PayPal UK has sent out an updated user agreement email to its customers that manages to violate its own tips on how to avoid phishing scams. The payments process outfit disputes the accusation. The message - sent out on Tuesday - bears one of the hallmarks of classic phishing emails by encouraging users to click on a link to …
I took one look at it, saw the link...
and deleted it as spam... if I see a link in an email, 99.9999999% of the time it's a phishing email so it's ignored. Bloody idiots are in charge at PayPal *again*
OMFG - Fail, because this is an epic one.
I didn't trust the subdomain.
I also found it odd I got 2 emails quite close together, just like phishing emails.
ditto here too
Took one look and marked it as spam.
you + 3
You and the three idiots above are... well, idiots.
the paypal e-mail clearly addresses you by your first and last name. That is an exceptionally good pointer as to whether the e-mail is real or fake. When I saw I was being properly addressed I had no qualms about clicking the link after hovering over it.
It won't be too long before your bank balance is in Lagos then, if you think that that's good enough evidence for an email to be genuine.
You're the only idiot here.
Oh, and you can't count either.
@AC 12:38: Sorry but I just burst out laughing when I read your post. You obviously don't see that many spam and phishing scams because if you did, you'd know that most start off with... "Dear email@example.com" for PayPal scams and "Dear YourEbayUserId" for ebay scams.
Secondly, if the domain begins with "http://something.paypal.co.uk/..." it's still genuine unless PayPal have had their DNS hacked, and then even www.paypal.com would be suspect. It's definitely a scam if the address is "http://something.paypal.co.uk.another.domain.com/..." because then the parent domain is "domain.com" and not "paypal.co.uk."
Plus, if PayPal write in an e-mail "to read the agreement please type www.paypal.co.uk into your address bar" most half-decent e-mail clients will recognise "www.paypal.co.uk" - and hey presto, you have a link in your e-mail even if PayPal didn't put it in. That's then perfect for scammers who could put the link in, but with a completely different URL.
Another idiot who is far too trusting...
or even better?
. . . don't use PayPal at all
quite a few companies have lost my business because of switching to PP, they probably don't care because their costs are lower (and sales as well obviously, but no bean counter measures that)
and yes my bank is just as bad at not following their own advice about links <sigh>
I ignored the link in the email and looked for the changes from their home page.
Let's be careful out there.
I was concerned at first but I clicked the link after:
1. Checking the URL it was pointing to.
2. Verifying the email address they'd used.
Everyone I have contact with gets their own unique address to use. That way I can blacklist them if I have to and I can track spam. I might not know who actually sent the spam but I know who to blame :)
Yup... I do the same, so knew the mail was from them. However if some disgruntled employee at PayPal were to sell their mailing list to phishers then that wouldn't help much.
Personally I took the opportunity to manually type in their link, log in, and cancel my account.
Happened at least twice before that I can remember. Hate paypal with a passion, but often have no real alternative.
no real alternative ?
Beg your pardon ? Ever heard of Visa ?
I have never had - and never will have - a PayPal account, and I manage to buy stuff on the Internet all the time.
Of course, I can't buy where they only accept PayPal, but if that's the case well tough for them, I take my money elsewhere.
Ever heard of Visa ?
Ever heard of Verified by Visa?
They do this with every single email they send out, in fact I've forwarded a few of them to your news desk pointing out the fact.
...in my mailbox. I deleted it, thinking it was a scam.
"Users are advised to check the URL of any link to make sure it does not direct them to something unexpected, as you know they can do this by hovering their mouse over the link"
Errmmmm what now?! Last time I checked that wasn't a particularly secure way of checking where a link points (altho I do admit it is a step up from clicking on it to see).
PayPal screwed up not sticking to their own advice - it makes it sooo much easier for scammers to target them because they can't say "we never put links in our emails - just type it in the addr bar!" any more. It's easy to confuse ppl that are already likely to fall for that kind of scam by padding the hell out of the link URL with a ?randomcrapgoeshere on the end. As long as they see PayPal.com somewhere in there chances are they'll click.
Re: Bad advice
"Last time I checked that wasn't a particularly secure way of checking where a link points"
I use a mail client that renders HTML email as plain text. The links are then exposed, so you can compare the link text with actual link. Makes spotting phishing emails much easier.
That was a genuine email?
Oh hum, best go check their site and see what new screws they're adding to the list of requirements now.
By typing it in manually of course :D
Smile.co.uk get this right
I bank with smile.co.uk, who get this right - they never send a link in the e-mail, always telling you to go to the home page and log in.
It's really not rocket science, but I suspect marketing departments of insisting on it looking pretty and being trackable, and to hell with the security...
Smile also have a "secure messages" system, so you get an e-mail like the following when they need your attention. No scope for phishing here!
12th July 2010,
Hello Mr Collins
We've sent you a secure message. Please log on to read it.
As the link wasn't to a PayPal URL I assumed it was phishing.
So, what changes to the Ts & Cs are they trying to get past us?
Just got it out of my trash bin
Didn't trust that the URLs were all email0.paypal.com/...
Anything under paypal.com/ is under PayPal's control. If an address like http://email0.paypal.com/ is scamming you then they've had their DNS hacked, and you can't even trust www.paypal.com then.
Worry if the address is something like http://email0.paypal.com.dodgy-domain.com
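The parent-domain test this comment and the earlier one (something.paypal.co.uk versus something.paypal.co.uk.another.domain.com) describe, plus the compare-the-link-text-with-the-actual-link check from the plain-text-client comment, as an added Python example that is not from the thread: a link is only accepted when the hostname a browser would actually connect to is the trusted domain or a subdomain of it, so query padding such as ?u=www.paypal.co.uk changes nothing. The sample mail body, the dodgy-domain.example hosts and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("paypal.co.uk", "paypal.com")  # assumed: the sender's own domains

def host_belongs_to(host, parent):
    """True only if host is parent itself or a subdomain of it (not a substring test)."""
    host = host.lower().rstrip(".")
    return host == parent or host.endswith("." + parent)

def link_host(url):
    """Hostname a browser would connect to; path/query padding like ?u=www.paypal.co.uk is ignored."""
    return (urlsplit(url).hostname or "").lower()

def is_trusted_link(url, trusted=TRUSTED_DOMAINS):
    return any(host_belongs_to(link_host(url), d) for d in trusted)

class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# Something in the visible link text that looks like a hostname, e.g. www.paypal.co.uk
_HOSTISH = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def audit_links(html_body, trusted=TRUSTED_DOMAINS):
    """Per link: (href, href on a trusted domain?, visible text names a different host?)."""
    parser = _Anchors()
    parser.feed(html_body)
    report = []
    for href, text in parser.links:
        shown = _HOSTISH.search(text)
        mismatch = bool(shown) and not host_belongs_to(link_host(href), shown.group(1).lower())
        report.append((href, is_trusted_link(href, trusted), mismatch))
    return report

SAMPLE_EMAIL = """<a href="https://email0.paypal.co.uk/track?id=123">Read the updated agreement</a>
<a href="http://www.paypal.co.uk.dodgy-domain.example/login">www.paypal.co.uk</a>
<a href="http://www.dodgy-domain.example/?u=www.paypal.co.uk">https://www.paypal.co.uk/</a>"""  # constructed sample
```

Running audit_links(SAMPLE_EMAIL) flags the second and third links as untrusted and as showing a hostname their href does not go to, while the first (a genuine subdomain of paypal.co.uk) passes.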
Very strange concept of security at PayPal
I got an email from PayPal promising to improve the security of my account
You linked your debit or credit card to your PayPal account on Aug xx, 2010. To make sure the card is yours, we made a small charge to it that you'll need to confirm (and we'll refund the money to your PayPal account when you're done).
The charge creates a unique 4-digit code on your card statement. If you don't see the charge right away, don't worry - sometimes it takes a few days to show up.
When that's done, you'll be able to pay safer online with your card through PayPal - without ever exposing your financial information to sellers.
I followed the instructions to improve my security, and got the following response
Congratulations! Your withdrawal limit has now been lifted. You can now withdraw unlimited funds from your PayPal account.
This means that I am now liable to unlimited losses. What an improvement in security!
I asked for my limit to be reinstated, and this is the response
I regret to inform you that we are unable to apply a withdrawal limit on your account. Now that you already have a Personal Verified account, your withdrawal limit has been lifted.
Just goes to show
They don't give a fuck
When I saw that a withdrawal limit was placed because the card wasn't verified, it occurred to me that it was quite a good idea to proceed no further.
All of the mails from them are sent by a marketing outfit (EmailVision). The links and linked images refer to emv2.com, which has no index page. Clicking any link takes you to the sainsburysbank.co.uk site, so they are just click-counting, old school.
However - the mails tick all of the boxes to be phishing mails!
Closed account was best option.
Read the email, didn't like the 0 in the server address - verified it was genuine.
Read the full terms, didn't like that I will have to pay an extra % dependent on the seller's country.
Followed the advice on closing my account.
ALL of their Updates are detected as Spam
I always go direct to site.
I'm never much wiser afterwards as PayPal T&C are as clear as Elbonian Mud.
That's a slur on Elbonian Mud.
I'm another who thought it was a scam.
But it reminded me to cancel my PayPal account so it's all good.
I got an email from Barclaycard with a link to a web promotion. Unsure if it was genuine or fake, I emailed Barclaycard via their website contact page asking if the email was real. Their reply? We can't discuss confidential account information by email, please call us on 0845.....
terms and conditions
It's rare that I can be bothered to read the small print, but I did and para 4.16 (I think) basically said that paypal can't be held responsible for anything they tell you in email, in person or on the phone... I think that's a new record in lack-of-corporate-responsibility, so I cancelled my account.
"Hovering their mouse over the link"
Won't these people ever realise that there is more than one email client and they don't all do the same? If you use a sensible client like Messenger Pro the URL you see is the URL you get. You don't get any HTML nasties like fetching remote images or executing active content unless you deliberately choose to open an HTML part in a browser (or follow the link).
Wait - it WASN'T spam?
Who'd have guessed? Well, not me.
Reminds me of the time that HBOS outsourced their mailshots to a 3rd party bulk mailer with a domain registered to a caravan park. For reals.
PayPal loves me...
... at least according to their pop quiz. Question 4 is "A PayPal email will never contain (a) declarations of love, (b) images, (c) attachments or software".
Since (c) is the right answer, I have to assume PayPal is planning to send me declarations of love.
The Wife forwarded hers straight to the Paypal abuse address. She is well trained. No auto-response yet (from Paypal, I mean).
Paypal Safety Advice
Paypal's legitimate "safety advice" pages are hosted on a separate domain, paypal-marketing.co.uk. Comically some wag has flagged it as a fraud site to phishtank.com amongst others which means Opera at least won't let you see it by default.
Just say no
It's stuff like this which confuses the average non-techie user.
This is why it's safer just to say no, avoid links contained within email, and thus live a happier life.
Clicking on web links inside emails is about as beneficial as taking money out of an ATM after midnight - nothing good can come from it, unless you're trying to get wasted, or screwed.
eBay/PayPal/Donahoe: Dead Men Walking
Has no one yet noticed that the eBay Marketplace whale is high and dry on a beach somewhere, has died, and is starting to stink? And then there is PayPal that, some say, has always stunk:
Draft Media Release re PayPal
“It is with great sadness that eBay’s Chief Headless Turkey, John Donahoe, announces the probable demise of eBay’s most ugly daughter, PayPal. Donahoe says that PayPal is about to be stricken by particularly virulent strains of Visa+CyberSource and Mastercard Open Platform, and these afflictions are aggravated by PayPal’s insurmountable lack of direct financial institutions support and a great deal of PayPal user dissatisfaction, particularly with respect to PayPal’s grossly unfair, “all responsibility avoiding” user agreement, totally primitive risk management processes, and grossly unprofessional, usually buyer-biased, fraud-facilitating (indeed, non existent) transactions mediation, to name just a few of the problems that PayPal merchants have to endure.
“Donahoe says that PayPal’s health may therefore be expected to deteriorate and, if ultimately not completely incapacitated, will most likely be eventually confined to its mandatory offering on what little there will, by then, be left of the Donahoe-devastated eBay marketplaces. There is no cure for this condition, and the “eBafia Don” is particularly saddened by the inevitable presumption that it is unlikely that PayPal, will be able to continue to underpin eBay’s sagging bottom line too far into the future.”
Yes, it’s a send-up but, still, it accurately describes PayPal’s most unprofessional and “clunky” operation. The fact is, had the developers of the original “bankcard” concept ever behaved the way PayPal behaves towards its payees in particular, credit/debit cards may never have gotten off the ground, and we would probably still be paying for all our purchases with bits of paper and little metal discs.
A detailed examination of and prognosis for PayPal, (including a link to the “PayPal Horror Tour”) at:
Shill Bidding on eBay: Case Study #4
This latest study is a measure of eBay’s desperation to replace lost revenue and very effectively demonstrates eBay’s effective aiding and abetting of this criminal shill bidding activity, at
eBay/PayPal/Donahoe: Dead Men Walking.
Read the email
If you read the email it also stated that you could type in paypal into your browser's URL address bar. So I read that and typed it in and didn't find anything wrong at all.