It seems I get at least 2 or 3 faked messages a day from PayPal and eBay, which are — ironically, for reasons I will soon explain — the same company. The claims are that my account will be suspended, has been accessed illegally, or might have been compromised, and that I need to provide my login info again to avoid being deactivated.
It seems these problems persist and aren’t being addressed by eBay or PayPal because:
- eBay/PayPal isn’t communicating to users what legitimate communication should look like
- eBay/PayPal uses HTML to communicate, making it easier for impostors to hide fake addresses behind a legitimate-looking link.
- eBay/PayPal has in the past (and maybe still does) allowed their official graphics to be included in email, making it easier for impostors to fake a legitimate-looking email.
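
The hidden-address problem in the second point can be checked mechanically. The following is an added example, not part of the original post and not eBay's or PayPal's code: it parses an HTML mail body and flags links whose visible label shows or names a trusted site while the `href` points somewhere else. The sample HTML and its hosts are constructed, and the trusted list is an assumption built from the two addresses the post names.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Assumption: the two well-known addresses named in the post are the trusted set.
TRUSTED = ("paypal.com", "ebay.com")

# Constructed sample body; the .example host and 192.0.2.10 are placeholders.
SAMPLE_HTML = """
<a href="http://signin.paypal.com.account-check.example/login">https://www.paypal.com/login</a>
<a href="https://www.ebay.com/help">eBay Help</a>
<a href="http://192.0.2.10/ebay/update">Click here to verify your eBay account</a>
"""

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # start collecting the visible label of this link
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_trusted(host):
    # Exact domain or a true subdomain; "paypal.com.evil.example" does not pass.
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def suspicious_links(html):
    """Return (href, label, reason) for links that imitate a trusted site."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        label = text.lower()
        # If the label itself looks like a URL, extract the host it displays.
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", label)
        if m and is_trusted(m.group(1)) and not is_trusted(host):
            findings.append((href, text, "label shows trusted host, link goes elsewhere"))
        elif not is_trusted(host) and any(d.split(".")[0] in label for d in TRUSTED):
            findings.append((href, text, "label names the brand, link goes elsewhere"))
    return findings

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML):
        print(finding)
```
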
What are some fixes:
- only communicate via telephone, postal mail, or by an indirect mechanism such as notifying the user to go to a well-known, constant address such as www.paypal.com or www.ebay.com, log in, and retrieve the communications.
- actually tell users how they are addressing the problem of faked email communication.
Well, this has only been going on for about a year now (as of March 2005). I suspect nothing will be done about it. Ironically, of the three phishing scams I know about (eBay, PayPal, and Washington Mutual), two are attacking the same company, and that same company is not doing anything about either of them.
Other people talking about this:
Update for 2005-Jul-20:
It appears that eBay is communicating as of June 2005 via its ‘My eBay’ portal, but the existence of those messages isn’t communicated via email and they expire, so if you don’t log in for a month, your messages will have disappeared. But it is a good step taken that’s a long time coming.