Can PayPal tell the difference between emails it sends out and phishing emails from scammers trying to trick users into providing sensitive information?

Looks like the answer is no.

http://www.flickr.com/photos/hitchster/ / CC BY 2.0

Blogger Randy Abrams works for an online security company. His ESET Threat Blog is filled with information about how to avoid hacking, malware, and other such computer security threats. It’s obviously a subject he knows a lot about.

So when he received a legitimate email from PayPal that contained a link to the PayPal login page, he wrote to them. His point was that people in his industry have been warning email users to be wary of emails containing links to banks and other financial institution’s home pages. The landing pages are often spoofed to look like the real site, and when users log in, the scammers have their personal information. So he wanted PayPal to know that it was a bad idea to include the link in their email, because it could be confusing an already confused population.

PayPal wrote back, in part:

Hello Randy Abrams,

Thanks for forwarding that suspicious-looking email. You’re right – it was a phishing attempt, and we’re working on stopping the fraud. By reporting the problem, you’ve made a difference!

There are only a few explanations for how PayPal decided its own email was phishing.

1. It was an automated response, and Randy could have emailed anything to the address he used and gotten the same response.
2. A harried employee sent the wrong email template.
3. PayPal staff can’t tell their own emails from scams.

I’m betting on #1.

But #3 would be funnier.

I have an email address that I never use. It’s on a few Web pages, but I’ve never used it to create any accounts or as a contact address for anything at any time. In fact, I pretty much only check it these days to see what entertaining spam might appear.

This arrived in my inbox yesterday:

Below is the result of your feedback form.  It was submitted by
(Account.Update.@msnn.com) on Wednesday, December 9, 2009 at 09:59:45
-----------------------------------------------------------------------
: We Here at MSN, are sorry to inform you that we are having problem's
with the billing information on your account.(XBOX Live, MSN Hotmail, Verizon,)
We would appreciate it if you would go to our website and fill out the
proper information that we  need to keep you as an
MSN  member.

Please Update your account information by visiting our updates web site
below.

<a href="http://members.lycos.co.uk/verizoncellphone/msnlive"> verizon updates</a>

Steve.
Updates Center
Account Team.
.550268889550268889

Seemed like a run of the mill phishing  email, complete with weird punctuation,  random use of uppercase letters, and a  ‘close but no cigar’ From address  — Account.Update@msnn.com. Anyone with a half a clue would see that extra N and know it was fake, right?

The failed attempt to embed the link in the body of the email is pretty funny too — I mean, even if somebody didn’t catch on that this was bogus before they saw that, they’d know that Verizon would not use a lycos.co.uk domain, right? Right?

Of course, I went to the site. Here’s what it looks like. Note the misspellings, and the sheer gall of these people to ask for two credit card numbers, a state ID (driver’s license?) number, social security number, mother’s maiden name, bank account numbers, email address and password…

It saddens me that somebody somewhere has probably lost a lot of money because of this.

Update: I reported this site to Lycos Tripod yesterday, and when I checked it today they had already taken it down.