back to article PayPal update email 'violates own anti-phishing advice'

PayPal UK has sent out an updated user agreement email to its customers that manages to violate its own tips on how to avoid phishing scams. The payments process outfit disputes the accusation. The message - sent out on Tuesday - bears one of the hallmarks of classic phishing emails by encouraging users to click on a link to …


This topic is closed for new posts.
  1. Anonymous Coward

    i took 1 look at it, saw the link...

    and deleted it as spam... if i see a link in email, 99.9999999% of the time its a phishing email so its ignored. Bloody idiots are in charge at paypal *again*

    OMFG - Fail, because this is an epic one.

    1. Citizen Kaned


      i didnt trust the subdomain.

      i also found it odd i got 2 emails quite close together, just like phishing emails.

    2. finnbarr

      ditto here too

      Took one look and marked it as spam.

    3. yoinkster

      you + 3

      you and the three idiots above are ...well, idiots.

      the paypal e-mail clearly addresses you by your first and last name. That is an exceptionally good pointer as to whether the e-mail is real or fake. When I saw I was being properly addressed I had no qualms about clicking the link after hovering over it.

      1. Anonymous Coward


        It won't be too long before your bank balance is in Lagos then, if you think that that's good enough evidence for an email to be genuine.

        You're the only idiot here.

        1. Pandy06269

          Genuine e-mails

          @AC 12:38: Sorry but I just burst out laughing when I read your post. You obviously don't see that many spam and phishing scams because if you did, you'd know that most start off with... "Dear" for PayPal scams and "Dear YourEbayUserId" for ebay scams.

          Secondly, if the domain begins with "" it's still genuine unless PayPal have had their DNS hacked, and then even would be suspect. It's definitely a scam if the address is "" because then the parent domain is "" and not ""

          Plus, if PayPal write in an e-mail "to read the agreement please type into your address bar" most half-decent e-mail clients will recognise "" - and hey presto, you have a link in your e-mail even if PayPal didn't put it in. That's then perfect for scammers who could put the link in, but with a completely different URL.

          1. Anonymous Coward


            Another idiot who is far too trusting...

      2. Anonymous Coward


        Oh, and you can't count either.

  2. Maverick

    or even better?

    . . . don't use PayPal at all

    quite a few companies have lost my business because of switching to PP, they probably don't care because their costs are lower (and sales as well obviously, but no bean counter measures that)

    and yes my bank is just as bad at not following their own advice about links <sigh>

  3. Code Monkey

    Me too

    I ignored the link in the email and looked for the changes from their home page.

    Let's be careful out there.

  4. AndrueC Silver badge


    I was concerned at first but I clicked the link after:

    1.Checking the URL it was pointing to.

    2.Verifying the email address they'd used.

    Everyone I have contact with gets their own unique address to use. That way I can blacklist them if I have to and I can track spam. I might not know who actually sent the spam but I know who to blame :)

    1. Anonymous Coward
      Anonymous Coward


      Yup...I do the same, so knew the mail was from them. However if some disgruntled employee at pay pay were to sell their mailing list to phishers then that wouldn't help much.

      Personally I took the oppotunity to manually type in their link, log in, and cancel my account.

  5. Andrew Bolton

    Serial offenders

    Happened at least twice before that I can remember. Hate paypal with a passion, but often have no real alternative.

    1. Pascal Monett Silver badge

      no real alternative ?

      Beg your pardon ? Ever heard of Visa ?

      I have never had - and never will have - a PayPal account, and I manage to buy stuff on the Internet all the time.

      Of course, I can't buy where they only accept PayPal, but if that's the case well tough for them, I take my money elsewhere.

      1. Cazzo Enorme

        Ever heard of Visa ?

        Ever heard of Verified by Visa?

  6. Jamie Kitson

    Not New

    They do this with every single email they send out, in fact I've forwarded a few of them to your news desk pointing out the fact.

  7. Owen Sweeney

    Got it.. my mailbox. I deleted it, thinking it was a scam.

  8. Ross 7

    Bad advice

    "Users are advised to check the URL of any link to make sure it does not direct them to something unexpected, as you know they can do this by hovering their mouse over the link"

    Errmmmm what now?! Last time I checked that wasn't a particularly secure way of checking where a link points (altho I do admit it is a step up from clicking on it to see).

    PayPal screwed up not sticking to their own advice - it makes it sooo much easier for scammers to target them because they can't say "we never put links in our emails - just type it in the addr bar!" any more. It's easy to confuse ppl that are already likely to fall for that kind of scam by padding the hell out of the link URL with a ?randomcrapgoeshere on the end. As long as they see somewhere in there chances are they'll click.

    1. Cazzo Enorme

      Re: Bad advice

      "Last time I checked that wasn't a particularly secure way of checking where a link points"

      I use a mail client that renders HTML email as plain text. The links are then exposed, so you can compare the link text with actual link. Makes spotting phishing emails much easier.

  9. Sampler

    That was a genuine email?

    Oh hum, best go check their site and see what new screws they're adding to the list of requirements now.

    By typing it in manually of course :D

  10. Rowan Collins
    Happy get this right

    I bank with, who get this right - they never send a link in the e-mail, always telling you to go to the home page and log in.

    It's really not rocket science, but I suspect marketing departments of insisting on it looking pretty and being trackable, and to hell with the security...

    Smile also have a "secure messages" system, so you get an e-mail like the following when they need your attention. No scope for phishing here!

    12th July 2010,

    Hello Mr Collins

    We've sent you a secure message. Please log on to read it.



  11. Tim #3

    Me too

    As the link wasn't to a paypal URL I assumed it was fishing.

    So, what changes to the Ts & Cs are they trying to get past us?

  12. bredman

    Very strange concept of security at PayPal

    I got an email from PayPal promising to improve the security of my account

    -Start quote-

    You linked your debit or credit card to your PayPal account on Aug xx, 2010. To make sure the card is yours, we made a small charge to it that you'll need to confirm (and we'll refund the money to your PayPal account when you're done).

    The charge creates a unique 4-digit code on your card statement. If you don't see the charge right away, don't worry - sometimes it takes a few days to show up.

    When that's done, you'll be able to pay safer online with your card through PayPal - without ever exposing your financial information to sellers.

    -End quote-

    I followed the instructions to improve my security, and got the following response

    -Start quote-

    Congratulations! Your withdrawal limit has now been lifted. You can now withdraw unlimited funds from your PayPal account.

    -End quote-

    This means that I am now liable to unlimited losses. What an improvement in security!

    I asked for my limit to be reinstated, and this is the response

    -Start quote-

    I regret to inform you that we are unable to apply a withdrawal limit on your account. Now that you already have a Personal Verified account, your withdrawal limit has been lifted.

    -End quote-

    1. N2

      Just goes to show

      They dont give a fuck

      When I saw that a withdrawal limit was placed because the card wasnt verified, it occurred to me that it was quite good idea to proceed no further.

  13. Hayden Clark Silver badge

    sainsburys bank

    Are terrible.

    All of the mails from them are sent by a marketing outfit (EmailVision). The links and linked images refer to, which has no index page. Clicking any link takes you to the site, so they are just click-counting, old school.

    However - the mails tick all of the boxes to be phishing mails!

  14. Pondule

    Just got it out of my trash bin

    Didn't trust that the URLs were all

    1. Pandy06269


      Anything under is under PayPal's control. If an address like is scamming you then they've had their DNS hacked, and you can't even trust then.

      Worry if the address is something like"

  15. Lexicon

    Closed account was best option.

    Read the email, didn't like the 0 in the server address - verified it was genuine.

    Read the full terms, didn't like the I will have to pay extra% dependant on sellers country.

    Followed the advise on closing my account.

  16. Mage Silver badge


    ALL of their Updates are detected as Spam

    I always go direct to site.

    I'm never much wiser afterwards as PayPal T&C are as clear as Elbonian Mud.

    1. Lexicon


      That's a slur on Elbonian Mud.

  17. Cameron Colley

    I'm another who thought it was a scam.

    But it reminded me to cancel my PayPal account so it's all good.

  18. Anonymous Coward
    Anonymous Coward

    Bankers wankers

    I got an email from Barclaycard with a link to a web promotion. Unsure if it was genuine or fake, I emailed Barclaycard via their website contact page asking if the email was real. Their reply? We can't discuss confidential account information by email, please call us on 0845.....

    I didn't.

  19. mannie_o

    terms and conditions

    It's rare that I can be bothered to read the small print, but I did and para 4.16 (I think) basically said that paypal can't be held responsible for anything they tell you in email, in person or on the phone... I think that's a new record in lack-of-corporate-responsibility, so I cancelled my account.

  20. Richard Porter

    "Hovering their mouse over the link"

    Won't these people ever realise that there is more than one email client and they don't all do the same. If you use a sensible client like Messenger Pro the URL you see is the URL you get. You don't get any html nasties like fetching remote images or executing active content unless you deliberately choose to open an html part in a browser (or follow the link).

  21. Rogerborg

    Wait - it WASN'T spam?

    Who'd have guessed? Well, not me.

    Reminds me of the time that HBOS outsourced their mailshots to a 3rd party bulk mailer with a domain registered to a caravan park. For reals.

  22. Anonymous Coward

    PayPal loves me...

    ... at least according to their pop quiz. Question 4 is "A PayPal email will never contain (a) declarations of love, (b) images, (c) attachments or software".

    Since (c) is the right answer, I have to assume PayPal is planning to send me declarations of love.

  23. Steve 114


    The Wife forwarded hers straight to the Paypal abuse address. She is well trained. No auto-response yet (from Paypal, I mean).

  24. Anonymous Coward

    Paypal Safety Advice

    Paypal's legitimate "safety advice" pages are hosted on a separate domain, Comically some wag has flagged it as a fraud site to amongst others which means Opera at least won't let you see it by default.

  25. Tristan Young

    Just say no

    It's stuff like this which confuses the average non-techie user.

    This is why it's safer just to say no, avoid links contained within email, and thus live a happier life.

    Clicking on web links inside emails is about as beneficial has taking money out of an ATM after midnight - nothing good can come from it, unless you're trying to get wasted, or screwed.

  26. Philip Cohen
    Thumb Down

    eBay/PayPal/Donahoe: Dead Men Walking

    Has no one yet noticed that the eBay Marketplace whale is high and dry on a beach somewhere, has died, and is starting to stink? And then there is PayPal that, some say, has always stunk:

    Draft Media Release re PayPal

    “It is with great sadness that eBay’s Chief Headless Turkey, John Donahoe, announces the probable demise of eBay’s most ugly daughter, PayPal. Donahoe says that PayPal is about to be stricken by particularly virulent strains of Visa+CyberSource and Mastercard Open Platform, and these afflictions are aggravated by PayPal’s insurmountable lack of direct financial institutions support and a great deal of PayPal user dissatisfaction, particularly with respect to PayPal’s grossly unfair, “all responsibility avoiding” user agreement, totally primitive risk management processes, and grossly unprofessional, usually buyer-biased, fraud-facilitating (indeed, non existent) transactions mediation, to name just a few of the problems that PayPal merchants have to endure.

    “Donahoe says that PayPal’s health may therefore be expected to deteriorate and, if ultimately not completely incapacitated, will most likely be eventually confined to its mandatory offering on what little there will, by then, be left of the Donahoe-devastated eBay marketplaces. There is no cure for this condition, and the “eBafia Don” is particularly saddened by the inevitable presumption that it is unlikely that PayPal, will be able to continue to underpin eBay’s sagging bottom line too far into the future.”

    Yes, it’s a send-up but, still, it accurately describes PayPal’s most unprofessional and “clunky” operation. The fact is, had the developers of the original “bankcard” concept ever behaved the way PayPal behaves towards its payees in particular, credit/debit cards may never have gotten off the ground, and we would probably still be paying for all our purchases with bits of paper and little metal discs.

    A detailed examination of and prognosis for PayPal, (including a link to the “PayPal Horror Tour”) at:

    Shill Bidding on eBay: Case Study #4

    This latest study is a measure of eBay’s desperation to replace lost revenue and very effectively demonstrates eBay’s effective aiding and abetting of this criminal shill bidding activity, at

    eBay/PayPal/Donahoe: Dead Men Walking.

  27. Anonymous Coward
    Thumb Up

    Read the email

    If you read the email it also stated that you could type in paypal into your browser's URL address bar. So I read that and typed it in and didn't find anything wrong at all.

This topic is closed for new posts.

Other stories you might like