I took 1 look at it, saw the link...
and deleted it as spam... if I see a link in email, 99.9999999% of the time it's a phishing email so it's ignored. Bloody idiots are in charge at PayPal *again*
OMFG - Fail, because this is an epic one.
PayPal UK has sent out an updated user agreement email to its customers that manages to violate its own tips on how to avoid phishing scams. The payments process outfit disputes the accusation. The message - sent out on Tuesday - bears one of the hallmarks of classic phishing emails by encouraging users to click on a link to …
You and the three idiots above are... well, idiots.
The PayPal e-mail clearly addresses you by your first and last name. That is an exceptionally good pointer as to whether the e-mail is real or fake. When I saw I was being properly addressed I had no qualms about clicking the link after hovering over it.
@AC 12:38: Sorry but I just burst out laughing when I read your post. You obviously don't see that many spam and phishing scams because if you did, you'd know that most start off with... "Dear firstname.lastname@example.org" for PayPal scams and "Dear YourEbayUserId" for eBay scams.
Secondly, if the domain begins with "http://something.paypal.co.uk/..." it's still genuine unless PayPal have had their DNS hacked, and then even www.paypal.com would be suspect. It's definitely a scam if the address is "http://something.paypal.co.uk.another.domain.com/..." because then the parent domain is "domain.com" and not "paypal.co.uk."
Plus, if PayPal write in an e-mail "to read the agreement please type www.paypal.co.uk into your address bar" most half-decent e-mail clients will recognise "www.paypal.co.uk" - and hey presto, you have a link in your e-mail even if PayPal didn't put it in. That's then perfect for scammers who could put the link in, but with a completely different URL.
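The right-to-left domain reading described in the comment above, as an added example that is not part of the original thread: the link is judged by the host it actually targets, never by its visible text or by the expected name appearing somewhere in the URL. `EXPECTED_DOMAIN`, the function names and every sample link are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "paypal.co.uk"  # assumption: the domain the recipient expects


def link_host(url):
    """Return the lower-cased host a URL really points at ("" if none)."""
    if "://" not in url:
        url = "http://" + url  # bare host as typed in a plain-text email
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def belongs_to(host, domain=EXPECTED_DOMAIN):
    """True only for the domain itself or a name ending in ".<domain>"."""
    return host == domain or host.endswith("." + domain)


def check_link(shown_text, href, domain=EXPECTED_DOMAIN):
    """Judge a link by its target host only; the visible text is never trusted."""
    if belongs_to(link_host(href), domain):
        return "ok"
    if domain in shown_text.lower() or domain in href.lower():
        return "deceptive"  # names the expected domain but leads elsewhere
    return "unrelated"


# Constructed sample links: (visible text, real target).
SAMPLES = [
    ("updated user agreement", "http://something.paypal.co.uk/agreement"),
    ("www.paypal.co.uk", "http://something.paypal.co.uk.another.domain.com/"),
    ("www.paypal.co.uk", "http://login.example.net/agreement"),
    ("click here", "http://login.example.net/?randomcrapgoeshere=paypal.co.uk"),
    ("click here", "http://notpaypal.co.uk/"),
    ("weekly offers", "http://news.example.net/"),
]


def classify_samples():
    return [check_link(text, href) for text, href in SAMPLES]


if __name__ == "__main__":
    for (text, href), verdict in zip(SAMPLES, classify_samples()):
        print(f"{verdict:10} {text!r} -> {link_host(href)}")
```

The suffix test requires a leading dot, so a look-alike such as `notpaypal.co.uk` is not accepted as a subdomain of `paypal.co.uk`.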
. . . don't use PayPal at all
Quite a few companies have lost my business because of switching to PP; they probably don't care because their costs are lower (and sales as well obviously, but no bean counter measures that).
And yes, my bank is just as bad at not following their own advice about links <sigh>
I was concerned at first but I clicked the link after:
1. Checking the URL it was pointing to.
2. Verifying the email address they'd used.
Everyone I have contact with gets their own unique address to use. That way I can blacklist them if I have to and I can track spam. I might not know who actually sent the spam but I know who to blame :)
Beg your pardon? Ever heard of Visa?
I have never had - and never will have - a PayPal account, and I manage to buy stuff on the Internet all the time.
Of course, I can't buy where they only accept PayPal, but if that's the case well tough for them, I take my money elsewhere.
"Users are advised to check the URL of any link to make sure it does not direct them to something unexpected, as you know they can do this by hovering their mouse over the link"
Errmmmm what now?! Last time I checked that wasn't a particularly secure way of checking where a link points (although I do admit it is a step up from clicking on it to see).
PayPal screwed up not sticking to their own advice - it makes it sooo much easier for scammers to target them because they can't say "we never put links in our emails - just type it in the addr bar!" any more. It's easy to confuse people that are already likely to fall for that kind of scam by padding the hell out of the link URL with a ?randomcrapgoeshere on the end. As long as they see PayPal.com somewhere in there chances are they'll click.
I bank with smile.co.uk, who get this right - they never send a link in the e-mail, always telling you to go to the home page and log in.
It's really not rocket science, but I suspect marketing departments of insisting on it looking pretty and being trackable, and to hell with the security...
Smile also have a "secure messages" system, so you get an e-mail like the following when they need your attention. No scope for phishing here!
12th July 2010,
Hello Mr Collins
We've sent you a secure message. Please log on to read it.
I got an email from PayPal promising to improve the security of my account
You linked your debit or credit card to your PayPal account on Aug xx, 2010. To make sure the card is yours, we made a small charge to it that you'll need to confirm (and we'll refund the money to your PayPal account when you're done).
The charge creates a unique 4-digit code on your card statement. If you don't see the charge right away, don't worry - sometimes it takes a few days to show up.
When that's done, you'll be able to pay safer online with your card through PayPal - without ever exposing your financial information to sellers.
I followed the instructions to improve my security, and got the following response
Congratulations! Your withdrawal limit has now been lifted. You can now withdraw unlimited funds from your PayPal account.
This means that I am now liable to unlimited losses. What an improvement in security!
I asked for my limit to be reinstated, and this is the response
I regret to inform you that we are unable to apply a withdrawal limit on your account. Now that you already have a Personal Verified account, your withdrawal limit has been lifted.
All of the mails from them are sent by a marketing outfit (EmailVision). The links and linked images refer to emv2.com, which has no index page. Clicking any link takes you to the sainsburysbank.co.uk site, so they are just click-counting, old school.
However - the mails tick all of the boxes to be phishing mails!
I got an email from Barclaycard with a link to a web promotion. Unsure if it was genuine or fake, I emailed Barclaycard via their website contact page asking if the email was real. Their reply? We can't discuss confidential account information by email, please call us on 0845.....
It's rare that I can be bothered to read the small print, but I did and para 4.16 (I think) basically said that PayPal can't be held responsible for anything they tell you in email, in person or on the phone... I think that's a new record in lack-of-corporate-responsibility, so I cancelled my account.
Won't these people ever realise that there is more than one email client and they don't all do the same? If you use a sensible client like Messenger Pro the URL you see is the URL you get. You don't get any HTML nasties like fetching remote images or executing active content unless you deliberately choose to open an HTML part in a browser (or follow the link).
It's stuff like this which confuses the average non-techie user.
This is why it's safer just to say no, avoid links contained within email, and thus live a happier life.
Clicking on web links inside emails is about as beneficial as taking money out of an ATM after midnight - nothing good can come from it, unless you're trying to get wasted, or screwed.
Has no one yet noticed that the eBay Marketplace whale is high and dry on a beach somewhere, has died, and is starting to stink? And then there is PayPal that, some say, has always stunk:
Draft Media Release re PayPal
“It is with great sadness that eBay’s Chief Headless Turkey, John Donahoe, announces the probable demise of eBay’s most ugly daughter, PayPal. Donahoe says that PayPal is about to be stricken by particularly virulent strains of Visa+CyberSource and Mastercard Open Platform, and these afflictions are aggravated by PayPal’s insurmountable lack of direct financial institutions support and a great deal of PayPal user dissatisfaction, particularly with respect to PayPal’s grossly unfair, “all responsibility avoiding” user agreement, totally primitive risk management processes, and grossly unprofessional, usually buyer-biased, fraud-facilitating (indeed, non-existent) transactions mediation, to name just a few of the problems that PayPal merchants have to endure.
“Donahoe says that PayPal’s health may therefore be expected to deteriorate and, if ultimately not completely incapacitated, will most likely be eventually confined to its mandatory offering on what little there will, by then, be left of the Donahoe-devastated eBay marketplaces. There is no cure for this condition, and the “eBafia Don” is particularly saddened by the inevitable presumption that it is unlikely that PayPal will be able to continue to underpin eBay’s sagging bottom line too far into the future.”
Yes, it’s a send-up but, still, it accurately describes PayPal’s most unprofessional and “clunky” operation. The fact is, had the developers of the original “bankcard” concept ever behaved the way PayPal behaves towards its payees in particular, credit/debit cards may never have gotten off the ground, and we would probably still be paying for all our purchases with bits of paper and little metal discs.
A detailed examination of and prognosis for PayPal, (including a link to the “PayPal Horror Tour”) at:
Shill Bidding on eBay: Case Study #4
This latest study is a measure of eBay’s desperation to replace lost revenue and very effectively demonstrates eBay’s effective aiding and abetting of this criminal shill bidding activity, at
eBay/PayPal/Donahoe: Dead Men Walking.