
EcommerceBytes-Update, Number 113 - February 22, 2004 - ISSN 1528-6703     8 of 9

Soapbox: PayPal Spoofed by Its Own Emails

By David Steiner

February 22, 2004


eBay and PayPal users have been receiving them for years - emails asking the account holder to update their information; verify their identities; or warning them that their account was being shut down. And for years, users have scratched their heads, wondering if the email was legitimate, or an attempt by a scammer to obtain personal information.

The emails invariably require that the recipient log into their account using a link embedded in the body of the email. Legitimate email-links send users to their PayPal log-in screen, while scam email-links send users to a screen that looks exactly like the real PayPal log-in screen, but actually resides on the scammer's server - not PayPal - designed to collect the user's sensitive information.

In many instances, users can't tell a real email from a fake one. Apparently, PayPal can't either.

In January, I received an email with the subject header "Monthly Statement Available." The email invited me to log into my PayPal account through the link contained within and view my transactions for the previous 30 days. Having some knowledge of traceroutes and being able to check the "headers" of an email to discern its origination point, I examined the email and came to the conclusion that it was legitimate.

Wanting to be 100 percent certain, I forwarded it, with headers, to spoof@paypal.com. Several hours later, I received a response from PayPal, thanking me for forwarding this "suspicious" email and confirming that the email was not sent by PayPal. It also advised me not to "enter any personal or financial information into this website."

A bit confused, I took a second look at the email's headers, reaffirmed that the email had originated from smtp2.nix.paypal.com, and resent the email to spoof@paypal.com. Again, several hours later, I received a similar response that the email was a fake.
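The two checks the article leans on, reading the Received chain to see which host first handed the message into the mail system and comparing where a link's text claims to go against where its href actually goes, can be scripted. The example below is added here and is not code from the original article or from PayPal; the sample message, its hosts and the link address are constructed for illustration (only the hostname smtp2.nix.paypal.com comes from the article). One caveat a defender should keep in mind: Received headers are prepended by each hop, so only the lines added by your own mail servers can be trusted; anything below them could have been written by the sender.

```python
"""Examine a raw email the way the article describes: walk the Received
chain to find the host that first handed the message in, and check whether
the links in the body point where their visible text claims."""
import email
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real PayPal email). The inbox hosts,
# IP addresses, message ids and the second link's host are invented.
SAMPLE_RAW = """\
Received: from mx1.example-inbox.test (mx1.example-inbox.test [192.0.2.10])
\tby mail.example-inbox.test with ESMTP id abc123; Sat, 21 Feb 2004 10:02:11 -0800
Received: from smtp2.nix.paypal.com (smtp2.nix.paypal.com [192.0.2.20])
\tby mx1.example-inbox.test with ESMTP id def456; Sat, 21 Feb 2004 10:02:09 -0800
From: "PayPal" <service@paypal.com>
To: user@example-inbox.test
Subject: Monthly Statement Available
Content-Type: text/html

<html><body>
<p>Your statement is ready. <a href="https://www.paypal.com/cgi-bin/webscr?cmd=_login-run">Log in</a></p>
<p>Or visit <a href="http://paypal-statements.example.test/login">https://www.paypal.com/</a></p>
</body></html>
"""


def received_chain(raw: str) -> list[str]:
    """Return the 'from' host of each Received header, oldest hop first.
    Each relay prepends its own Received line, so the bottom-most header
    names the host that first handed the message into the chain."""
    msg = email.message_from_string(raw)
    hosts = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())          # unfold continuation lines
        m = re.match(r"from\s+(\S+)", flat)
        hosts.append(m.group(1) if m else "<unknown>")
    return list(reversed(hosts))


def origin_host(raw: str) -> str:
    """Host named in the oldest Received header (trust it only as far as
    the relays above it are yours; earlier lines can be forged)."""
    chain = received_chain(raw)
    return chain[0] if chain else "<unknown>"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(raw: str) -> list[tuple[str, str]]:
    msg = email.message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    parser = _LinkCollector()
    parser.feed(body)
    return parser.links


def registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain;
    production code would consult the public suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def suspicious_links(raw: str, expected_domain: str = "paypal.com") -> list[tuple[str, str]]:
    """Flag links whose href host is outside expected_domain, or whose
    visible text is a URL on a different host than the href (the classic
    look-alike trick the article describes)."""
    flagged = []
    for href, text in extract_links(raw):
        host = urlparse(href).hostname or ""
        reasons = []
        if registrable(host) != expected_domain:
            reasons.append(f"href host {host!r} is not under {expected_domain}")
        if text.startswith(("http://", "https://")):
            text_host = urlparse(text).hostname or ""
            if registrable(text_host) != registrable(host):
                reasons.append(f"displayed {text_host!r} but href goes to {host!r}")
        if reasons:
            flagged.append((href, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    print("Received chain (oldest first):", received_chain(SAMPLE_RAW))
    print("Origin host:", origin_host(SAMPLE_RAW))
    for href, why in suspicious_links(SAMPLE_RAW):
        print("SUSPICIOUS:", href, "->", why)
```

On the sample, the chain resolves to smtp2.nix.paypal.com as the first hop, and the second link is flagged twice over: its host is not under paypal.com, and its visible text advertises www.paypal.com while the href goes elsewhere. The first link, whose text is plain "Log in" and whose href stays on paypal.com, passes.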

The only conclusions that I could come to at that point were: I evidently had no idea how to read email headers correctly, or PayPal was sending this "stock" response to every user that sent an email to spoof@paypal.com.

I saved all the correspondence, and moved on to other things.

A month later I received a similar email, with a similar subject line, inviting me to view my monthly statement online. Being curious, I checked the email's headers and compared them with the statement I had received the previous month. They were identical.

Well, I thought, this is either a legitimate email, or this scammer is very punctual. And off I sent the email to spoof@paypal.com again. Within hours I received a response from PayPal that the email was, indeed, legitimate and had been sent by the company. According to the response, "General Notification emails and Payment Notification emails are activated by default. Therefore, a PayPal user will need to set their Preferences to "not" receive these emails if they so choose." (I've since changed my preferences not to receive these.)

Again, I checked the headers, and decided that I should contact a spokesperson from PayPal and ask why two basically identical emails had been flagged differently - one as legitimate and one as a spoof - by PayPal.

To PayPal's credit, they acknowledged that there had been an error in identifying the initial email. A company spokesperson explained that links within emails make it easier for users to access their accounts. But what kind of experience would it be to find that my account had been drained of its funds because I guessed wrong on clicking a link?

The point of this story is that trying to discern the legitimacy of an email is not an easy process for most users. If a company can't recognize their own emails with any degree of accuracy, how can it expect its users to? For end-users, it becomes a game of online "Russian Roulette," and guessing incorrectly could mean that your PayPal account could be breached.

The spokesperson from PayPal explained that this is still a problem and that links have been taken out of most emails to users, and coming up with a permanent solution is one of the highest priorities for the company.

Taking links out of "some" emails is no solution at all. It only adds to the confusion experienced by many users. Remove links to log-in pages from all email correspondence to PayPal users. Direct them to log in manually until a consistent solution is found.

Considering that other financial institutions, as well as ecommerce sites, have been targets of spoof email, this applies to all organizations that send emails to their customers.

If you get hoax emails pretending to be from PayPal, forward them to spoof@paypal.com. If it's pretending to be from eBay, forward to spoof@ebay.com.


PayPal Security Center
http://www.paypal.com/cgi-bin/webscr?cmd=_security-center-outside (Naturally you shouldn't use this link to sign in!)

eBay Security Center

eBay Tutorial on Spoof Emails

FTC Site on Identity Theft

About the author:

David Steiner is President of Steiner Associates LLC, publisher of EcommerceBytes.com and the EveryPlaceISell.com merchant directory. David, a former television producer, handles business development and advertising for EcommerceBytes. You can reach him at dsteiner@ecommercebytes.com

You may quote up to 50 words of any article on the condition that you attribute the article to EcommerceBytes.com and either link to the original article or to www.EcommerceBytes.com.
All other use is prohibited.