Feeds

PayPal mistakes own email for phishing attack

'You're right, it does look suspicious'

Beginner's guide to SSL certificates

Banks and financial institutions are fond of lecturing customers about the perils of phishing emails, the bogus messages that attempt to trick marks into handing over their login credentials to fraudulent sites. Yet many undo this good work by sending out emails themselves that invite users to click on a link and log into their account rather than going a safer route and telling users to use bookmarked versions of their site.

The problems of the former approach are neatly illustrated by a blog posting by Randy Abrams, a former Microsoft staffer who is now director of technical education at anti-virus firm Eset. Abrams complained about the inclusion of a link in an email from PayPal as it looked rather too much like a phishing email.

PayPal support staffers responded not by noting that Abrams may have a point, which it would consider, but by treating its own email - which it acknowledged was "suspicious-looking" - as a phishing attack.

"Not even PayPal support can tell the difference between a legitimate PayPal email and a phishing attack," Abrams notes.

PayPal is one of the most phished brands on the internet, a back-handed tribute to the eBay subsidiary's success in the online payment market, so it would do well to listen to Abrams' advice not to include links to login pages in genuine communiques. Many banks make exactly the same security faux pas, as many Reg correspondents over the years will attest, and also need to revise their procedures. ®

Internet Security Threat Report 2014

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The hidden costs of self-signed SSL certificates
Exploring the true TCO for self-signed SSL certificates, including a side-by-side comparison of a self-signed architecture versus working with a third-party SSL vendor.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.