PayPal Admits to Phishing Users
Yes, it is true, I am not making this up. I do not believe that PayPal has stolen anything from users, but they have told me that their own email is phishing.
Here’s what happened. I sent them one of their own legitimate emails and told them it was a bad idea to include a link in it because it looks just like a phishing email. Again, this is a real, legitimate email from PayPal that I sent to them.
The response I got back was:
Hello Randy Abrams,
Thanks for forwarding that suspicious-looking email. You're right – it was a phishing attempt, and we're working on stopping the fraud. By reporting the problem, you've made a difference!
Identity thieves try to trick you into revealing your password or other personal information through phishing emails and fake websites. To learn more about online safety, click "Security Center" on any PayPal webpage.
Every email counts. When you forward suspicious-looking emails to spoof@paypal.com, you help keep yourself and others safe from identity theft.
Your account security is very important to us, so we appreciate your extra effort.
Thanks,
PayPal
That is why legitimate businesses should NEVER include links to log-on pages in email, or to most other pages for that matter. Not even PayPal support can tell the difference between a legitimate PayPal email and a phishing attack.
Randy Abrams
Director of Technical Education
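The post's point is that a link-bearing email from a brand is indistinguishable, for the recipient, from a phish that copies it. The following added example (my own code, not ESET's or PayPal's) shows what an automated triage step can and cannot decide: it extracts anchors from an HTML body, checks whether each link's host is really under the brand's domain (the only brand domain on the page is paypal.com; the other hostnames and sample emails below are constructed), and then applies the post's own rule that a brand email carrying a log-in link is treated as suspicious regardless. The legitimate email still ends up flagged, which is exactly why the post argues such links should not be sent at all.

```python
"""Triage of links in an email body against a claimed brand domain.

Added example, not code from the original post. The brand domain paypal.com
comes from the post; every sample email, hostname and path below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND_DOMAIN = "paypal.com"  # assumption: the brand's one legitimate registrable domain


class _AnchorExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _AnchorExtractor()
    parser.feed(html)
    return parser.anchors


def host_of(url):
    """Lowercased hostname of a URL, or None. urlsplit().hostname drops any
    userinfo, so 'https://paypal.com@203.0.113.5/' resolves to '203.0.113.5'."""
    try:
        return urlsplit(url).hostname or None
    except ValueError:
        return None


def is_brand_host(host, brand=BRAND_DOMAIN):
    """True only for the brand domain itself or a subdomain of it; a host that
    merely starts with 'www.paypal.com.' is not under paypal.com."""
    return host == brand or host.endswith("." + brand)


def classify_link(href, text, brand=BRAND_DOMAIN):
    """One of: 'brand', 'text-mismatch', 'lookalike', 'external', 'non-web'."""
    if urlsplit(href).scheme not in ("http", "https"):
        return "non-web"  # mailto:, tel: etc. carry no page to land on
    host = host_of(href)
    if host is None:
        return "external"
    if is_brand_host(host, brand):
        return "brand"
    if brand in text.lower():
        return "text-mismatch"  # visible text names the brand, href goes elsewhere
    if brand.split(".")[0] in host:
        return "lookalike"  # brand name embedded in an unrelated host
    return "external"


def triage_email(html, brand=BRAND_DOMAIN):
    """Per-link verdicts plus the post's rule: any log-in link makes a brand
    email suspicious even when every host checks out."""
    links = [(href, classify_link(href, text, brand)) for href, text in extract_links(html)]
    login_link_present = any(
        re.search(r"log-?in|sign-?in", urlsplit(href).path, re.I) for href, _ in links
    )
    suspicious = login_link_present or any(v not in ("brand", "non-web") for _, v in links)
    return {"links": links, "login_link_present": login_link_present, "suspicious": suspicious}


# Constructed sample bodies (not real PayPal mail).
LEGIT_EMAIL = '<p>Hello, please <a href="https://www.paypal.com/signin">log in</a> to review it.</p>'
LOOKALIKE_EMAIL = '<p>Verify at <a href="https://www.paypal.com.account-verify.test/login">paypal.com</a></p>'
NEWSLETTER_EMAIL = '<p>Read more on <a href="https://www.paypal.com/">our site</a>.</p>'

if __name__ == "__main__":
    for name, body in [("legit", LEGIT_EMAIL), ("lookalike", LOOKALIKE_EMAIL), ("newsletter", NEWSLETTER_EMAIL)]:
        print(name, triage_email(body))
```

The host check distinguishes the constructed lookalike from the real domain, but the legitimate sign-in email is flagged by the log-in-link rule alone, which is the post's argument in executable form.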
26 Responses to “PayPal Admits to Phishing Users”
December 4th, 2009 at 7:31 am
Clearly what you received was a canned response that they sent to you without reviewing the link you so helpfully submitted. While Paypal should reconsider the contents of the emails they send out, I believe that here they just erred on the side of trying to encourage more users to continue to send in suspicious emails. They should re-word their canned reply.
December 4th, 2009 at 8:47 am
Randy, the email you received is an autogenerated response. You could forward an email that says "Happy Birthday" to and get the same response. I know because I forward phishing emails to Paypal all the time, and the response is always identical.
Your headline implies a scandal which does not exist.
December 4th, 2009 at 9:22 am
Remember earlier this year when NOD32 detected critical system files as Win32/Kryptik.JX and started deleting them after an update to the heuristics module? It is true, I am not making this up.
Mistakes happen.
December 4th, 2009 at 9:47 am
Thank you very much, I really needed a laugh today!
December 4th, 2009 at 9:51 am
Sounds like someone at Paypal might have simply sent you back a template-response.
December 4th, 2009 at 10:02 am
Is it possible that this was just some kind of automated message that got sent out?
December 4th, 2009 at 10:05 am
perhaps their fraud reporting system is nothing but a script that searches for the words "ebay" and auto-responds with that message…
December 4th, 2009 at 10:16 am
The point is that if PayPal never sends a link in their email, all users can be assured that an email that appears to be from PayPal that includes a link is a phish. Let’s make anti-phishing education really easy!
December 4th, 2009 at 10:17 am
It is possible, but not an intelligent approach. I also replied back and asked how they could be so dumb and if there was a security person I could talk to, and I received no automated reply.
December 4th, 2009 at 10:19 am
Yes, all of us in the antivirus industry are well aware of our false positives, but we don’t false positive on our own files. We can control and recognize our own files, we cannot control the files that others create. PayPal cannot discern their own legitimate emails from a phish, but the real issue is that they should not be sending an email with a link to a log in page. They are teaching people to become phishing victims and that is not smart.
December 4th, 2009 at 10:22 am
No, it is not simply an automated response. I replied to their message and got no automated response to the reply. The point is that financial institutions should be security savvy enough by now not to send emails with links to log on pages. It is a scandal that PayPal, American Express, Chase, and many others are still teaching users to become phishing victims.
December 4th, 2009 at 10:24 am
PayPal’s error was sending an email with a link, especially with a link to a log on page. There are actually banks that have come to realize it is a really ignorant practice and do not send links in their emails.
December 4th, 2009 at 10:45 am
Haha. This is awesome. I can really understand the support person who would look at this and think it was spam.
December 4th, 2009 at 10:48 am
But they didn’t think it was spam, they thought it was phishing. There is a huge difference. They should be able to tell their own emails from a phish. The link in the email leads to the real paypal site!
December 4th, 2009 at 11:14 am
Look up Alton lawyer accidentally sues himself.
December 4th, 2009 at 4:25 pm
Wow,
I am now _less_ intelligent for having read this
December 4th, 2009 at 9:06 pm
Any response that writes your full name in the salutation (Hello Randy Abrams) is automated. Thumb rule.
December 5th, 2009 at 9:48 am
Good rule of thumb, but last night I got a call from a nice person in the PayPal executive office. I was offered contact details and asked to have them sent to me in email. The email began “Dear ,” but it was not a form letter or an automated response. The reply about the phish was from an automated system; however, the time interval between submission and “confirmation” led me to be slightly less certain it was automated.
December 7th, 2009 at 8:35 am
It is true that sending links to people via email is a bit in the gray area. However, if you take away links, then you have taken away the power of the internet. If simply sending someone an email with a link in it is teaching users to be victims of phishing, then we as a community are not doing our jobs properly to train the less technically inclined. There are plenty of ways to validate that a link goes to a proper PayPal site. This is especially true if the page to which we’re forwarded is not a form page and doesn’t do any info-snatching (there isn’t much detail about the actual page in question).
December 7th, 2009 at 11:23 am
OK, taking links out of email does not take away the power of the internet, but I am not saying to take links out of all emails, only ones from specific organizations, especially as they relate to logging into an account. I don’t need a link to a transaction to check my PayPal transactions. I don’t need a link in email to check my LinkedIn messages, Myspace friends, and so on.
It is far easier to teach people that if an email has a link to your PayPal account, assume it is a phish, but PayPal, and many other financial institutions need to change some practices. In reality, some banks already have discontinued the practice of sending links in their customer communications and that is a good thing!
January 13th, 2010 at 1:05 pm
/facepalm
It was an auto-response, dude.
February 21st, 2010 at 9:42 pm
or even better, stop using paypal… one CAN survive without a worthless business that can't tell their head from a hole in the ground… eBay has gone downhill, is it any surprise that PayPal would also after being purchased by eBay?
January 18th, 2011 at 10:21 am
Can anyone tell me: if someone wants to buy stuff from you and sends you money through PayPal, after you have shipped the product to the buyer, can the buyer take back the money from PayPal so that you end up never getting paid?
January 19th, 2011 at 4:19 pm
In some cases this could happen. Yes.
October 22nd, 2011 at 2:49 pm
My email is protected by ESET, and I cannot receive email from PayPal. This is distressing to me as they have been giving me good service for years, and I also like eBay.
October 24th, 2011 at 3:00 am
Sherry, are you saying you have an issue with email blocking that is ESET-related? Unfortunately, we’re not in a position to do product support via the blog: you need to go through the Support tab on the main ESET site.