PayPal persists in sending phishing-friendly emails

PayPal is still sending out customer emails with embedded logon links. When will they get a clue?

In the past week I've received three email messages from PayPal, and I'm ready to chew nails.

The messages included multiple hot links, with persuasive marketing drivel urging me to click on the links and log on to my account. In fact, in all respects they were just like high-quality phishing emails with the single exception that the links go to the and websites.

I've been chiding PayPal for years about their phishing-lookalike emails. They've taught an entire generation of online banking customers that it's OK to log on to financially sensitive accounts using links sent in email messages. Apparently the extra income PayPal derives from hotlinked email messages trumps the need to educate consumers. As a result, you and your users are at risk from following the precise behavior PayPal endorses -- indeed, encourages -- in its own spam, er, marketing email campaigns.

You know how financial phishing attacks work: A phisher sends out tons of messages with links to a bogus site. The messages appear to come from a well-known financial institution (such as PayPal). They appear to link to a well-known financial institution (such as, well, you get the idea). When the phishee clicks on the link and thinks he's logging in to the financial site, in fact he's logging in to the bogus site. The bogus site gleefully collects the logon ID and password, and it's all downhill from there.

The ploy works. One of the reasons why it works so well? Financial institutions such as PayPal keep inundating their customers with messages that look and act precisely like phishing messages. As Ted Samson noted last week in Tech Watch, spam's hit a five-year low, down 70 percent over the past year, but phishing's in its heyday. Thank you, PayPal.

Adding injury to insult, PayPal is now sending out email messages containing embedded hot links with a "special offer" to shop at a drugstore site. The offer's only good, according to the message, if you "receive an email from PayPal inviting you to participate in the Offer." There's no indication anywhere in the message that you can take advantage of the offer by directly logging in to either PayPal or the drugstore site. There's no encouragement to type or into your browser's address bar. But there's plenty of verbiage and compelling graphics to encouraging a click-through logon: The recipient gets another Pavlovian prodding to engage in highly dubious, risky behavior. Thank you again, PayPal.

PayPal's been barraged with complaints about these phish-alike messages. The official response: "Thank you for bringing this email to our attention. We can confirm that PayPal sent this email. We apologize for any confusion this may have caused. To keep members informed of our products and services, PayPal occasionally sends emails to account holders. General Notification emails and Payment Notification emails are activated by default."

Actually, PayPal's email marketing team is starting to look more and more like spammers in expensive suits -- to borrow Cringely's phrase -- and their scummy techniques are rapidly becoming indistinguishable from phishing.

The phishers are getting better. I recently received a phishing message that appeared to come from a respected financial institution, where every single link in the message was valid -- the links all went to the institution's Web page -- except for the one highlighted link near the top of the message. Before the site was identified as malicious, clicking on that link would take you to a page that was pixel-for-pixel identical to the financial organization's login page. Ka-ching.

PayPal isn't the only offender, of course. Some banks still send hot-linked messages, and I know of at least one brokerage firm that puts its advertising cart before the security horse. But PayPal's a lightning rod, to me. It should know better. With $27.4 billion transferred electronically in the first quarter of this year and a 38 percent increase in corporate business over last year, PayPal's an old hand at the online financial game, both for individuals and for companies. PayPal and its parent eBay spend millions -- probably tens of millions -- every year cleaning up the havoc phishers create. Instead of taking a stand with its own advertising and leading the industry by example, PayPal's going for the quick buck.

At what point is PayPal legally liable for the actions it ingrains in its customers?

This story, "PayPal persists in sending phishing-friendly emails," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2011 IDG Communications, Inc.

How to choose a low-code development platform