Dave Taylor has been involved with the online world since 1980 and
is recognized globally as an expert on both technical and business
issues. He has been published over a thousand times, launched four Internet-related
startup companies, has written twenty business and technical books and holds both an MBA and MS Ed.
He's a columnist for the Boulder Daily Camera and
Linux Journal and frequently appears
in other publications both online and in print.
Additionally, Dave maintains four weblogs:
The Business Blog at Intuitive.com,
Ask Dave Taylor,
Dave On Film,
Based in beautiful Boulder, Colorado, Dave is an award-winning speaker, sought-after conference and workshop participant and
frequent guest on radio and podcast programs, as well as an active member of
his community and busy single father to three children.
Paypal is phishing target #1, but they still email their customers?
Imagine my surprise when one of the many email messages I received from Paypal today turns out to be legitimate! I received the following from "firstname.lastname@example.org":
Pursuant to section 326 of the USA PATRIOT Act, the U.S. Department of the
Treasury and the Securities and Exchange Commission require PayPal Funds to
obtain, verify, and record the following information for each investor in
the PayPal Money Market Fund.
A bit hard to believe on the surface -- and I admit that I viewed the source of the message, convinced it was yet another sneaky phishing scam -- but it's a legitimate message. Which absolutely begs the question...
Why on earth is Paypal sending out email telling me to click on a URL and log into my account? Worse, they're not just asking me to validate my account information but also enter my date of birth and tax identification number (read "social security number") on that page too!
I predict that it'll take about 48 hours for phishers to take this very same email message, spoof the landing page, and not just collect Paypal account information but much more valuable and interesting data too, data that makes it incredibly easy to invade Paypal customers' financial data records.
I like Paypal, don't misunderstand me. I transact business through their system on a weekly basis and have enjoyed working with the company since before it merged with x.com. But in that entire time I have never seen such a daft move on their part. I mean, come on Paypal, what on earth were you thinking when you approved this email to customers?
Communicating With Customers in a Spammy World
This really makes me think about how spam and related email-based scams, cons and hustles have fundamentally changed how companies interact with their customers. From Wells Fargo to Schwab, Paypal to eBay, if it's a site that requires a login for you to proceed, they can no longer safely send email to their customers. Ever.
And yet, scan your inbox (or your deleted mail archive) and I'll bet that you are still getting email messages from sites like these, sites where it could be embarrassing, or worse, if someone else snuck into your account and played around for a few minutes.
How to deal with this problem? One solution that I'd love is if all of this junk email went away, if setting up and disseminating a phishing message was punishable by severe fines and jail time, and blatant spamming was cause to be permanently banned from the Internet. But that's not going to happen, so the burden therefore must shift to online companies, for them to be cognizant of the risks and thoughtful in the execution of their customer communications strategy.
One simple approach: state in the very first line that "We never embed any URLs in our email. Simply go to our home page and log in." and reiterate that on the initial signup page and each time the customer logs in to the site.
Or, in an ironically Luddite solution, make sure that you collect physical mailing addresses for customers and then mail out postcards or similar when there's critical information to be collected or an important reason for them to log in to the site. Nothing online, nothing to be scammed.
I'm sure that there are plenty of other ways that companies can increase the credibility of their customer communications, and can, if necessary, send out email to customers in a way that instills confidence rather than triggering scam alarms. What would you suggest if you were counsel to Paypal?
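As an added illustration, not part of the original post or anything Paypal publishes: the three things that make the message above so easy to imitate (an embedded URL, a request to log in, and a request for date of birth or tax identification number) can be checked mechanically before a customer email goes out, and the "we never embed any URLs" policy suggested above becomes a one-line lint. The checker below is example code; the regular expressions, the function names, and the sample messages (addresses under the reserved `.invalid` domain) are all constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message

# Risk indicators taken from the post: a link in the body, wording that asks
# the reader to log in, and a request for sensitive identifiers.
# The patterns themselves are constructed for this example.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")
HREF_RE = re.compile(r"(?i)href\s*=\s*[\"']([^\"']+)[\"']")
LOGIN_RE = re.compile(r"(?i)\b(?:log ?in|sign ?in|verify your account|update your account)\b")
SENSITIVE_RE = re.compile(r"(?i)\b(?:date of birth|social security|tax identification|ssn)\b")


def extract_text(msg: Message) -> str:
    """Concatenate the decoded text/plain and text/html bodies of a message."""
    parts = []
    for part in msg.walk():  # a non-multipart message yields itself
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def find_urls(text: str) -> list:
    """Bare URLs in plain text plus href targets in HTML, de-duplicated."""
    urls = set(URL_RE.findall(text))
    urls.update(HREF_RE.findall(text))
    return sorted(urls)


def analyze(raw_email: str) -> dict:
    """Apply the post's criteria to one RFC 822 message given as a string."""
    text = extract_text(message_from_string(raw_email))
    urls = find_urls(text)
    asks_login = bool(LOGIN_RE.search(text))
    asks_sensitive = bool(SENSITIVE_RE.search(text))
    return {
        "urls": urls,
        "asks_login": asks_login,
        "asks_sensitive": asks_sensitive,
        # The "never embed any URLs" policy: any link at all is a violation.
        "violates_no_url_policy": bool(urls),
        # A link plus a login or data request is the shape phishers copy.
        "phishable": bool(urls) and (asks_login or asks_sensitive),
    }


# Constructed sample messages; the first mimics the structure of the Paypal
# notice described in the post, the second follows the no-URL policy.
RISKY_EMAIL = """\
From: service@example.invalid
To: customer@example.invalid
Subject: Action required: verify your investor information
Content-Type: text/plain; charset=utf-8

We require the following information for each investor in the fund.
Please log in at https://verify.example.invalid/account and enter your
date of birth and tax identification number.
"""

HTML_EMAIL = """\
From: service@example.invalid
To: customer@example.invalid
Subject: Please confirm your details
Content-Type: text/html; charset=utf-8

<p>Please <a href="https://confirm.example.invalid/login">sign in</a> and
confirm your social security number.</p>
"""

COMPLIANT_EMAIL = """\
From: service@example.invalid
To: customer@example.invalid
Subject: Information required for your fund account
Content-Type: text/plain; charset=utf-8

We never embed any URLs in our email. Simply go to our home page and
log in; the notice you need is waiting in your account messages.
"""

if __name__ == "__main__":
    for name, raw in (("risky", RISKY_EMAIL), ("html", HTML_EMAIL), ("compliant", COMPLIANT_EMAIL)):
        print(name, analyze(raw))
```

The compliant message still asks the customer to log in, which is exactly what the post recommends; what keeps it out of the phishable category is that it carries no link to copy, so a spoofed version has nothing to point the reader at except the real home page.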
Posted by Dave Taylor at February 20, 2005 11:54 PM