PayPal confirm genuine emails are spoofs

I received an email from PayPal last week, notifying me of a payment reversal by the buyer’s bank. I wouldn’t normally quote such things in full in public, but I don’t think I’m betraying any confidential information here because the email is strangely lacking in any sort of information at all:

We were recently notified that a payment you received was reversed by the buyer’s bank. A bank reversal can be requested by the bank itself or by the bank account holder.

We have placed a temporary hold on the funds until our inquiry is complete.

We are contacting you to learn more about this transaction.

To help in our investigation, please reply with the following information within seven calendar days:
#. Details about the item you sold
#. The buyer’s name and address
#. Whether or not the item has been sent. (If you have not yet sent the
item, please do not send it.)
#. A phone number where you can be reached for more information
#. Any email correspondence you have had with the buyer

If you have already sent the item, please also provide:
#. Name of the delivery service used
#. Date of posting
#. Tracking number

For transactions of $250.00 USD or more, please let us know whether you
would be able to provide a proof-of-receipt in the form of a signature
from the buyer.

I was really not sure whether this was a real email or not. So like a good eBayer, I forwarded it to spoof@paypal.com. Then I signed in to my PayPal account, and sure enough there was a reversed transaction. Was this a real PayPal email, or just a spooky coincidence? I erred on the side of protecting my PayPal account, and replied to the email with the information requested.

This morning, I had two emails back from PayPal: one from customer support thanking me for the information I’d supplied, and the other from spoof@, thanking me for forwarding the spoof email and confirming it wasn’t genuine.

At this point, I started to wonder whether it was me or PayPal who had gone mad: but Jane the demon bead lady confirmed in our forum that exactly the same thing had happened to her.

I can understand that PayPal might not want to send out confidential financial information in emails, but the above email is completely inadequate. How many sellers are going to see it lacking any kind of credibility, assume it’s a spoof and delete it, only to have PayPal return the payment to the sender a week later because the seller hasn’t complied with the information request? At the very least, this should say “please sign into your PayPal account and supply us with the information requested through our website”, rather than using email for investigations.

As for spoof@paypal.com, it’s long been my suspicion that they tell us that everything is a spoof, just to be on the safe side. If genuine emails can be and are being flagged as phishing, then really what’s the point of having spoof@ at all?

In the meantime, any sellers receiving such an email should sign into their PayPal account to check whether a payment really has been reversed before replying to *or* deleting the email.