PCPro - Computing in the Real World

Posted on February 15th, 2013 by Stewart Mitchell

How PayPal is perpetuating the phishing problem

Phishing has been a problem for years, with ne’er-do-wells sending emails stuffed with links to lure you into typing passwords into their mocked-up sites resembling your bank or some other service.

With the criminals making fewer stupid grammatical errors and getting better at designing mocked-up sites, the one rule of thumb recommended by banks and security experts is to not click through links in emails from companies without checking they’re safe — and if in doubt, to head to the site directly to log in.

Nationwide, for example, stresses: “We will never ask you to update account details” via email. Action Fraud says: “Always remember that banks will never contact customers by email to ask for passwords or any other sensitive information by clicking on a link and visiting a website.”

Yet PayPal, Facebook and other companies continue to send out largely pointless communiques that ask you to do just that. Take the “Your monthly statement is now available” message (above) from PayPal – it’s genuine and the link does go to the payment firm’s site, but it’s a dead ringer for a phishing email. The only give-away of its authenticity is the fact that it uses a direct name rather than “Dear Valued Customer”.

Admittedly there’s a warning that you should go directly to the site if you’re worried, but it’s in the small print.

When we sent one sample email to PayPal’s communication team to ask if it was genuine, the staff had to go away and check — not even they could immediately spot a fake from a genuine company email.

Companies need to keep in contact with their customers, but their actions perpetuate the problem of phishing by getting the unwary or careless used to the idea that legitimate businesses actually do send messages asking you to log into your account via links in email. This creates an element of doubt where there needn’t be one. It also erodes the message from security experts who advise never clicking through links and inputting passwords.

If PayPal and Facebook keep sending out such requests on a weekly or monthly basis, it makes life easier for phishers by training people to log in via email links. It creates the kind of lazy consumer apathy that criminals love to exploit, and PayPal should work harder to avoid.

Posted in: Random


9 Responses to “ How PayPal is perpetuating the phishing problem ”

  1. Nelviticus Says:
    February 15th, 2013 at 1:48 pm

    By coincidence I sent them a complaint about this very thing this morning. It’s made worse by the fact that, when you do log in, there’s no such thing as a ‘monthly statement’ anywhere to be found. They’re undermining trust in their own services.

  2. Charlie Says:
    February 15th, 2013 at 5:27 pm

    I have had a PayPal business account for many years and have never received an email from them similar to the one described above. The only emails received from PayPal are generated either as a result of my action or as a result of a payment received from a customer.

  3. Clive Pugh Says:
    February 15th, 2013 at 5:42 pm

    Why can’t they just ask you to sign in to your account by the normal means to get the info.

  4. Tim Says:
    February 15th, 2013 at 8:02 pm

    Well said. I thought the same thing last time they sent me what looked exactly like a spam email.

  5. lois Says:
    February 15th, 2013 at 9:05 pm

    I also received phishing email. Went directly to their website via internet. Notified their customer service. They never bothered to contact me. Very poor customer service.

  6. David Says:
    February 17th, 2013 at 5:52 pm

    My suspicious mind says if they get you used to doing something unsafe then when their systems (inevitably) get hacked (by some other means), they can blame it on you. It’s the same with banks telling you not to let people see what PIN you are typing in, but the keypad is always far away from you so it’s impossible to shield.

  7. mp Says:
    February 19th, 2013 at 3:45 pm

    On the other hand, clicking a link is much more effective. Maybe users should be made more aware of how to check where the link is going and software should support that.

    I get annoyed every time I see a link in an email when reading it on my mobile as I can’t easily tell what it is pointing to, but it’s not the fault of the sender.

  8. John Says:
    February 21st, 2013 at 2:33 pm

    When another bidder withdraws their successful winning bid, eBay sends an email out to you without your name on it. I don’t have an example but I think it says something like “Dear eBay user, you now have the winning bid”.
    There is no way you can tell if it is genuine by looking at the email.

  9. Roy Bastiman Says:
    November 7th, 2013 at 2:50 pm

    If I am suspicious, most of the time nowadays, I click on ‘message options’ in Outlook.
    It is quite easy to see the return path and other relevant info on messages.

