How PayPal is perpetuating the phishing problem

Phishing has been a problem for years, with ne’er-do-wells sending emails stuffed with links to lure you into typing passwords into their mocked-up sites resembling your bank or some other service.

With the criminals making fewer stupid grammatical errors and getting better at designing mocked-up sites, the one rule of thumb recommended by banks and security experts is to not click through links in emails from companies without checking they're safe -- and if in doubt, to head to the site directly to log in.

Nationwide, for example, stresses: "We will never ask you to update account details" via email. Action Fraud says: "Always remember that banks will never contact customers by email to ask for passwords or any other sensitive information by clicking on a link and visiting a website."

Yet PayPal, Facebook and other companies continue to send out largely pointless communiques that ask you to do just that. Take the “Your monthly statement is now available” message (above) from PayPal -- it's genuine and the link does go to the payment firm's site, but it's a dead ringer for a phishing email. The only give-away of its authenticity is the fact that it uses a direct name rather than “Dear Valued Customer”.

Admittedly there's a warning that you should go directly to the site if you're worried, but it's in the small print.

When we sent one sample email to PayPal's communication team to ask if it was genuine, the staff had to go away and check -- not even they could immediately spot a fake from a genuine company email.

Companies need to keep in contact with their customers, but their actions perpetuate the problem of phishing by getting the unwary or careless used to the idea that legitimate businesses actually do send messages asking you to log into your account via links in email. This creates an element of doubt where there needn't be one. It also erodes the message from security experts who advise never clicking through links and inputting passwords.

If PayPal and Facebook keep sending out such requests on a weekly or monthly basis, it makes life easier for phishers by training people to log in via email links. It creates the kind of lazy consumer apathy that criminals love to exploit, and that PayPal should work harder to avoid.