Saturday, December 5, 2009
PayPal Admits to Phishing Its Own Users
Categories: E-Commerce, E-Mail, Identity, Phish, Top Threat
Tags: fraud, paypal, phish
Actually, the headline is a teeny bit misleading, even if it's true, strictly speaking.
Randy Abrams of ESET, a security software company, received an e-mail from PayPal that contained a link. Embedding links in customer e-mail is bad practice, especially for a brand as heavily phished as PayPal, because it teaches customers that clicking a link in a message claiming to be from PayPal is normal. Abrams forwarded the message back to PayPal with an explanation of what was wrong with it.
The response he got from PayPal stated (in part; see the ESET blog for the full response):
"Thanks for forwarding that suspicious-looking email. You're right—it was a phishing attempt, and we're working on stopping the fraud. By reporting the problem, you've made a difference!"
This is obviously a canned response. PayPal cannot have humans reading every e-mail forwarded to its abuse address, so an automated analysis system classified PayPal's own mailing as a phishing attempt. That misfire is the interesting part: a genuine PayPal message evidently carries the same features the classifier treats as phishing signals.
As Abrams concludes:
That is why legitimate businesses should NEVER include links to log on pages, or most places. Not even PayPal support can tell the difference between a legitimate PayPal email and a phishing attack.
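To make Abrams's point concrete, here is an added example of the kind of link heuristics an automated abuse mailbox might run; it is not code from the original post or the ESET blog, and it is not PayPal's system, which the post does not describe. Both e-mails below are constructed samples, the brand host allowlist is an assumption, and the rule names are hypothetical. It shows that a rule along the lines of "the message sends the reader to a log-on link" fires on the legitimate mailing just as it does on the phish, and that the only signal that separates the two is the link's host, which has to be checked against a maintained allowlist.

```python
"""Link-based phishing heuristics run over two constructed e-mails.

Added example, not code from the original post or from PayPal. The rules
are hypothetical and illustrate why a legitimate e-mail that sends a
customer to a log-on link is hard to tell apart from a phish.
"""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts a brand's abuse desk treats as its own.
BRAND_HOSTS = {"paypal.com", "www.paypal.com"}
LOGIN_WORDS = ("login", "log-in", "signin", "sign-in")

# Constructed sample: a legitimate mailing that links to a log-on page.
LEGIT = """From: PayPal <service@paypal.com>
Subject: Your account statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your monthly statement is available.</p>
<p><a href="https://www.paypal.com/signin">Log in to view it</a></p>
</body></html>
"""

# Constructed sample: a phish with a spoofed From: and a look-alike host.
PHISH = """From: PayPal <service@paypal.com>
Subject: Unusual activity on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>We limited your account. Confirm your identity now.</p>
<p><a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/</a></p>
</body></html>
"""


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _in_brand(host):
    return host in BRAND_HOSTS or host.endswith(".paypal.com")


def phish_indicators(raw_message):
    """Return the heuristic hits for one single-part HTML message."""
    msg = message_from_string(raw_message)
    parser = _Anchors()
    parser.feed(msg.get_payload())  # assumes a single text/html part
    claims_brand = "paypal" in msg.get("From", "").lower()
    hits = []
    for href, text in parser.anchors:
        host = _host(href)
        # 1. The link sends the reader to a log-on page (fires on both).
        if any(w in href.lower() for w in LOGIN_WORDS):
            hits.append(f"login link: {href}")
        # 2. Visible text shows one host, href goes to another.
        if text.startswith("http") and _host(text) != host:
            hits.append(f"display/href mismatch: {text} -> {host}")
        # 3. From: claims the brand but the link host is outside it.
        if claims_brand and not _in_brand(host):
            hits.append(f"off-brand host: {host}")
    return hits


def classify(raw_message, trust_brand_allowlist=False):
    """Hypothetical abuse-mailbox verdict.

    With trust_brand_allowlist=False any indicator, including a plain
    log-on link, counts as phishing; a rule of that kind reproduces the
    misfire in the post. With it True, only a host mismatch or an
    off-brand host is damning.
    """
    hits = phish_indicators(raw_message)
    if trust_brand_allowlist:
        hits = [h for h in hits if not h.startswith("login link")]
    return "phish" if hits else "clean"


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("phish", PHISH)):
        print(name, classify(raw), classify(raw, True), phish_indicators(raw))
```

The From: header is spoofable, so rule 3 only works because the phisher cannot host the landing page on a brand-owned domain; that is what makes the allowlist the single discriminating signal, and why a business that never puts log-on links in mail gives its customers a simpler rule to apply.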