I regularly receive emails that appear to be legitimate PayPal mailshots (they use my full name), but all links go to epl.paypal-community.com, including ones that explicitly say in the display text that they go to paypal.com. This usually is a clear warning sign. Yet PayPal, in its advice on how to spot phishing emails, suggests trusting it, because my full name is used, or because the email does not directly ask for account details. This is really bad. It does not account for the fact that I could have been specifically targeted by someone who knows my name (or got my name and email address from a different source, not difficult, really). The sound advice should be never to open any links that (when hovering over them) reveal that they go to a different address than they claim to go to. Even just clicking a link can be used for a Cross Site Request Forgery attack, and harm can be done regardless of whether I then enter my password or not. Either these emails are fake, which would mean somebody regularly sends me "PayPal" mailshots with my real name in them, in which case following the PayPal advice is counter-productive, or these emails are indeed from PayPal and they deliberately advise you to trust them, because it is convenient for them to track responses to emails through paypal-communication.com, rather than using the trusted paypal.com domain. Either way I think this is really bad. I would really expect the leading provider of internet payments for millions of ordinary users to take the lead in having the highest standards in terms of links used in email campaigns and the respective advice given.