This morning, I tweeted about an email I received from PayPal. 140 characters proved a little short to make my point :)
This is what the email said (Dutch):
Uw creditcard nadert de vervaldatum
Beste Eelke Blok,
Hartelijk dank voor het gebruik maken van PayPal. We willen graag zorg dragen voor een optimale dienstverlening. PayPal wilt u daarom op de hoogte stellen van het feit dat uw creditcard de vervaldatum nadert.
Om van uw PayPal-rekening gebruik te kunnen blijven maken, adviseren wij u om uw creditcardgegevens bij te werken.
Druk op onderstaande knop 'Ga naar PayPal.nl' en log in op uw PayPal-rekening. Ga vervolgens naar het tabblad Profiel en kies 'Kaart toevoegen of verwijderen'.
Ga naar PayPal.nl
Tip: u kunt nu ook probleemloos een bankrekening toevoegen aan uw PayPal-rekening.
Met vriendelijke groet,
In short, it says that my credit card is about to expire (which is true) and asks me to follow a link and update my credit card info. In my tweet, I said this reeks of Phishing.
Now, don't get me wrong, I don't think this actually is a phishing email. The links are actually from genuine PayPal domains.
I do, however, find it pretty irresponsible of PayPal to send around these emails. Basically, everyone who actually understands about Phishing is trying to tell everyone else to never follow any links in an email that is asking you to provide your credit card details, log into your home banking site, or provide any other personal data. And here comes PayPal, acting like all this doesn't actually exist, happily inviting users to click their link.
PayPal, please stop sending emails like this and actually take the opportunity to explain to users that they should go to PayPal manually, and why.
Update 8/9/2010: It might be coincidence, but today I received another email, in English this time, which did not include a link as part of the instructions to update the credit card information (yes, I know, still hadn't done it, but I've only received the new card last week). Instead, the mail told me to go to PayPal and what links to click. Much better!
<blockquote>PayPal, please stop sending emails like this and actually take the opportunity to explain to users that they should go to PayPal manually, and why.</blockquote>
But they <em>did</em> explain:
<blockquote>Om van uw PayPal-rekening gebruik te kunnen blijven maken, adviseren wij u om uw creditcardgegevens bij te werken.
[...] log in op uw PayPal-rekening. Ga vervolgens naar het tabblad Profiel en kies ‘Kaart toevoegen of verwijderen’.</blockquote>
I personally don't think it reeks of phishing at all. I think PayPal also wants to prevent people from getting frustrated because "suddenly, their account stopped working", not realizing they need to manually update their credit card details. I don't think they have much of a choice.
And because it clearly links to an official PayPal domain, there's really no need to worry. People that don't look at the domain before using such a link are pretty easy to attack anyway, so that's not really a reason for PayPal to not send these kind of e-mails.
I don't have a problem with the email in itself and I am happy they reminded me I should update my credit card details. The point is, they ask you to <em>follow a link</em> that's in the email, while part of many anti-phishing strategies is to explain to users they shouldn't do that. Yes, these users should also be explained they should double check the domain when they are on a website where they provide their details, but being suspicious of links in emails is, in my opinion, a healthy first line of defence.
I initially also thought it was phishing. Usually there is a typo in those e-mails and I scan for those. There actually is one in this e-mail:
"PayPal wilt u daarom op de hoogte"
(there is a t too many)
Therefore I would say it does reek like phishing.