back to article PayPal mistakes own email for phishing attack

Banks and financial institutions are fond of lecturing customers about the perils of phishing emails, the bogus messages that attempt to trick marks into handing over their login credentials to fraudulent sites. Yet many undo this good work by sending out emails themselves that invite users to click on a link and log into their …


This topic is closed for new posts.
  1. Anonymous Coward

    Been there, done that

    "We need loads of information from you to verify your identity because your account has been broken into", Paypal unexpectedly tells me a few months back.

    "What?!", I reply.

    "Er, nothing", says Paypal.

    "But I had an email from you saying otherwise! Here it is complete with headers proving it's from you", says me.

    "You're account's fine. It's a phishing scam, you should be careful of that", says Paypal.

    "Goodbye", says me.

  2. clint11
    Thumb Down

    PayPal emails

    I had an email from them a couple of weeks ago stating that they had tried to put money into my bank account but my bank account had been closed.

    I replied via the PayPal site and they said it was a genuine email also stating in the reply that it was my banks fault, although enquires at my bank showed no link to any PayPal transactions.

    1. Maverick

      they are all muppets

      @clint11: that's because PayPal are a set of half witted twunts and I avoid them if at all possible, which means I haven't bought anything from eBay in years

      and GoogleCheckout is only very, very slightly better - they also do random events / order cancellations and never reply to emails

      funnily enough I had an email from my bank (NatWest) this morning, contained 3 different links - think it was genuine but I simply deleted it anyway because

      on THEIR advice "phishing emails are usually sent out in bulk and often do not contain your first name or surname" - it didn't of course "sophisticated email messages can contain links or forms that you may fill out just as you would do on a legitimate website" <sigh>

  3. adnim

    Not sure about this

    "Not even PayPal support can tell the difference between a legitimate PayPal email and a phishing attack,"

    Surely the embedded link that points to gives the game away,

    Why don't Paypal and banks etc. sign their emails with pgp?

    1. mfraz

      Here's an idea

      Why don't they just send emails in plain text?

    2. Cameron Colley

      Don't you mean you mean a link like this?


  4. Pandy06269

    How is this news?

    "...make exactly the same security faux pas"

    How is this a "security faux pas?" In fact, how is it even news?

    Yes, it shows just how good the scammers are. But come on, this would have been much more news worthy if PayPal had told the customer that a scam e-mail was genuine and to go ahead and give away their bank details to a scammer's website.

  5. Chris Beach


    Are you sure about banks?

    I get nothing legit from my main bank HSBC, and I only get 2 emails each from my other two CC's and they are just to tell me statement's done, and then one to please pay. But neither email contains a logon link, or in fact how much I owe.

    1. Aristotles slow and dimwitted horse
      Thumb Up

      Agree with Chris.

      I am with First Direct and get no comms from them via email. This also goes for 2 of my credit card suppliers.

    2. Nick Stallman

      Me too

      ANZ in Australia also sends me emails when my bank statement is ready and it has no links, addresses me by name and is completely plain text.

      I was very impressed that they do it so well.

      They dont even have their logo at all.

  6. Jamie Kitson


    Posted this six months ago, third paragraph:

  7. Anonymous Coward

    Colour me unsurprised.

    It would already help tremendously if all those warm bodies at those companies could manage to write a reasonable email. But since everybody including even techies nowadays have forgotten how offensive it is to top-post, not trim, and instead habitually smash the mail back in your face with their crayon scribblings on top, and manage to write incomprehensible gibberish even after application of spelling AND grammar checkers, I'm not surprised that people still fall for the stellar writing performances the very best of seasoned nigerian 419 scammers bring to your very own email inbox. In that light it is astounding that they catch less extravagant phishes on occasion.

    Regarding PGP: Not to put a too fine a point on it, but if people cannot manage to write comprehensibly, then expecting them to manage using crypto is a complete folly. It is rather like asking someone who has trouble holding a crayon and needs to extend real effort to bring its business end to bear on paper, to neatly fold the sheet, put it in a windowed envelope such that the address on the paper is readable through the window, and seal the envelope. If you think this is too pessimistic, find a copy of the paper titled _why johnny can't encrypt_. Read it and weep. Or not. I for me have no tears left for the great unwashed.

    1. Anonymous Coward


      If I receive another email along the lines of...

      "Can you comeand for me to computer problems for me"

      I'm going to go postal.

  8. Myopic Aardvark

    Always Suspicious of Paypal

    I haven't used Paypal in years, since they screwed up a transaction, leaving me very red faced.

    My wife will occassionally dabble in eBay purchases and every single time she uses Paypal, she gets a flurry of emails through claiming to be from random banks within a few seconds of completing the transaction.

    The irony is she works for the first bank in the spam list.

    (The first time this happened, I made sure her PC was clear of viruses and the usual culprits which it was - we've test this on multiple PCs now and it's always the same - kind of proves that Paypal transactions lead to unwanted Spam).

    1. Anonymous Coward

      True dat

      I've use distinct email addresses for each online service that I sign up to. I was fine using ebay & paypal for a while, but then there was one transaction I made and immediately started getting spam to both those addresses, which naturally now gets forwarded to dave null.

      I concluded that the vendor in that case had some form of infection on his computer that was sending email addresses to a spammer.

  9. this

    Banks, and another thing...

    ...I love it when they phone you up out of the blue and immediately start asking you security questions to prove *your* identity. I always ask them how do I know they're who they say they are as my phone says 'number withheld' and they generally get put out by my effrontery.

    1. ravenviz Silver badge
      Thumb Up

      Phish back

      I made the mistake of getting a loan quote online just out of interest to know what loan repayments are like these days, of course I had to provide my phone number (doh!). I got so many calls about loans I ended up replying to them that how did I know they weren't a scammer! To answer, "Can you confirm your address" with "I'm sorry I can't do that over the phone" led to a response of "we're not getting very far with this" and they ended the call! I didn't get any more calls!

  10. Tom 35

    My Bank

    Never sends marketing junk emails, and the rare event that they think they have something important to say the email just says I should log onto my web banking account with no links. They post stuff as privet messages that appear after I have logged on.

    But a couple of years back they used to call me and ask for personal info to prove who I was. I pointed out that they called me, and I didn't know who they were so I was not going to give out any info. It took them a while to catch on but they don't do that any more.

    I don't have a paypal account and don't plan to any time soon.

    1. Anonymous Coward
      Anonymous Coward

      Privet messages . . .

      . . . dabbling in hedge funds, then?

    2. Anonymous John

      @ Privet messages

      You have a hedge fund?

    3. Captain DaFt

      @:Tom 35

      "They post stuff as privet messages that appear after I have logged on."

      So, you have a hedge fund with them?

  11. John F***ing Stepp

    Rotating responses


    ...I love it when they phone you up out of the blue and immediately start asking you security questions to prove *your* identity. I always ask them how do I know they're who they say they are as my phone says 'number withheld' and they generally get put out by my effrontery.


    I kind of mentally flip a coin and use . . .

    Well actually my favorite is to use a little child's voice and tell them my parents have been gone for three days and that I am very hungry.

    I have really heard a phone solicitor cry.

    (but, you know, they really don't feel pain like we do.)

  12. Criminny Rickets

    Right Hand vs Left Hand

    I received an email from Paypal about a month ago with a special offer of a bonus from them for updating my account. The email contained a link to follow to update my account. Highlighting the link, it looked like a legitimate Paypal site, except it was to http rather than https. As I had already fulfilled the pre-requisite prior to receiving the email, I called their support number. They didn't know anything about the offer and thought it might be a phishing attack, so had me forward the email to their investigation department.

    I just received an email from them a few days ago letting me know I had received my bonus. I logged into my Paypal account, and sure enough, it was there.

  13. Ed 4

    Paypal's been going downhill

    When I first started with Paypal, it was after doing a fairly intensive review of their policies and the various online comments about their service with several of my friends. There were a few interface WTFs, but the service worked fairly reliably.

    As the years went by, there were more and more WTFs. When eBay bought them, the rate of new issues went up, and, one by one, my friends and I quit using it.

    I haven't used Paypal in several years. However, from the various comments I've read about paypal, and the various emails I get from PayPal still, I'm guessing there's still more WTFs being added than removed at any given moment.

    That having been said, it's entirely possible that they have decided to start sending out their own phishing attacks, in order to perform some targeted user awareness training. Of course, this is still a WTF, as they're obviously not aware that some of us read our email in the raw, rather than using some fancy HTML rendering engine (Note: I use a fancy HTML rendering engine, but only for emails from non-commercial orgs.&nbsp; Any email from a financial company with which I've ever done business triggers a plain text display filter), and they're obviously not communicating about said messages to their staff.

    However, my bet is that these are real phishing messages, sent from bots within Paypal - which, I think, is a bigger WTF.

    Re: Colour me unsurprised:

    Top posting vs. nested replies is context sensitive. Using a nested reply, with appropriate conversation trimming, in the wrong context is as bad as top posting in the wrong context. Both are, IMHO, preferable to the context-free replies that some people give. But you are right - it is disconcerting how few have any semblance of netiquette awareness...

  14. the spectacularly refined chap

    They can't get their act together

    Forget everything they say, their actions speak louder.

    emails that contains links are often cited, but their are often other issues that make even legitimate mails look fraudulent.. For example if you select plain text email most of the problem goes away since the phishing mails are invariably HTML formatted and can be spotted a mile off. However some one off messages don't seem to have a plain text form and are only sent as HTML, muddying what should be a clear cut, hard and fast rule.

    Then I remember receiving a mail from them recently (again HTML formatted in contradiction of my preferences) that reassured me that it was genuine simply because it was personally addressed to me and forgeries never were. I couldn't believe even Paypal could be that stupid but the headers checked out and the embedded links really did point to Paypal.

    So, according to Paypal anything that contains my real name is legitimate. It is obviously impossible for anyone to get my name from a usenet post or wherever else they originally got my address from.

  15. Giles Jones Gold badge

    HTML Email

    HTML emails screwed everything up. If everyone had stuck to plain text then maybe so many junk emails and adverts wouldn't be sent. Spam would look boring and uninviting as well.

    Of course you can disable viewing it in some email clients.

  16. RW

    @ mfraz & @ this

    mfraz: "Why don't they just send emails in plain text?"

    I purposely use an ancient email client that allows you to turn off HTML rendering (Pegasus 3.12). Most emails with an HTML version also include a text version, but a few don't; and some simply reiterate the HTML as text, which produces an unreadable result.

    Yes, plain text would solve a lot of problems. Too bad that Dear Redmond thoroughly muddied the waters years ago by allowing html in the body of an email.

    this: "...I love it when they phone you up out of the blue and immediately start asking you security questions to prove *your* identity. I always ask them how do I know they're who they say they are as my phone says 'number withheld' and they generally get put out by my effrontery."

    I have to give credit to my bank: when their CC security called to verify the validity of a charge, I did the same thing, and got the reply "If you prefer, you can call the toll free number on the back of the card." That was enough to okay it in my eyes, but it was also noticeable that the gal on the phone had merely asked if I was so-and-so, then if a CC charge for X euros to such-and-such place was valid. (Which it was, as it happens, but better safe than sorry.)

    Clearly, somebody at my bank has a clue and has properly trained the security folks.

    A ray of sunshine on an otherwise dark and cloudy scene.

  17. Spanners Silver badge


    My bank used to call me in this way in the past and start asking me questions. I just started to ask them questions back which they generally couldn't "because of the data protection act".

    Perhaps we have the same bank? Equally likely, some security consultant being paid huge rates told them both. I am always willing to give blatantly obvious advice for half that,,,

    1. Steve Brooks

      proof of identity

      "My bank used to call me in this way in the past and start asking me questions. I just started to ask them questions back which they generally couldn't "because of the data protection act".

      I deal with a lot of telecoms related issues, mainly to do with internet in Australia. One of our largest ISP's, Bigpond, does this also. They will call a customer up out of the blue, tell them their is an issue with their account payment, then ask for their USERNAME and PASSWORD as proof of identity. (yes I put it in caps just it make it clear it is actually that, the same ones they use to log into their ISP account, the same ones they use in their email account, the same ones they put into their modem).

      The last time I fielded a call like that I had the same thoughts, so I asked for their name and user ID and for a number to call them back on. They said, "sorry we can't give out our inbound number." But actually I wasn't going to use that number, they could give any number and how would I know its not the number of ISP, I just wanted it to check against the ISP number. So then I just said I would call on the national contact number and ask for them by name and ID, couldn't do that either, there is apparantly no way to get forwarded from the national call centre to their department, so a big dose of FAIL all around.

      These sorts of systems just encourage social engineering attacks, no wonder many members of the big unknowing internet using masses get caught all the time when their ISP does that.

  18. VinceH

    Stock response

    As some of the comments on Abrams' page state, the email he received "confirming" the one he sent them was a phishing attempt is just an automated reply sent out as standard to anything sent to As "a former Microsoft staffer who is now director of technical education at anti-virus firm Eset" he really should realise that.

    Switching to telephone calls from banks, as others have commented here, I too have occasionally had calls from my bank and credit card companies, who then go on to ask me security questions. Some of which I don't mind answering due to the absolute lack of security they provide, others of which I flatly refuse to answer. I thought this had come to an end until a few days ago, when my credit card company rang me and... well:

  19. wsm

    Right the first time

    Paypal should realize they were phishing, contact the responsible corporation and run them out of business. Problem solved by those who caused it. Imagine that!

  20. Anonymous Coward

    Great quote

    ""Not even PayPal support can tell the difference between a legitimate PayPal email and a phishing attack," Abrams notes."

    This made my day :)

  21. foxyshadis


    LMAO, you think Microsoft invented HTML email? Damn, you're dense. They've been around in one form or another since 1992 (as a pre-HTML rich text with HTML-like tags), and HTML itself was supported by Netscape 2.0 in 1996. Microsoft didn't get this capability until Outlook 2000!

    Not only that, but you don't need to stick with an ancient client - all modern clients allow you to view everything as plain text, too, except web-based ones (obviously). Have you ever bothered to try one?

    1. Mark Boothroyd

      web based email and viewing plain text

      "all modern clients allow you to view everything as plain text, too, except web-based ones (obviously). Have you ever bothered to try one?"

      Not true about web based emails, at least not the two I use.

      With Hotmail ( nowadays), just right click on the message in your inbox and select 'View message source'.

      With Google mail. open the message, then click the drop down arrow in the top right of the message window (next to the reply button) and select 'Show original'.

  22. Dave Bell

    It's the marketing surveys

    In the past I've had email surveys purporting to be by Paypal, coming from some unknown-to-me source.

    And, yes. they have been genuine. Paypal employs some contractor to do the work. It's a skilled and specialised job. But they do tend to trigger the warnings Paypal specify.

  23. The First Dave


    "back-handed tribute to the eBay subsidiary's success"

    I think that really this is a tribute to how easy it is for scammers to get money out of PayPal, regardless of the source, and to exactly how much effort (none) is put into tracing those scammers when it has been proven that a scam has occurred.

This topic is closed for new posts.

Other stories you might like