Paypal Said Phishing Email Is From Them

 

Story is most easily explained by the email I sent to my local MP. I was contacted by the MP's office within 15 minutes and advised that Mr Perrett was horrified by the incident and has referred same to Stephen Conroy...
Dear Mr ####
 
In the interest of protecting the financial security of my fellow Australians I feel compelled to bring this matter to your attention.
 
I spoke with Kate from your office today who suggested I email details of my complaint to you.
 
I have found that most people I have spoken to about this incident have a hard time understanding its significance probably because it is quite simply very hard to believe. For that reason I will start with an analogy...What PayPal has done is equivalent to my bank manager telling me it is safe to give my bank card and PIN to a criminal.
 
I received what was very obviously a phishing email that purported to be from PayPal saying that I needed to click a link in that email and update my details such as my bank account number, my credit card number and my personal details.
 
Rather than clicking on the link I visited the PayPal site where they have a web form to submit suspicious emails.
 
I received a reply from PayPal saying that the email was NOT a fake and confirming that PayPal did indeed send the email.
 
The hypertext in the link showed the PayPal domain on a secure server but the actual site being linked to was a non-secure server and rather than being a PayPal domain was simply an IP address.
 
I responded to PayPal asking them to explain how any customer could possibly authenticate an email as valid if it is linking to an IP address that not only has no connection to PayPal but a reverse IP lookup on the IP shows the owner of the address has used a 'privacy protect' filter to hide their details.
 
Rather than providing an explanation to my question they responded by saying the original email was fake...the response that I should have received in the first instance.
 
I rang to speak with PayPal and was advised initially that they have no record of their first response stating the email was genuine...which suggests to me that somebody at PayPal might have tried to delete this email to cover their tracks.
 
I asked to speak to a supervisor who came on the line after I was on hold for 10 minutes and advised that she had been able to recover their original email and advised me that this "might" have been an automated reply.
 
I have not suffered any personal loss as I can recognize a scam email when I see one but my concern is that the vast majority of people, even those who are cautious with online scams, would have gone ahead and entered their details into this fraudulent spoofed site after receiving confirmation directly from PayPal that the email was genuine.
 
Had this incident happened to my father, not only would his entire life savings have been stolen but he would almost certainly have had his identity stolen as well.
 
I have reported this matter to Therese Dupe, Assistant Director of Compliance and Enforcement at the ACCC. Like me, she was dumbfounded by this incident. She has advised that the ACCC will investigate the matter but I will be unlikely to hear back from them as the outcome of the investigation will remain confidential.
 
I find it unacceptable that a company can show what may be criminal negligence towards the financial security of their customers yet retain the privilege of having any investigation into the matter remain confidential.
 
I write to you as my local member to take up this matter not only on my behalf but on the behalf of all Australians and indeed the entire world to ensure that PayPal provides a full and public explanation of how this incredible breach of security occurred and for you to advocate on behalf of the Australian public that PayPal put in place fail safe systems and protocols to ensure an event like this can never happen again.
 
I have a full paper trail of emails and my notes from conversations but I have not included this as the initial scam email will most likely get blocked by government spam filters.
 
Regards
 
Daryl
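The tell-tale sign in the email above is that the link's visible text showed a PayPal address on a secure server while the real target was a plain-http bare IP address. The following is an added example (not part of the original post and not PayPal's code) that pulls every anchor out of an HTML email body and flags exactly that kind of mismatch; the sample email and its 203.0.113.7 target are constructed placeholders, not the address from the real message.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# A domain name in the visible anchor text, with or without a scheme in front.
_SHOWN_HOST = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html, trusted_domain):
    """Return [(href, text, reasons)] for anchors whose real target looks deceptive."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        reasons = []
        if _IPV4.fullmatch(host):
            reasons.append("target is a bare IP address")
        if target.scheme == "http":
            reasons.append("target is plain http, not https")
        if host != trusted_domain and not host.endswith("." + trusted_domain):
            reasons.append(f"target host {host!r} is not under {trusted_domain}")
        shown = _SHOWN_HOST.search(text)  # what the reader sees as the link
        if shown and shown.group(1).lower() != host:
            reasons.append(f"text shows {shown.group(1)} but link goes to {host or href}")
        if reasons:
            findings.append((href, text, reasons))
    return findings
# Constructed sample modelled on the email described above (not the real message).
SAMPLE_EMAIL = (
    '<p>Please <a href="http://203.0.113.7/update">https://www.paypal.com/</a> '
    "to update your details.</p>"
    '<p>Help: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>'
)
```

Running `audit_links(SAMPLE_EMAIL, "paypal.com")` reports only the first link, with all four reasons, while the genuine help link passes; the same check is what a mail gateway or a human reviewer should apply before telling a customer a message is legitimate.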
