eBay and PayPal users have been receiving them for years - emails asking the account holder to update their information or verify their identity, or warning them that their account is being shut down. And for years, users have scratched their heads, wondering whether the email was legitimate or an attempt by a scammer to obtain personal information.
The emails invariably require that the recipient log into their account using a link embedded in the body of the email. Legitimate email links send users to their PayPal log-in screen, while scam email links send users to a screen that looks exactly like the real PayPal log-in screen but actually resides on the scammer's server - not PayPal's - and is designed to collect the user's sensitive information.
In many instances, users can't tell a real email from a fake one. Apparently, PayPal can't either.
In January, I received an email with the subject header "Monthly Statement Available." The email invited me to log into my PayPal account through the link contained within and view my transactions for the previous 30 days. Having some knowledge of traceroutes and being able to check the "headers" of an email to discern its origination point, I examined the email and concluded that it was legitimate.
Wanting to be 100 percent certain, I forwarded it, with headers, to firstname.lastname@example.org. Several hours later, I received a response from PayPal, thanking me for forwarding this "suspicious" email and confirming that the email was not sent by PayPal. It also advised me not to "enter any personal or financial information into this website."
A bit confused, I took a second look at the email's headers, reaffirmed that the email had originated from smtp2.nix.paypal.com, and resent the email to email@example.com. Again, several hours later, I received a similar response that the email was a fake.
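As an added illustration of the two checks the author describes (reading the Received headers for the originating server, and comparing where an email link really points with what it claims to be), here is a small Python script that is not part of the article. It runs against a constructed sample message; the host names, addresses and message id in it are made up.

```python
import email, re
from email import policy
from urllib.parse import urlparse

# Constructed sample message: hosts, addresses and ids are made up, not from the article.
SAMPLE = b"""Received: from smtp2.nix.paypal.com (smtp2.nix.paypal.com [192.0.2.10])
 by mx.example.net with ESMTP id abc123; Mon, 12 Jan 2004 09:00:00 -0500
Received: from [10.0.0.5] by smtp2.nix.paypal.com; Mon, 12 Jan 2004 08:59:00 -0500
From: PayPal <service@paypal.com>
Subject: Monthly Statement Available
Content-Type: text/html

<p><a href="https://www.paypal.com/help">Help</a> |
<a href="http://203.0.113.7/paypal/login">https://www.paypal.com/</a></p>
"""

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def load(raw):
    return email.message_from_bytes(raw, policy=policy.default)

def received_chain(msg):
    # 'from' host of each Received header, oldest hop first. Only the topmost
    # header (added by your own mail server) is trustworthy; the sender wrote
    # everything below it and may have forged those lines.
    chain = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = re.match(r"\s*from\s+(\S+)", str(hdr))
        chain.append(m.group(1) if m else "?")
    return chain

def suspicious_links(msg, domain="paypal.com"):
    # Flag links whose real target host is outside `domain`, or whose visible
    # text shows a different host than the href actually points to. A regex is
    # enough for this constructed body; use an HTML parser on real mail.
    body = msg.get_body(preferencelist=("html",))
    bad = []
    for href, text in ANCHOR.findall(body.get_content() if body else ""):
        target = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname or ""
        inside = target == domain or target.endswith("." + domain)
        if not inside or (shown and shown != target):
            bad.append((href, text.strip()))
    return bad
```

On the sample, the chain ends at the hop your own server recorded, and the second link is flagged because its visible text names paypal.com while the href goes to an unrelated address.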
The only conclusions I could come to at that point were that I evidently had no idea how to read email headers correctly, or that PayPal was sending this "stock" response to every user who sent an email to firstname.lastname@example.org.
I saved all the correspondence, and moved on to other things.
A month later I received a similar email, with a similar subject line, inviting me to view my monthly statement online. Being curious, I checked the email's headers and compared them with those of the statement I had received the previous month. They were identical.
Well, I thought, this is either a legitimate email, or this scammer is very punctual. And off I sent the email to email@example.com again. Within hours I received a response from PayPal that the email was, indeed, legitimate and had been sent by the company. According to the response, "General Notification emails and Payment Notification emails are activated by default. Therefore, a PayPal user will need to set their Preferences to 'not' receive these emails if they so choose." (I've since changed my preferences not to receive these.)
Again, I checked the headers, and decided that I should contact a spokesperson from PayPal and ask why two basically identical emails had been flagged differently - one as legitimate and one as a spoof - by PayPal.
To PayPal's credit, they acknowledged that there had been an error in identifying the initial email. A company spokesperson explained that links within emails make the experience easier for users to access their accounts. But what kind of experience would it be to find that my account had been drained of its funds because I guessed wrong on clicking on a link?
The point of this story is that discerning the legitimacy of an email is not an easy process for most users. If a company can't recognize its own emails with any degree of accuracy, how can it expect its users to? For end-users, it becomes a game of online "Russian Roulette," and guessing incorrectly could mean that your PayPal account is breached.
The spokesperson from PayPal explained that this is still a problem and that links have been taken out of most emails to users, and coming up with a permanent solution is one of the highest priorities for the company.
Taking links out of "some" emails is no solution at all. It only adds to the confusion experienced by many users. Remove links to log-in pages from all email correspondence to PayPal users. Direct them to log in manually until a consistent solution is found.
Considering that other financial institutions, as well as ecommerce sites, have been targets of spoof email, this applies to all organizations that send emails to their customers.
If you get hoax emails pretending to be from PayPal, forward them to firstname.lastname@example.org. If it's pretending to be from eBay, forward to email@example.com.
PayPal Security Center (naturally you shouldn't use this link to sign in!)
eBay Security Center
eBay Tutorial on Spoof Emails
FTC Site on Identity Theft