Outlines poor security practices

Dec 4, 2009 15:18 GMT  ·  By

In an ironic twist of fate, PayPal security staff mistakenly concluded that a legitimate email message sent by the company was a phishing attack. The message had been forwarded back to them by a security professional who wanted to raise awareness of an insecure practice.

Randy Abrams, director of technical education at ESET, the developer of the NOD32 antivirus, received an email message from PayPal that contained a link back to an authentication form on the company's website. The security researcher decided to let PayPal know that this practice is exactly the sort of thing phishers abuse and that the company should stop doing it.

We don't know whether Mr. Abrams actually hoped PayPal's policy would change as a result of his commendable effort, but we're pretty sure he wasn't expecting the reply he got. "Thanks for forwarding that suspicious-looking email. You're right – it was a phishing attempt, and we're working on stopping the fraud. By reporting the problem, you've made a difference!" the PayPal security staff responded.

It went on to congratulate the researcher on his diligence and to explain how identity thieves try to steal personal information through fake emails and websites. PayPal evidently knows a great deal about phishing, and it should, since it is one of the most abused brands on the Internet.

According to a report from antivirus vendor Kaspersky Lab released in August, 60% of phishing emails in the first half of 2009 targeted PayPal and eBay users. The report notes that both companies have worked hard to educate their customers about such scams. However, continuing to send links to login pages within emails only makes users less vigilant: a customer trained to click the login link in a genuine PayPal notice will do the same when the notice is forged.

"That is why legitimate businesses should NEVER include links to log on pages, or most places. Not even PayPal support can tell the difference between a legitimate PayPal email and a phishing attack," concludes Mr. Abrams. "Again, this is a real, legitimate email from PayPal that I sent to them," he stresses.
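As an added illustration (not code from the article, PayPal or ESET), the Python script below applies the kind of check that users and mail filters are left with once a sender mails login links: it extracts every link from an HTML mail body and flags any that points at a login page or whose visible text names a host different from the link target. Run on two constructed messages, a genuine-looking notice with a real login link and a look-alike phish, the login-link rule fires on both, which is exactly Mr. Abrams' point: once the legitimate sender mails login links, that signal no longer separates the two. The hostnames, paths, hint words and sample bodies are assumptions made for the example.

```python
"""Flag login links and host mismatches in HTML email bodies.

Added illustration for the article above; not PayPal's or ESET's code.
The two sample messages are constructed and are not the actual email
Mr. Abrams received or forwarded.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Path/query fragments that commonly identify an authentication form (assumed list).
LOGIN_HINTS = ("login", "log-in", "signin", "sign-in", "authenticate")

# Matches visible link text that looks like a URL or bare hostname, e.g.
# "https://www.paypal.com/" or "paypal.com"; group 1 is the host named.
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (href, text)
        self._current = None   # [href, text-so-far] of the <a> being parsed

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(html):
    """Return [(href, visible_text), ...] in document order."""
    p = _LinkCollector()
    p.feed(html)
    p.close()
    return p.links


def is_login_link(href):
    """True if the URL's path or query looks like an authentication page."""
    u = urlparse(href)
    target = (u.path + "?" + u.query).lower()
    return any(h in target for h in LOGIN_HINTS)


def text_host_mismatch(href, text):
    """True if the visible text names a host other than the one the link targets.

    Classic phishing pattern: text reads 'https://www.paypal.com/' while the
    href goes to 'http://paypal.com.example.net/'. Comparison is exact, so
    'paypal.com' vs 'www.paypal.com' also counts as a mismatch (strict by design).
    """
    m = HOST_RE.match(text.strip())
    if not m:
        return False   # visible text is not a URL or hostname; nothing to compare
    return m.group(1).lower() != (urlparse(href).hostname or "").lower()


def audit_email(html):
    """Return one finding per link that violates a rule, with the reasons."""
    findings = []
    for href, text in extract_links(html):
        reasons = []
        if is_login_link(href):
            reasons.append("links to a login page")
        if text_host_mismatch(href, text):
            reasons.append("visible text names a different host")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed samples: the shape of a genuine notice and of a look-alike phish.
# The login path and the phishing host are assumptions for the example.
LEGIT_MAIL = ('<p>Please <a href="https://www.paypal.com/signin">log in</a> '
              'to review your account.</p>')
PHISH_MAIL = ('<p>Please <a href="http://paypal.com.example.net/login">'
              'https://www.paypal.com/</a> to review your account.</p>')


if __name__ == "__main__":
    for name, mail in (("legit", LEGIT_MAIL), ("phish", PHISH_MAIL)):
        print(name, audit_email(mail))
```

The host-mismatch rule still separates the two samples, but only because this particular phish is sloppy; a forgery whose visible text is just "log in", like the genuine notice, would produce the same single finding as the real PayPal mail, which is why the only robust rule is the one Abrams states: legitimate mail should not carry login links at all.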