Friday, June 17, 2005

PayPal's Comical Anti-Phishing Page

I have a PayPal account, which I use only sporadically. And I just received an email purporting to be from PayPal itself, which addresses anti-phishing techniques. This should be fun. Let's review PayPal's advice for avoiding phishing scams (which they call spoofing). Entitled "Protect Yourself from Fraudulent Emails", it's actually somewhat comical.

Here's the first "warning sign" of a bogus email, according to PayPal:

Generic greetings.
Many spoof emails begin with a general greeting, such as: "Dear PayPal member."

In other words, the spammers can't address you by name.

According to the security page, after you recognize a phishing attempt, you are advised to immediately contact their anti-fraud department:

Forward the entire email - including the header information - or the site's URL to We investigate every spoof reported. Please note that the automatic response you get from us may not address you by name.

Talk about an enigma wrapped in a riddle... PayPal advises you to report any bogus email purporting to be from their organization. The first way to recognize a fraudulent email is a generic greeting. And when you send in a report of a phishing attempt, PayPal responds with another email that (using their criteria) also appears to be bogus. For the love of...

And here's warning #3:

Fake Links.
The text in a link may attempt to... send you to a spoof address [sic]... be aware that a fake link may even have the word "PayPal" in it.

Interesting. First problem: the PayPal anti-fraud page uses a domain name of, not What the...? Can't anyone here play this game?
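As an added illustration of the "fake links" warning (this is example code written for this post, not anything from PayPal's page), here is a small link checker in the spirit of what a mail client could do: it extracts every anchor from an HTML message and judges the link by the registrable domain of its real destination rather than by whether "PayPal" appears in the link text or hostname. The allow-list holds only paypal.com; the sample message and the lookalike hosts in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains that actually belong to the brand (allow-list). Only paypal.com is
# assumed here; anything else is judged by its destination, not its wording.
TRUSTED_DOMAINS = {"paypal.com"}

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (a simplification of the public-suffix rule)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify_link(href: str, text: str) -> str:
    """'ok' if the destination is a trusted domain, 'suspicious' if the brand
    name is used but the destination is elsewhere, otherwise 'external'."""
    host = urlsplit(href).hostname or ""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "ok"
    if "paypal" in host or "paypal" in text.lower():
        return "suspicious"   # brand name present, destination not PayPal-owned
    return "external"

def audit_links(html: str):
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in parser.links]

# Constructed sample message body: one genuine link, one lookalike hostname,
# and one link whose visible text is a PayPal URL but whose href is an IP.
SAMPLE = """<p>Dear PayPal member,</p>
<a href="https://www.paypal.com/help">PayPal Help</a>
<a href="https://paypal.com.example.net/login">Log in to PayPal</a>
<a href="http://203.0.113.5/pp/">https://www.paypal.com/</a>"""

if __name__ == "__main__":
    for href, text, verdict in audit_links(SAMPLE):
        print(f"{verdict:10s} {text!r:30s} -> {href}")
```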

Yet another interesting aspect to the PayPal anti-fraud message is their attempt to get you to download a "helpful toolbar". Here's more from their security page:

...If you use Internet Explorer, download the eBay toolbar. Account Guard helps ensure you are on PayPal or eBay. Download the eBay toolbar now...

This is almost too easy. My prediction is that phishers will create and pitch a fake eBay toolbar using their typical, massive spamming campaigns. For the phishers, this is an even better deal. Users will install a truly malevolent trojan themselves, all under the guise of increased security.

You heard it here first.

In my opinion -- and, for at least the three reasons listed above -- the PayPal anti-phishing page leaves a lot to be desired.

The only realistic way to deal with the phishing scourge is to use digital signatures and intelligent email clients (preferably web-based) to ensure that the guy who says he sent the file really did so. Yahoo has released a proposed standard called DomainKeys that does exactly that.

I think I'll wait for DomainKeys, thank you.

PayPal: Protect Yourself from Fraudulent Emails
