Account spam from @PayPal?
I’m invoking Betteridge’s Law here, because it turns out this email wasn’t as clear-cut as I thought it was. Today’s spam comes from someone purporting to be PayPal. I didn’t alter the text or formatting in any way:
Hello, Ruben Schade
For the safety and security of the PayPal network, we are writing to notify you that we need to collect some additional information from you to continue using your PayPal account.
We need you to please update this by20 March 2022 (+60 days),otherwise the "functionality of your PayPal account will be impacted". It should only take a few minutes to complete. To keep using your account and all its features, please:
- "Log in " to"" your PayPal account.
- Click on the notification icon.
- Update your details.
Forgotten your password? Don't worry – you can reset it in just a few simple steps by following the instructions
here
Note the giveaway signs of this being a phishing attack:
- Referring to it as the PayPal network
- Amateurish paragraphs and weird carriage returns, such as in that last line.
- Incorrect or missing spaces, such as by20 March 2022 (+60 days),otherwise
- Inconsistent quotation marks, such as "Log in " to""
- Redundant use of punctuation, such as "functionality of your PayPal account will be impacted"
Except, as you’ve probably guessed by my tone, this email was legitimate. I logged into my PayPal account directly without clicking any links in the email, and sure enough they needed to verify some of my information.
I won’t mince words here. This is bad!
Basic spelling, grammar, and punctuation mistakes are poor form in any corporate communication, but the stakes are so much higher when it comes to financial services, for reasons I’m sure you appreciate.
Phishing attacks broadly exploit three facts:
- People don’t look too closely at their email
- People implicitly trust email from a company they do business with
- People don’t know how to spot fakes
Our collective efforts to train people to protect themselves are undermined the moment a legitimate outfit sends email like this. I cannot stress how dangerous this precedent is. We worry about malicious email looking legitimate, but what hope does a layperson have if the reverse is also true?
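To make that concrete, here is an added example (not from the post, and not PayPal's or any mail filter's real logic): a few regex heuristics for the giveaway signs listed above, run over the quoted email body, which is embedded as constructed sample input. Every category fires on the legitimate message, which is exactly the problem.

```python
import re

# Sample input, constructed from the email quoted in the post.
EMAIL_BODY = """Hello, Ruben Schade
For the safety and security of the PayPal network, we are writing to notify you that we need to collect some additional information from you to continue using your PayPal account.
We need you to please update this by20 March 2022 (+60 days),otherwise the "functionality of your PayPal account will be impacted". It should only take a few minutes to complete. To keep using your account and all its features, please:
- "Log in " to"" your PayPal account.
- Click on the notification icon.
- Update your details.
Forgotten your password? Don't worry – you can reset it in just a few simple steps by following the instructions
here
"""

# Each heuristic returns the offending snippets it found (empty list = clean).
CHECKS = {
    # a digit glued to a preceding lowercase word ("by20"), or a comma/paren
    # with no space before the next word ("),otherwise")
    "missing_space": lambda t: re.findall(r"[a-z]\d+|[,)](?=[A-Za-z])", t),
    # a quoted phrase with a space just inside the closing quote, or an empty "" pair;
    # the [^"\n] class keeps the match on one line so quotes on different lines don't pair up
    "odd_quotes": lambda t: re.findall(r'"[^"\n]*\s"|""', t),
    # a line consisting of a single short word, i.e. a sentence split by a stray line break
    "dangling_line": lambda t: [ln for ln in t.splitlines() if re.fullmatch(r"\w{1,6}", ln.strip())],
    # the brand described as a "network" rather than as the service itself
    "brand_phrasing": lambda t: re.findall(r"PayPal network", t),
}


def anomaly_report(text):
    """Run every heuristic and return {check_name: [snippets]} for the ones that fired."""
    found = {}
    for name, check in CHECKS.items():
        hits = check(text)
        if hits:
            found[name] = hits
    return found


def score(text):
    """Number of distinct heuristic categories that fired; higher reads as 'more phishy'."""
    return len(anomaly_report(text))


if __name__ == "__main__":
    for name, hits in anomaly_report(EMAIL_BODY).items():
        print(f"{name}: {hits}")
    print("score:", score(EMAIL_BODY))
```

A scorer like this is only ever a prompt to verify through a channel you already trust, such as logging in directly, and the post shows why: the genuine mail scores as badly as a fake would.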
The potential customer impact is just as frustrating at a personal level. I sent this email to spam, but on a hunch checked my PayPal account just in case. Had I not, my account may have eventually been terminated, and my email provider’s spam filters would have been trained to ignore any further communications. Imagine the consequences if I ran a business through a PayPal account, or had large sums of money sitting in it.
Companies like PayPal have a responsibility to the Internet that made their services possible. They can, should, and must do better, or we will continue to lose this fight against scams.