Intuitive Systems: Leadership for the 21st Century: online strategies and communications

The Business Blog at Intuitive.com

Dave Taylor
Dave Taylor has been involved with the online world since 1980 and is recognized globally as an expert on both technical and business issues. He has been published over a thousand times, launched four Internet-related startup companies, has written twenty business and technical books and holds both an MBA and MS Ed. He's a columnist for the Boulder Daily Camera and Linux Journal and frequently appears in other publications both online and in print. Additionally, Dave maintains four weblogs: The Business Blog at Intuitive.com, Ask Dave Taylor, Dave On Film, and GoFatherhood. Based in beautiful Boulder, Colorado, Dave is an award-winning speaker, sought after conference and workshop participant and frequent guest on radio and podcast programs, as well as active member of his community and busy single father to three children.

Paypal is phishing target #1, but they still email their customers?

Imagine my surprise when one of the many email messages I received from Paypal today turns out to be legitimate! I received the following from "service@paypal.com":

Pursuant to section 326 of the USA PATRIOT Act, the U.S. Department of the Treasury and the Securities and Exchange Commission require PayPal Funds to obtain, verify, and record the following information for each investor in the PayPal Money Market Fund.

A bit hard to believe on the surface -- and I admit that I viewed the source of the message, convinced it was yet another sneaky phishing scam -- but it's a legitimate message. Which absolutely begs the question...

Why on earth is Paypal sending out email telling me to click on a URL and log into my account? Worse, they're not just asking me to validate my account information but also enter my date of birth and tax identification number (read "social security number") on that page too!

I predict that it'll take about 48 hours for phishers to take this very same email message, spoof the landing page, and collect not just Paypal account information but much more valuable and interesting data too, data that makes it incredibly easy to invade Paypal customers' financial records.

I like Paypal, don't misunderstand me. I transact business through their system on a weekly basis and have enjoyed working with the company since before it merged with x.com. But in that entire time I have never seen such a daft move on their part. I mean, come on Paypal, what on earth were you thinking when you approved this email to customers?

Communicating With Customers in a Spammy World

This really makes me think about how spam and related email-based scams, cons and hustles have fundamentally changed how companies interact with their customers. From Wells Fargo to Schwab, Paypal to eBay, if it's a site that requires a login for you to proceed, they can no longer safely send email to their customers. Ever.

And yet, scan your inbox (or your deleted mail archive) and I'll bet that you are still getting email messages from sites like these, sites where it could be embarrassing, or worse, if someone else snuck into your account and played around for a few minutes.

How to deal with this problem? One solution that I'd love is if all of this junk email went away, if setting up and disseminating a phishing message was punishable by severe fines and jail time, and blatant spamming was cause to be permanently banned from the Internet. But that's not going to happen, so the burden therefore must shift to online companies, for them to be cognizant of the risks and thoughtful in the execution of their customer communications strategy.

One simple approach: state in the very first line that "We never embed any URLs in our email. Simply go to our home page and log in." and reiterate that on the initial signup page and each time the customer logs in to the site.

Or, in an ironically Luddite solution, make sure that you collect physical mailing addresses for customers and then mail out postcards or similar when there's critical information to be collected or an important reason for them to log in to the site. Nothing online, nothing to be scammed.

I'm sure that there are plenty of other ways that companies can increase the credibility of their customer communications, and can, if necessary, send out email to customers in a way that instills confidence rather than triggering scam alarms. What would you suggest if you were counsel to Paypal?
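As an added illustration (not code from this post), here is a small Python filter that turns the rules discussed above into checks over a single message: a financial sender should carry no clickable URLs, any link should point at the sender's own domain, and a message that asks for personal data via a link is suspect. The domain list and the sample message are constructed assumptions modelled on the PayPal email quoted earlier.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Senders that, under the "we never embed URLs" policy, should carry no links.
FINANCIAL_DOMAINS = {"paypal.com", "ebay.com", "wellsfargo.com", "schwab.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
GREETING_RE = re.compile(r"dear\s+(\w+\s+)?(customer|member|user)\b", re.I)
SENSITIVE_RE = re.compile(r"social security|tax identification|date of birth", re.I)

def registered_domain(host):  # last two labels: crude, but enough for these samples
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def message_body(msg):
    """First text part, decoded; works for single-part and multipart messages."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, "replace")
    return ""

def flag_message(raw):
    """Return the reasons a message should be treated as a probable phish."""
    msg = message_from_string(raw)
    sender_domain = registered_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    body = message_body(msg)
    urls = URL_RE.findall(body)
    reasons = []
    if sender_domain in FINANCIAL_DOMAINS and urls:
        reasons.append("financial sender embeds clickable URLs")
    for url in urls:
        link_domain = registered_domain(urlparse(url).hostname)
        if link_domain != sender_domain:
            reasons.append(f"link to {link_domain} does not match sender {sender_domain}")
    if GREETING_RE.search(body):
        reasons.append("generic greeting instead of the account holder's name")
    if urls and SENSITIVE_RE.search(body):
        reasons.append("asks for sensitive personal data via a link")
    return reasons

# Constructed sample modelled on the quoted message; the link host is a placeholder.
SAMPLE = """From: "PayPal" <service@paypal.com>
Subject: Verify your Money Market Fund information
Content-Type: text/html; charset=utf-8

<p>Dear PayPal Customer,</p>
<p>Please <a href="http://paypal-verify.example.net/login">log in</a> and confirm
your date of birth and tax identification number.</p>
"""
```

Run `flag_message(SAMPLE)` to see all four rules fire on the sample; a plain personal note from a non-financial sender returns an empty list.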

Posted by Dave Taylor at February 20, 2005 11:54 PM

Comments

I'd have immediately trashed it without reading or checking it out. Whenever I see *any* email from a financial firm asking me to verify anything, I delete it. If I think there's a remote chance it may be legit, I'll go to the site and log on outside of the email link (much like you mentioned).

Very stupid move on Paypal's part...

Posted by: Duffbert on February 21, 2005 8:18 AM

I recommend that no one ever do any shopping, banking, investing, or any other sensitive transaction online.

Besides phishing for funds transfers, there is also identity theft.

Never give any bank, hospital, insurance company, real estate firm, investment fund, or other financial firm your email address. That way, you automatically know any email from them is false.

I say PayPal should send certified mail or similar, to notify customers to visit their web site. But is info from you to the web site sufficiently encrypted?

Do you use encrypted email signatures?

I'm getting a lot of phishing spam, with subject lines like "We need your updated info (acct# 7253887659)" or "RE: Your Code #4J989WQ" or "Pre-Approved Application #VBH2924-454R" etc.

There are typos and bad grammar in subject lines also.

I delete without opening them.

I hear there is a new phishing scam, where people are getting emails supposedly from the FBI telling them they visited some illegal web sites, or they illegally visited some web sites with proper authorization, and they must go to an "FBI web site" to provide info and learn what fines they must pay.

To scare people and get them to provide sensitive information.

And I've gotten lots of phish emails "seemingly from" PayPal, eBay, Amazon.com, and Washington Mutual, when it's crazy, because I have no accounts at any of these services.

Posted by: steven streight aka vaspers the grate on February 24, 2005 1:06 PM

I've been a PayPal member for years, and I have never received that odd "USA PATRIOT ACT" email. Are you certain it was legit? Maybe you were tricked into believing it was a genuine PayPal email. Remember that PayPal will always address you by your real name in the greeting line ("Dear Jane Smith", rather than just say "Dear PayPal Customer"). And they are quite aware of the problem of clicking on links, so they don't ask you to click on a URL link...they advise you to copy and paste it into your browser. Sounds like a scam email to me.

Posted by: Eileen on July 1, 2005 12:45 AM