Is it real, or is it a phishing scam? That's a question that seems to get harder and harder to answer for sure with each new message in one's inbox. And an e-mail I got from PayPal this morning that was supposed to make it a little easier actually left me more uncertain than ever.
When the message from paypal@email.paypal.com with the subject line "Spot spoof, protect your identity and more..." showed up in my inbox, my first impulse was just to delete it as another fake from a spammer/scammer pretending to be from PayPal. But wait -- I saw it was addressed to me by the name that's on my PayPal account, which is supposed to be a good sign that it's authentic. And it wasn't asking me for my passwords or other account information -- in fact, it was just offering links to various PayPal pages about its "Identity Protection" education campaign. Surely phishing scammers wouldn't be doing that.
Or would they? In tandem with its adopted parent company eBay, PayPal has to be the all-time favorite target for identity thieves to imitate, so it's best not to underestimate how sophisticated a scam impersonating them might be. And all those links in the e-mail looked rather suspicious in the status bar when I moved the cursor over them. An "http://email1.paypal" subdomain was followed by a long string of random characters of the type you see all the time in phishing scams -- it could easily be phony. And if PayPal was just trying to provide links to pages with security tips, why not just spell out the real URLs?
One way to be more certain whether the e-mail really was from PayPal would have been to click on one of those insecure-looking links and see if it would take me to a PayPal SSL page anyway. But clicking on suspicious links is never a good idea, so I wrote spoof@paypal.com and asked them about the message. When I hadn't gotten an answer an hour later, I decided it was my journalistic duty to call PayPal PR and ask them about the message.
The upshot is, yes, the "Spot spoof" e-mail really is from PayPal. "The links are to safe pages that only provide our customers with educational information about protecting their identity," the PayPal spokesperson said. Since the links can't be made forge-proof, PayPal considered eliminating links altogether from e-mails to customers, but has found that's not what its customers want. "This is still the preferred way for consumers to get information from us that can be useful to them." And a little while ago I got a response from spoof@paypal.com telling me I should change my e-mail notification preferences if I don't want to get such messages, which I guess is a backhanded way of confirming that it was authentically from PayPal.
OK, call me paranoid. Nonetheless, the fact of the matter is that any phishing scam artist who wanted to do so could forge the identical message I received. So isn't PayPal saying we're supposed to judge whether a possible phishing scam came from them by its apparent intent? PayPal did give me an education today in protecting my identity, but I doubt it's the lesson they intended to teach.
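The status-bar check described above (does the link's domain belong to the sender, is it plain http, is the path an opaque token?) can be made mechanical. The following is an added example written for this post, not PayPal's code; the sender address and the message body are constructed to resemble the e-mail described, and the look-alike domain is invented.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the message described above: personalised
# greeting, no credential request, a link on a tracking subdomain carrying an
# opaque token, plus an invented look-alike domain that must not pass.
SAMPLE_SENDER = "paypal@email.paypal.com"
SAMPLE_BODY = """Dear Example Customer,
Learn to spot spoof e-mail: http://email1.paypal.com/r/aZ9kQ3pLm7Xv2bTq8RwE4Yc
Identity protection tips: https://www.paypal.com/security
Look-alike for comparison: https://www.paypal.com.login-check.example/r/abc
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Adequate for .com-style names;
    a real tool would consult the public-suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_links(sender: str, body: str) -> list[dict]:
    """Classify every URL in the body relative to the sender's domain.

    'trusted'   : same registrable domain as the sender, over https
    'downgrade' : same domain but plain http (the status-bar case above)
    'foreign'   : unrelated domain, including suffix look-alikes
    Even 'trusted' says nothing about who sent the message: both the
    From header and the links can be forged, which is the post's point.
    """
    sender_domain = registrable_domain(sender.split("@", 1)[1])
    results = []
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        host = parts.hostname or ""
        if registrable_domain(host) != sender_domain:
            verdict = "foreign"
        elif parts.scheme != "https":
            verdict = "downgrade"
        else:
            verdict = "trusted"
        # A long run of random-looking characters at the end of the path is
        # the "long string of random characters" a reader notices by eye.
        opaque = bool(re.search(r"/[A-Za-z0-9]{16,}$", parts.path))
        results.append({"url": url, "host": host,
                        "verdict": verdict, "opaque_path": opaque})
    return results
```

Running `assess_links(SAMPLE_SENDER, SAMPLE_BODY)` flags the tracking link as a same-domain http downgrade with an opaque token, the security page as trusted, and the look-alike as foreign.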
10:12:40 PM