Same subject, different angle. I am amazed that when I go to vendors' websites and go through the usual to and fro between PayPal pages and the vendor's pages that nothing of the following kind happens: 1. Automatic logout 2. A message to say "you are still logged in". I always visit www.paypal.com after a transaction on a third-party website and log myself out - some people might be surprised to find that, as a result of a transaction on a third-party website, they remain logged in to PayPal, then perhaps if they are in a public place they go and get a coffee.
Hi. As an ex-software developer with a keen interest in security I am rarely tempted by bogus emails. I did however note a scarily good email which included my PayPal email address and my full name; it only asked me to click on a link to view new legal conditions on my account, so it did not ask for sensitive information. It even had the cheek to include a section "how do I know this is not a spoof" and repeated the advice given by the PayPal employee above - i.e. we will use your proper name rather than "Dear PayPal User". Clearly the scammers are reading this forum (after all they can get a PayPal account just like you or me) and they are taking on board the information given here. As an IT guy I knew just to hover my mouse over the links to see in my browser what domain they led to, and decided against trusting a domain which starts epi.paypal-communications.com. I also inspected the source code of the email. It seems to me that PayPal need to make an official statement as to what domain names it will include in any legitimate email. For instance you could say: Our emails will always refer you back to a subpage of our domain; all website addresses will begin www.paypal.com/. We will never use a subdomain, i.e. www.epl.paypal.com. We will never use domains such as paypal-communications.com. Etc. etc. I would reiterate this email did not ask me to supply information; it simply wanted me to click on a link to read something. This would have doubtless confirmed to the scammers that they had hit a genuine PayPal account holder and that their follow-up scams might work. I don't feel you have gone far enough here Siobhan and I think my relatives who are not IT professionals could have been duped. I am myself still unsure whether it's genuine or a very good scam but I will not be following those links. To quote Siobhan: "When using PayPal, always ensure that the URL address listed at the top of the browser displays as https://www.paypal.com. The 's' in 'https' means the website is secure."
My reaction: By the time the person has followed the link in order to see whether or not they see the secure HTTPS, it means that they have already gone TOO FAR, because they have just told the scammer that they indeed do have a PAYPAL account and that the name and email were correct for the account. I will gladly construct a webpage to show you how I could use website domain registration information, guess that it might be the same email address that the person uses for their PayPal account, send them an email with a "click on this link" and encode their email into the URL, so when they click on the link my code will log the event, telling me that in all probability this person, whose name I know from the website registration, is actually a PayPal account holder and they are using the same email address for their PayPal account. It's not enough to hack because I do not know their password but it's a **bleep** good start. Most email readers will show what page you will be transported to IF you choose to click on the link (the text is not reliable as the displayed address does not have to be the same as the address you will be transported to). The time for checking is before people click. I would like to see a clear statement from PayPal about what domains you use in emails for links. Hopefully you would never use a domain like www.paypal-communications.com. If this is correct then say so - tell us what domains you would ever use in an email. It's no good telling people about the full name stuff - I own a website and it's registered to me; any fool can get my full name if they know my website - just go to www.whois.com. As a 20-year IT veteran it troubles me to see such naivety from PayPal staff. The only really secure way to deal with this is to never provide any kind of link in an email; always communicate by insisting that the user logs into www.paypal.com, and we should then be asked to read all messages there.
I have never clicked on any links in emails from PayPal other than during my initial account opening (just the confirmation email). I always tap www.paypal.com letter by letter into my browser - unless you tell me when I log in of any legal or other news I need to know, then you will not be able to successfully communicate with me. The most you should ever send in an email is a message saying please log in to your PayPal account (but not with a link) to read updated legal terms or whatever it is you want to say. The advice should say: "Do not click on any links in this email; we always ask you to navigate yourself to www.paypal.com." If you must include links in emails then always from the domain www.paypal.com. Please get this straight and then, as a corporation, make the required statement to all users about what links and domains may or may not be included in emails from you. I dearly hope that www.paypal-communications is not a domain name that you genuinely own or that you would ever include in any email sent to users. I repeat again: it's too late by the time the person has gone to a website page, because if it is bogus they have just told the scammer that they got the details correct. Just think of unsubscribe emails - they encode your email address and details in the URL - it's so easy to tell who it is who just clicked on the link if you gave it to them. I repeat, it is easy to get a long list of genuine emails and names; just focus on people who own websites. Please get security experts in to deal with information and policy and then make a definitive statement about PayPal's domains - tell us which domains you will use in email links so we can make an informed decision before we even click.
Sorry, but I am not impressed. I feel that PayPal knows that the solution is to state publicly: We will never include any links in any of our emails - always navigate to www.paypal.com yourself, either by typing (safest) or browser bookmarks (not as safe - but then again if someone has hacked your bookmarks they have probably hacked your browser). But I am cynical that the reasons for not asking users to do this are to do with not wanting to lose customers who are too impatient to type www.paypal.com. Interested to hear your reactions....
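The checks the poster describes doing by hand (reading the real link target rather than its displayed text, refusing anything outside a published domain allowlist, and noticing an email address encoded into a tracking URL) can be automated as a mail-side audit. This is an added example, not code from the post or from PayPal; the allowlist, the sample email and the lookalike domain it contains are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the registrable domains an organisation says it will link to.
TRUSTED_DOMAINS = {"paypal.com"}

def host_is_trusted(host: str) -> bool:
    """True only if host is a trusted domain or a subdomain of one.
    Lookalikes such as paypal-communications.com or paypal.com.evil.example fail."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML email."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html: str) -> list[dict]:
    """Flag links whose real host is outside the allowlist, whose visible text names
    a different host than the href, or whose URL carries an email address."""
    parser = LinkExtractor()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        # Only treat the anchor text as a host claim if it actually looks like one.
        shown = re.match(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", text)
        report.append({
            "href": href,
            "trusted": urlparse(href).scheme == "https" and host_is_trusted(host),
            "text_mismatch": bool(shown) and shown.group(1).lower() != host,
            "carries_email": bool(re.search(r"[\w.+-]+(@|%40)[\w-]+\.\w+", href)),
        })
    return report

# Constructed sample: one lookalike tracking link with an encoded address, one genuine link.
SAMPLE_EMAIL = """<p>Dear John Smith,</p>
<a href="https://epi.paypal-communications.com/view?u=john%40example.com">https://www.paypal.com/legal</a>
<a href="https://www.paypal.com/myaccount">Log in</a>"""
```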