One Good Turn Deserves Better

Opinion: Reporting phishing e-mails to vendors like PayPal can get complicated.

eWEEK was recently contacted by a reader who, by trying to do a good turn for PayPal, an eBay Inc. company, ended up spending several minutes of his time trying to figure out how to report a phishing e-mail fraud.

To the reader, the task of reporting the problem took far too long and was much too complicated.

This is just one more example of the frustration of e-mail phishing messages, and one that isnt likely to change much in the near future.

/zimages/5/28571.gifA leak of e-mail addresses from PayPal gives rise to phishing worries. Click here to read more.

PayPal was triply injured by the phishers: first, when they fraudulently took PayPals name and masqueraded as a legitimate recipient—likely succeeding at times; second, when PayPal likely incurred insurance costs when the phishers succeeded; and third, by churning up some unearned ill-will on the part of a good Samaritan who felt unnecessarily burdened by PayPals fraud-reporting system.

Aside from all the weaknesses in the e-mail protocol and the Internet—weaknesses that allow phishers to happily go on their expeditions fairly unmolested—the question raised by our reader was, "Why make it so hard to report the problem to the legitimate company?"

To find the answer, I re-created the problem case myself.

I get about 20 fraudulent PayPal messages per day in my inbox at work. I purposely dont use any anti-spam tools aside from the corporate solution provided by my company, Ziff Davis Media, because I like to see what spam du jour is being served.

After opening one of these fake PayPal messages, I went to the PayPal site and followed the directions for reporting a fake e-mail message.

It turned out that the answer to the question raised by our reader was, "Its not so hard at all." In a couple of minutes, I was done and I was on my way.

The difference between my experience and the readers well-documented interaction with PayPal—a full page e-mail describing his efforts to report the problem—revealed a weakness that I think PayPal could correct.

Whereas I followed the on-screen directions at for reporting a problem, the reader sent a note to an e-mail address other than, which is the correct address to use to report fake mail messages.

/zimages/5/28571.gifMicrosoft backports its IE 7 phishing filter to IE 6. Read more here.

Instead, the reader sent a note to fraud at paypal dot com (because this is an incorrect URL, I dont want to spell it out), which is not the right place, but is an old-school way of reporting fake e-mail to companies. The reader got a very polite e-mail back saying that this wasnt the right e-mail address and providing him with detailed instructions.

It turned out the instructions were very good, but were designed for PayPal customers who had sent money to a fraudster. These instructions sent our Good Samaritan on a bit of a wild goose chase.

This is where PayPal could improve its fake e-mail reporting process. Instead of providing step-by-step directions in response to a query sent to fraud at paypal dot com, it likely would be better to simply send a message saying, "Go to our Web site, click on Report a Problem, and make the appropriate report."

Even though PayPal is the injured party in this phishing scam, getting over the bad rap requires uncommonly savvy customer service. PayPal could have turned our Good Samaritan into a walking advertisement for superior customer service. In many cases it probably does, although numbers about fraud reports are not released by the company.

eWEEK talked with PayPal about this users experience and got the companys point of view. Basically, with 86 million accounts worldwide and 1,000 people between PayPal and eBay working on trust and safety, PayPal tries to err on the side of providing as much information as possible to customers who may have been ripped off.

Be that as it may, there seems to be room for improvement, at least from the point of view of one good person who wanted to help and felt trod on instead.

eWEEK Labs Technical Director Cameron Sturdevant can be reached at

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.