Rubenerd

By Ruben Schade in s/Singapore/Sydney/. 🌻


Account spam from @PayPal?

Thursday 20 January 2022 Internet

I’m invoking Betteridge’s Law here, because it turns out this email wasn’t as clear-cut as I thought it was. Today’s spam comes from someone purporting to be PayPal. I didn’t alter the text or formatting in any way:

Hello, Ruben Schade

For the safety and security of the PayPal network, we are writing to notify you that we need to collect some additional information from you to continue using your PayPal account.
We need you to please update this by20 March 2022 (+60 days),otherwise the "functionality of your PayPal account will be impacted". It should only take a few minutes to complete. To keep using your account and all its features, please:
- "Log in " to"" your PayPal account.
- Click on the notification icon.
- Update your details.
Forgotten your password? Don't worry – you can reset it in just a few simple steps by following the instructions
here

Note the giveaway signs of this being a phishing attack:

  • Referring to it as the PayPal network

  • Amateurish paragraphs and weird carriage returns, such as in that last line.

  • Incorrect or missing spaces, such as by20 March 2022 (+60 days),otherwise

  • Inconsistent quotation marks, such as "Log in " to""

  • Redundant use of punctuation, such as "functionality of your PayPal account will be impacted"

Except, as you’ve probably guessed by my tone, this email was legitimate. I logged into my PayPal account directly without clicking any links in the email, and sure enough they needed to verify some of my information.

I won’t mince words here. This is bad!

Basic spelling, grammar, and punctuation mistakes are poor form in any corporate communication, but the stakes are so much higher when it comes to financial services, for reasons I’m sure you appreciate.

Phishing attacks broadly exploit three facts:

  1. People don’t look too closely at their email

  2. People implicitly trust email from a company they do business with

  3. People don’t know how to spot fakes

Our collective efforts to train people to protect themselves are undermined the moment a legitimate outfit sends email like this. I cannot stress enough how dangerous this precedent is. We worry about malicious email looking legitimate, but what hope does a layperson have if the reverse is also true?

The potential customer impact is just as frustrating at a personal level. I sent this email to spam, but on a hunch checked my PayPal account just in case. Had I not, my account may have eventually been terminated, and my email provider’s spam filters would have been trained to ignore any further communications. Imagine the consequences if I ran a business through a PayPal account, or had large sums of money sitting in it.

Companies like PayPal have a responsibility to the Internet that made their services possible. They can, should, and must do better, or we will continue to lose this fight against scams.



Ruben Schade is a technical writer and IaaS engineer in Sydney, Australia who refers to himself in the third person in bios. Wait, not BIOS… my brain should be EFI by now.
