PayPal’s Unintended Contribution To the Phishing Problem

Written by Sue Walsh on February 21, 2013


It’s one of the most basic rules of email security. Don’t ever click on a link sent in an email from a company. Go directly to the site instead. This adds a layer of protection against malicious redirects and phishing attacks. Most major financial institutions warn against clicking such links and don’t send them. Then there’s PayPal. It’s the most used payment service in the world and also one of the most commonly brandjacked in phishing attacks. You’d think they’d be one of the loudest voices in the chorus about fighting scammers, but think again. For some unbelievable reason, they send tons of emails with links to the site. Just a few days ago I got one telling me I had received a cash back award for using my debit card, a notice that I’d sent an automatic payment to a service I subscribe to, and an “account statement”. All of them invited me to click a link to log in and get more info! They are doing the same thing phishers and spammers do.

This is extremely dangerous. These days it’s getting more and more difficult to detect phishing emails. The spammers are producing messages that look surprisingly legit, minus the broken English and spelling errors that used to be big red flags. In some cases the only thing that differentiates PayPal’s messages from phishing emails is the fact that the phishing emails use the generic “Dear Paypal User” rather than the user’s registered name. Not smart at all. By doing this they are getting users used to expecting links in PayPal emails, and that could be disastrous.

Do you think Paypal is being irresponsible? Why or why not?

Comments

Cass February 23, 2013

I do think PayPal are underestimating the problem. I myself got two of these this week to two different email addresses, one of which I don’t use for PayPal and this rang the bell something is fishy. PayPal would make a major contribution to fighting phishing, if they stop including links in their emails. Links might be time saving but with the huge risks that come with them, usability comes second.

Lola February 25, 2013

I am having a lot of issues with LinkedIn lately. That’s why I decided to just avoid logging in there, including adding certain people in my network. It actually stemmed when I started receiving spam links straight to my mail. They weren’t as harmful as the others, but they also really looked very suspicious. I am sane enough not to provide them any of my personal information, yet I am scared that by simply clicking the link, I am planting malware into my PC. In other words, my personal information is still vulnerable to scammers.

Eddie February 25, 2013

Perhaps at first it was completely unintended. But if the social network continues to not do anything about it, then it becomes a violation and a crime that should be corrected immediately. Otherwise, I would not be afraid to persecute LinkedIn and tell my friends not to sign up anymore into the network. If they are already members, then we will all together pull out our accounts or deactivate them. I will encourage them to tell their friends to do the same. I am this dead serious to correct the system.

Catalina February 27, 2013

I am not so sure about the relationship between PayPal and LinkedIn. The story is based on the former. Aren’t the two commenters paying attention? Anyway, yes, PayPal is one of the most brand-jacked websites for a couple of years now, and we all know why. The money is basically there. Though it’s very hard to open an account and have it verified, once you are already in the system, it’s not a hassle to withdraw and transfer money between accounts. As long as the account is tied to an account or you can verify your own, then you’re good to go.

Adolph February 27, 2013

I don’t like the tone of this article. It’s like it’s blaming PayPal for the issue, even if it added the word “unintended” into the mix. Why can’t we just point our fingers to those spammers? I think no matter how secure the webmaster wants their site to be, spammers will always find a way to beat it at some point. It’s just how they operate and definitely earn some money. PayPal has one of the best security options I have ever seen, and websites have taken steps to prevent fraud.

Daphne West March 26, 2013

Adolph, try to take things in a more open perspective. The writer wasn’t blaming PayPal for anything at all. In fact, I’d like to call it a wakeup call because what he was saying is actually true. I am an active user in PayPal, and there are times when I would receive more e-mails than I expect them to send me, and most of them contain links. Once the user becomes more used to receiving links and clicking them, he may now have a hard time distinguishing a phishing and a real e-mail from PayPal.

Myra May 2, 2013

I think I will have to say that Paypal may have had positive intentions at the beginning. Maybe their initial idea was to attach the link so that their users will find it more convenient – so that they will simply click the attached link instead of opening a new tab or a new page. But I don’t click the links myself. I get them almost every month when I collect my pay through Paypal. I don’t know, maybe I’m just being too cautious. It doesn’t hurt to do so, though, especially nowadays when phishing is already quite normal for some.
