Simple, clear instructions will benefit all phish finders.
eWEEK was recently contacted by a reader who, by trying to do a good turn for PayPal (an eBay company), ended up spending several minutes of his time trying to figure out how to report a phishing e-mail message. To the reader, the task of reporting the problem took far too long and was much too complicated.
This is just one more example of the frustration caused by phishing e-mail messages, and one that isn't likely to change much in the near future.
PayPal was injured by the scam in three ways. First, the phishers fraudulently took PayPal's name and masqueraded as a legitimate recipient, and likely succeeded in fooling at least a few unsuspecting users. The second cut was that PayPal incurred insurance costs when the phishers succeeded. And finally, the company churned up unearned ill will on the part of a good Samaritan who felt unnecessarily burdened by PayPal's fraud-reporting system.
Aside from all the weaknesses in the protocol of e-mail usage and the Internet itself (weaknesses that allow phishers to happily go on their expeditions fairly unmolested), the question raised by our reader was, "Why make it so hard to report the problem to the legitimate company?"
To find the answer, I re-created the problem myself.
I get about 20 fraudulent PayPal messages per day in my in-box at work. I purposely don't use any anti-spam tools (aside from the corporate solution provided by our parent company, Ziff Davis Media) because I like to see what spam du jour is being served. After opening one of the fake PayPal messages, I went to the PayPal site and followed the directions for reporting a fake e-mail message.
It turned out that the answer to the question raised by our reader was, "It's not so hard at all." In a couple of minutes, I was done and on my way again.
That said, however, the difference between my experience and the reader's well-documented interaction with PayPal (he sent a full-page e-mail describing his efforts to report the problem) revealed a weakness that I think PayPal could correct.
I followed the on-screen directions at www.paypal.com for reporting a problem. The reader, on the other hand, sent a note to an e-mail address other than firstname.lastname@example.org, which is the correct address to report fake mail messages. The reader used an old-school way of addressing fake e-mail to companies. He got a very polite e-mail back saying that this wasn't the right e-mail address and providing him with detailed instructions.
It turned out the instructions were very good, as long as the sender was a PayPal customer who had actually sent money to a fraudster. These same instructions sent our reader on a bit of a wild-goose chase, which is where PayPal could improve its processes for users reporting fraud. Instead of providing step-by-step directions in response to a query sent to the wrong e-mail address, it would be better to simply send a message saying, "Go to our Web site, click on Report a Problem and make the appropriate report."
Although PayPal is the injured party in this phishing scam, getting over a bad rap requires uncommonly savvy customer service. PayPal could have turned our reader into a walking advertisement for superior customer service. In many cases, it probably does, although the company does not release statistics about reported phishing attempts.
I talked with a PayPal representative about this user's experience and got the company's point of view: Basically, with 86 million accounts worldwide and 1,000 people between PayPal and eBay working on trust and safety, this company tries to err on the side of providing as much information as possible to customers who may have been ripped off.
Be that as it may, there seems to be room for improvement, at least from the point of view of one person who wanted to help and felt trod upon instead.
Labs Technical Director Cameron Sturdevant can be reached at email@example.com.