Yes, it is true, I am not making this up. I do not believe that PayPal has stolen anything from users, but they have told me that their own email is phishing.
Here’s what happened. I sent them one of their own legitimate emails and told them it was a bad idea to include a link in it because it looks just like a phishing email. Again, this is a real, legitimate email from PayPal that I sent to them.
The response I got back was:
Hello Randy Abrams,
Thanks for forwarding that suspicious-looking email. You're right – it was a phishing attempt, and we're working on stopping the fraud. By reporting the problem, you've made a difference!
Identity thieves try to trick you into revealing your password or other personal information through phishing emails and fake websites. To learn more about online safety, click "Security Center" on any PayPal webpage.
Every email counts. When you forward suspicious-looking emails to firstname.lastname@example.org, you help keep yourself and others safe from identity theft.
Your account security is very important to us, so we appreciate your extra effort.
That is why legitimate businesses should NEVER include links to log on pages, or most places. Not even PayPal support can tell the difference between a legitimate PayPal email and a phishing attack.
Director of Technical Education
Author ESET Research, ESET