PayPal Admits to Phishing Users

Phishing


Yes, it is true, I am not making this up. I do not believe that PayPal has stolen anything from users, but they have told me that their own email is phishing.

Here’s what happened. I sent them one of their own legitimate emails and told them it was a bad idea to include a link in it because it looks just like a phishing email. Again, this is a real, legitimate email from PayPal that I sent to them.

The response I got back was:

Hello Randy Abrams,

Thanks for forwarding that suspicious-looking email. You're right – it was a phishing attempt, and we're working on stopping the fraud. By reporting the problem, you've made a difference!

Identity thieves try to trick you into revealing your password or other personal information through phishing emails and fake websites. To learn more about online safety, click "Security Center" on any PayPal webpage.

Every email counts. When you forward suspicious-looking emails to spoof@paypal.com, you help keep yourself and others safe from identity theft.

Your account security is very important to us, so we appreciate your extra effort.

Thanks,

PayPal

That is why legitimate businesses should NEVER include links to log-on pages in their email, and should avoid links to most other places as well. If not even PayPal support can tell the difference between a legitimate PayPal email and a phishing attack, an email with a link is exactly the wrong thing to train customers to click.
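The difference between the legitimate message and a phish lives entirely in the raw href, which a reader never sees. The following is an added example, not code from the original post or from PayPal, of the check a mail gateway (or a curious recipient) has to perform to separate them: extract every anchor, compare the visible text with the real host, and refuse hosts outside an assumed allow-list. The two message bodies and the `TRUSTED_DOMAINS` allow-list are constructed for illustration, and the "last two labels" domain rule is a simplification noted in the code.

```python
"""Flag links in an HTML email whose real destination is not the sender's domain.

Added example; not the blog author's or PayPal's code. Sample messages are
constructed, and TRUSTED_DOMAINS is an assumed allow-list for the sender.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the registrable domain the sender legitimately links to.
TRUSTED_DOMAINS = {"paypal.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in a body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def registrable_domain(host):
    """Naive 'last two labels' rule (assumption: trusted domains are all
    second-level). A real deployment would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_in_text(text):
    """If the visible anchor text looks like a URL or bare hostname, return its host."""
    if " " in text or "." not in text:
        return None
    candidate = text if "://" in text else "//" + text
    return urlsplit(candidate).hostname


def classify_link(href, text):
    """Return the reasons a link is suspicious; an empty list means it passes."""
    parts = urlsplit(href)
    host = parts.hostname or ""
    reasons = []
    if parts.scheme != "https":
        reasons.append("scheme is not https")
    if "@" in parts.netloc:
        # https://www.paypal.com@198.51.100.7/ : everything before '@' is
        # userinfo, not the host, so the URL reads as PayPal but goes elsewhere.
        reasons.append("userinfo before '@' disguises the real host")
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        reasons.append(f"host {host!r} is outside {sorted(TRUSTED_DOMAINS)}")
    shown = host_in_text(text)
    if shown and shown.lower() != host.lower():
        reasons.append(f"visible text names {shown!r} but href goes to {host!r}")
    return reasons


def audit_email(html):
    """Map each link in the message body to its list of findings."""
    return {href: classify_link(href, text) for href, text in extract_links(html)}


# Constructed sample bodies (not real PayPal mail). To a reader, every link
# below says "PayPal"; only the href distinguishes them.
LEGIT = ('<p>Please <a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run">'
         'log in to your account</a> to review the transaction.</p>')
PHISH = ('<p>Please visit <a href="https://www.paypal.com.account-verify.example/webscr">'
         'https://www.paypal.com/</a> to review the transaction, or '
         '<a href="http://www.paypal.com@198.51.100.7/login">log in here</a>.</p>')

if __name__ == "__main__":
    for label, body in (("legitimate", LEGIT), ("phish", PHISH)):
        for href, reasons in audit_email(body).items():
            print(f"{label}: {href} -> {reasons or ['ok']}")
```

The legitimate body produces no findings; the phish produces a domain mismatch on the first link and three findings on the second. The point the post makes stands: the check only works on the raw URL, so a policy of "we never send links" is the one rule a non-technical customer can actually apply.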

Randy Abrams
Director of Technical Education

ESET Research, ESET

  • Heather McCalley

    Clearly what you received was a canned response that they sent to you without reviewing the link you so helpfully submitted. While Paypal should reconsider the contents of the emails they send out, I believe that here they just erred on the side of trying to encourage more users to continue to send in suspicious emails. They should re-word their canned reply.

    • Randy Abrams

      PayPal’s error was sending an email with a link, especially with a link to a log on page. There are actually banks that have come to realize it is a really ignorant practice and do not send links in their emails.

  • http://illuminatikarate.com George Huger

    Randy, the email you received is an autogenerated response. You could forward an email that says "Happy Birthday" to spoof@paypal.com and get the same response. I know because I forward phishing emails to Paypal all the time, and the response is always identical.
    Your headline implies a scandal which does not exist.

    • Randy Abrams

      No, it is not simply an automated response. I replied to their message and got no automated response to the reply. The point is that financial institutions should be security savvy enough by now not to send emails with links to log on pages. It is a scandal that PayPal, American Express, Chase, and many others are still teaching users to become phishing victims.

  • James P Hogan

    Remember earlier this year when NOD32 detected critical system files as Win32/Kryptik.JX and started deleting them after an update to the heuristics module?  It is true, I am not making this up.

    Mistakes happen.

    • Randy Abrams

      Yes, all of us in the antivirus industry are well aware of our false positives, but we don’t false positive on our own files. We can control and recognize our own files, we cannot control the files that others create. PayPal cannot discern their own legitimate emails from a phish, but the real issue is that they should not be sending an email with a link to a log in page. They are teaching people to become phishing victims and that is not smart.

  • Gaby

    Thank you very much, I really needed a laugh today!

  • JK

    Sounds like someone at Paypal might have simply sent you back a template-response. 

  • Chris

    Is it possible that this was just some kind of automated message that got sent out?

    • Randy Abrams

      It is possible, but not an intelligent approach. I also replied back and asked how they could be so dumb and if there was a security person I could talk to, and I received no automated reply.

  • nleep

    perhaps their fraud reporting system is nothing but a script that searches for the words "ebay" and auto-responds with that message…

    • Randy Abrams

      The point is that if PayPal never sends a link in their email, all users can be assured that an email that appears to be from PayPal that includes a link is a phish. Let’s make anti-phishing education really easy!

  • http://my.opera.com/danaleks/blog/ D’s Opera blog

    Haha. This is awesome. I can really understand the support person who would look at this and think it was spam.
    http://my.opera.com/danaleks/blog/2009/11/03/faking-a-message-from-your-bank

    • Randy Abrams

      But they didn’t think it was spam, they thought it was phishing. There is a huge difference. They should be able to tell their own emails from a phish. The link in the email leads to the real paypal site!

  • cloud9ine

    Look up Alton lawyer accidentally sues himself.

  • luke

    Wow,
    I am now _less_ intelligent for having read this

  • http://techcrunchies.com Anand Srinivasan

    Any response that writes your full name in the salutation (Hello Randy Abrams) is automated. Rule of thumb.

    • Randy Abrams

      Good rule of thumb, but last night I got a call from a nice person in the PayPal executive office. I was offered contact details and asked to have them sent to me in email. The email began “Dear ,” but it was not a form letter or an automated response. The reply about the phish was from an automated system; however, the time interval between submission and “confirmation” led me to be slightly less certain it was automated.

  • Tim

    It is true that sending links to people via email is a bit in the gray area. However, if you take away links, then you have taken away the power of the internet. If simply sending someone an email with a link in it is teaching users to be victims of phishing, then we as a community are not doing our jobs properly to train the less technically inclined. There are plenty of ways to validate that a link goes to a proper PayPal site. This is especially true if the page to which we’re forwarded is not a form page and doesn’t do any info-snatching (there isn’t much detail about the actual page in question).

    • Randy Abrams

      OK, taking links out of email does not take away the power of the internet, but I am not saying to take links out of all emails, only ones from specific organizations, especially as they relate to logging into an account. I don’t need a link to a transaction to check my PayPal transactions. I don’t need a link in email to check my LinkedIn messages, Myspace friends, and so on.

      It is far easier to teach people that if an email has a link to your PayPal account, assume it is a phish, but PayPal, and many other financial institutions need to change some practices. In reality, some banks already have discontinued the practice of sending links in their customer communications and that is a good thing!

  • Evilbarney

    /facepalm
    It was an auto-response dude..

  • Dav

    or even better, stop using paypal… one CAN survive without a worthless business that can't tell their head from a hole in the ground… eBay has gone downhill, is it any surprise that PayPal would also after being purchased by eBay?

  • Corinna

    Can anyone tell me: if someone wants to buy stuff from you and sends you money through PayPal, can the buyer, after you have shipped the product, take the money back from PayPal so that you end up never getting paid?

    • Randy Abrams

      In some cases this could happen. Yes.

  • Sherry Rumby

    My email is protected by ESET, and I cannot receive email from PayPal. This is distressing to me as they have been giving me good service for years, and I also like eBay.

    • David Harley

      Sherry, are you saying you have an issue with email blocking that is ESET-related? Unfortunately, we’re not in a position to do product support via the blog: you need to go through the Support tab on the main ESET site.

Copyright © 2014 ESET, All Rights Reserved.