unformatted and it was my e-mail client which made the link active. (Sometimes it’s important to look at the software one uses as opposed to laying the burden solely on the large companies.)
    The good news is that e-mail clients and browsers are beginning to get smarter. Thunderbird now marks e-mails it considers a phishing attempt as so and Firefox will throw up an alert letting you know that the site may not be legit if you actually click the link. If I’m not mistaken, IE7 also has a similar feature built in as well.
    Another trick that I use for an exclusively PayPal only e-mail address is simply to route *all* mail that doesn’t come from a PayPal web server to the trash bin automatically. The only e-mails that land in the inbox come directly from PayPal.
    ~ Teli

Leave a Reply

Your email address will not be published. Required fields are marked *