Can PayPal tell the difference between emails it sends out and phishing emails from scammers trying to trick users into providing sensitive information?

Looks like the answer is no.

http://www.flickr.com/photos/hitchster/ / CC BY 2.0

Blogger Randy Abrams works for an online security company. His ESET Threat Blog is filled with information about how to avoid hacking, malware, and other such computer security threats. It’s obviously a subject he knows a lot about.

So when he received a legitimate email from PayPal that contained a link to the PayPal login page, he wrote to them. His point was that people in his industry have been warning email users to be wary of emails containing links to banks and other financial institution’s home pages. The landing pages are often spoofed to look like the real site, and when users log in, the scammers have their personal information. So he wanted PayPal to know that it was a bad idea to include the link in their email, because it could be confusing an already confused population.

PayPal wrote back, in part:

Hello Randy Abrams,

Thanks for forwarding that suspicious-looking email. You’re right – it was a phishing attempt, and we’re working on stopping the fraud. By reporting the problem, you’ve made a difference!

There are only a few explanations for how PayPal decided its own email was phishing.

1. It was an automated response, and Randy could have emailed anything to the address he used and gotten the same response.
2. A harried employee sent the wrong email template.
3. PayPal staff can’t tell their own emails from scams.

I’m betting on #1.

But #3 would be funnier.