In the January 28 issue of AuctionBytes Newsflash, I wrote about PayPal Payment Wizard for Outlook ("eBay's PayPal Service Makes It Easy to Ask for Money via Email" http://www.auctionbytes.com/cab/abn/y04/m01/i27/s02). The tool allows sellers to include a PayPal button in emails and is free to use.
Several readers wrote with concerns about security. "So now, instead of getting phony emails looking like they came from PayPal, we can expect phony emails, complete with an html link to who knows what bogus look-alike site? I don't generally mind clicking a button from a secured web page.... but from an email?"
The concern arises because, for years, scammers have been employing a tactic known as "phishing": sending hoax emails that appear to come from PayPal but in reality are attempts to steal the recipient's identity. Ironically, in the same issue I had included a link to a site that explained a Microsoft Internet Explorer vulnerability that hoax-emailers may try to exploit (http://netsquirrel.com/spoof): with it, scammers can mask the address bar of Internet Explorer.
I asked PayPal spokesperson Amanda Pires whether users should be concerned about using the PayPal Payment Wizard tool, considering all the hoax emails sent by identity thieves. Pires explained that scammers cannot spoof https:// URLs, and users should always look for the "s" in the https:// part of the URL when using PayPal. She added, "PayPal recommends when using our site to always open up a new browser and type in https://www.paypal.com to log onto PayPal."
Interestingly, the Washington Post reported on February 2 that Microsoft's latest patch fixes the vulnerability in Explorer that allowed scammers to hide the identity of a site in the address bar (http://www.washingtonpost.com/wp-dyn/articles/A6331-2004Feb2.html).
So what's the bottom line? PayPal has gotten good about not sending out emails with links to sign-in pages, in order to get people out of the habit of clicking on links in email. But now it is enabling an army of its users to do just that. Even sophisticated users who are aware of hoaxes find it difficult to keep up with scammers. It seems the best advice remains: never click on a link in an email to log in to a site. Always go to your browser and type the name of the site in manually.