PayPal says genuine email is a ‘likely’ spoof
A reader has sent us a link to a blog post made a few months ago about attempts to verify whether an email received was a genuine communication from PayPal. Our reader stumbled across it when trying to verify whether an email that landed in his inbox was genuine. Indeed it was, despite it looking a little dodgy.
In the blog post, the writer contacts PayPal customer support several times, goes via Twitter and even escalates the enquiry and is told variously that the email is definitely or ‘likely’ a spoof or phishing email despite the fact it was entirely genuine.
It came from the domain epl.paypal-communication.com. But PayPal reps repeatedly say it was bogus. You’ll enjoy the whole escapade, so pull up a pew and a cup of coffee to read the full correspondence. It’s a Chekhovian farce where the right hand doesn’t know what the left hand is doing. Even the firstname.lastname@example.org people, the official address they ask you to send suspect mails to, warns of the email’s dodginess.
Whilst on one level this rigmarole is humorous, it’s also a serious problem and a source of disquiet. Not only does it display some serious deficiencies with internal communications but also an inconsistency in domain usage. Phishing emails are a real problem still so it’s worrying that an organisation like PayPal can’t give the correct advice. Not least because it’s a business dealing with sensitive information and our money.
I remember getting this email but, in my case at least, I knew the supposed transaction made no sense. Hovering my mouse over the “links” showed some of them appeared very genuine but at least one simply didn’t look right.
So, as I’ve always done before, I acted to forward it to “email@example.com” only the email bounced back and, after several fruitless attempts, I gave up.
The only thing left for me to do was monitor my PayPal account and the dedicated Bank Account to which it is linked to check for withdrawals. None occurred but it’s left me rather concerned at the way in which I simply couldn’t get any help about this issue.
As always I’m getting “helpful hints” from PayPal about how I should be using their “One Click” buying system . . this phoney email and the lack of any ability to get PayPal to deal with it made my mind up . . in NO WAY am I going to make getting money out of my PayPal account ANY easier . . if only I could remove the automatic link between my eBay and PayPal accounts. Not easy and very inconvenient.
But then so would be getting money back from a fraudulent transaction if BOTH though it actually genuine!
Well today has brought out another batch of phishing emails that have been generated by use of one or more PayPal databases . . two emails received within the last hour have been delivered to my dedicated email address that I use ONLY for one PayPal account.
One stated I had received a “four page E-fax” . . sorry but was unable to deal with that as the string between my two tins had broken . . and the other warning me that I needed to get my accounts into “companies house” urgently. That one was a little easier to spot simply because as I’m a “sole trader” operating well under the VAT threshold I have no need to communicate with “companies house” and within the first line of the text it clearly stated that I had to “deliver my accounts in an acceptable manner not later than 31/06/15 . . . oops! I have been forgetful, haven’t I?
The important thing is that both these emails were sent to a dedicated email address I use for NO OTHER means of communication than PayPal . . so are they then as “forgetful” with their security regarding their databases as I am in – apparently – getting my accounts back?
Looks like I need to waste part of my day creating a new email address and then getting both PayPal and eBay to recognise it!
They didn’t necessarily get your email address from a PayPal database – spammers sometimes just sent email to every possible email address, eg targeting Gmail they send email to a@ gmail.com b@ gmail.com aa@ gmail.com ab@ gmail.com etc etc
Yes, that sort of “automatic phishing” is purpose made for a computer to carry out tirelessly but if you consider how my email addresses are set up you’ll know why I still am apt to consider a leaky database.
I NEVER use any of the web-mail services, my own private email is a paid for account not linked to anything else and I use multiple paid for domain names. The one in question has no WHO IS information, has no web-site attached or simply “parked” to it’s name and is even almost unpronounceable being a word I made up myself. It’s only use is for PayPal, either linked to eBay or for other purchases, never any sales.
So if a trawling-trolling computer found me it was well less than one in a billion . . surely as I’m now getting a steady stream of phishing emails it’s equally if not more likely that it’s been “lifted” from PayPal themselves?
I had an identical issue with an Amazon eMail.
The email received is warning about an account change, which was made on my account (in effect locking me out).
On my contact via phone with Amazon CS, the rep confirmed with me that it definitely a scam/phishing eMail.
This is definitely not the case, as I have truly been robbed of my access to said Amazon account.
So I see it to be a two-fold concern here.
1- The warning sent to me is in vain, because I have no way to act on it, although the actions/changes are not authorized.
2- The valid Amazon eMail is claimed, by Amazon personnel, to be a scam.
SumItUp: All the very needed hype regarding phishing eMails, calling for extreme diligence, is actually being used against our (online users) security.
Never click of them spoofs your paypal and ebay account will be compromised and emptied
An important point here and one little known about. Most email client software, Thunderbird, Outlook, etc., have a default setting of “three windows” with one of these being whatever email your mouse has highlighted being opened and shown.
Now, we are ALL told do not open what you believe to be dodgy emails so this default setting may prove a cause for concern. The way around it is go to the choices or options often shown under the “view” heading and click those options to remove the “message pane”. This gives a “side by side” layout of your folders and the content of each as selected . . but only the title of each email.
By using this method, which doesn’t impact on my ease to read emails, I reckon I “send to junk” about 75% of dodgy stuff sent me without even opening them.
No-one’s PayPal e-mail address is secure, regardless of whether you “only” use it for Ebay purposes or however weird and unguessable the words are – for the simple reason that you reveal it to the buyer every time you sell an item on Ebay.