As somebody who gets more than his fair share of spam (see this post for the gory details), I see several attempts a day to phish my Paypal account details. So a few days ago I was a little disconcerted to see something that met every criterion for being legitimate, telling me that somebody had requested a password change on my Paypal account. There were no fake and hidden URLs, the email came from an IP that belonged to Paypal, it used my full name, etc.
And it said that if this request didn’t come from me, I should go to the Paypal page to get the phone number for their fraud contact people. So I did, using my own login bookmark rather than the URL they gave me, in spite of me not being able to see anything wrong with the URL. In a fit of extra paranoia, I even looked at the security certificate on the site.
After making me step through a bunch of voice mail options relating to phishing rather than password change, I finally got to talk to somebody, who said that a glitch in their system sent out a bunch of these and I have nothing to worry about. Ok, fine, why didn’t you save us all some time and effort and put information about that system glitch on your web site?
Today, I got an email asking me to fill out a survey based on my call to Paypal customer support. The only problem is it came from a domain other than Paypal. I’m sure there are quite legitimate reasons why Paypal/eBay would decide not to run their own survey, but in this day and age there is no way in hell I’m going to give *any* sort of information about my interactions with Paypal to a third party. (Ok, this blog post is giving information about my interactions with Paypal to lots of third parties, but that’s different – this is “push”, not “pull”.) Paypal, if you want to survey me about your customer support, you’re going to have to do it from your own email servers and your own web servers.