Is this PayPal/SDMB thing legit or phishing?

[Oslo Ostragoth]

I have a PayPal account that, as far as I can recall, has only been used to pay my SDMB subscription. I got this email:

"So we can continue providing you with your account information electronically please provide your consent to our Electronic Communications Delivery Policy. Log in to your PayPal account and follow the steps below.

Hello xxxxxxxxxxx,

PayPal is updating the way we send you your account information. Please agree to our Electronic Communications Delivery Policy today. This ensures that we can continue providing you with your account information electronically, including transaction receipts, account statements, and annual disclosures."

And so on and so forth.

What's going on here?

[silenus]

It a phish. If you check the url on mouseover, it doesn't go to paypal.com, but e.paypal.com.

Totally bogus. Delete it. Paypal will never contact you by email. They only contact you by message when you log in.

[DMC]

Quote:

Originally Posted by silenus

It a phish. If you check the url on mouseover, it doesn't go to paypal.com, but e.paypal.com.

Are you sure that it is e.paypal.com? If so, that's just a subdomain, so I'm not sure how this particular phishing method would work. If it's something like e-paypal.com, epaypal.com, e.paypal.com.something.com etc., then sure.

[DMC]

By the way, I'll agree that that message smells fairly phishy. I'm just confused on how that would work if the domain is actually what silenus stated.

[silenus]

e-something. I checked it and deleted it because as I noted Paypal never contacts anyone by email. Ever.

[DMC]

Yes, if it is e-paypal.com, that's likely someone phishing. e.paypal.com, on the other hand, should be completely legit.

Oslo Ostragoth, if there are links in the email to "login" or "accept", etc., then probably a phishing attempt. If it just directs you to log onto paypal yourself, without any links to "help" you get there, probably legit.

[runner pat]

Legit or not, you won't get in trouble by going to the site on your own(no link clicking) and login as you usually do.

[psychonaut]

Quote:

Originally Posted by silenus

e-something. I checked it and deleted it because as I noted Paypal never contacts anyone by email. Ever.

I don't know where you got this idea; PayPal contacts people by e-mail all the time for various reasons, such as when they've received a payment.

[johnpost]

if it's legit and you need to do something then when you log on to PayPal it will give you a message saying you need to do something.

[paperbackwriter]

Quote:

Originally Posted by silenus

e-something. I checked it and deleted it because as I noted Paypal never contacts anyone by email. Ever.

BS. Paypal is actually asking for permission to do exactly that. If you're paranoid, instead of following any links in the e-mail, just type www.paypal.com into a new browser window and sign on. Lo and behold, you'll get a request to approve electronic document delivery.

Y'know, so Paypal has your permission to contact you by e-mail. But you don't have to take my word for it:

Quote:

Notices to You. We have modified our disclosures about the notices we send to you in Section 1, which we will now provide to you in a separate disclosure called “Electronic Communications Delivery Policy” which can be accessed by clicking on the Legal Agreements link at the bottom of the PayPal website. This policy describes how we communicate with you electronically, provides additional detail about the Communications we provide to you, and sets out the hardware and software you need to receive these Communications.

[BigT]

It's legit. Go to Paypal.com manually, and they'll ask you the same thing.

BTW, e.paypal.com is their email sending server.

[An Gadaí]

Quote:

Originally Posted by silenus

e-something. I checked it and deleted it because as I noted Paypal never contacts anyone by email. Ever.

Yes they do, all the time.

[Shakester]

Yep, I get emails from PayPal too.

What they don't do is provide links in emails, so any email that asks you to click on a link to log in is bogus. But send emails? Of course they do.

[EvilTOJ]

It's possibly a scam. I got this email too, complete with link to click. Only, I didn't get it to the email address I use with PayPal. When I went to paypal.com and logged in manually, I got;

Quote:

Electronic Communications Delivery Policy (E-Sign Disclosure and Consent)
We'd like to continue providing you information about your account electronically such as through email, web pages, and .pdf files.

In order for us to continue sending you information about your account electronically, please read and accept our Electronic Communications Delivery Policy today.

I have read the Electronic Communications Delivery Policy (E-Sign Disclosure and Consent) and agree that PayPal may provide information to me about my PayPal account electronically. I confirm that I can access and print or save emails, web pages and .pdf files that PayPal sends or otherwise makes available to me.

So it could be legit, or it could be phishers knowing paypal sent out an update and they're playing on that.

[Fear Itself]

Quote:

Originally Posted by Shakester

What they don't do is provide links in emails, so any email that asks you to click on a link to log in is bogus. But send emails? Of course they do.

And they always address you by your PayPal user name, not some ambiguous, "Dear PayPal User:"

[silenus]

I sit corrected.

But this one is a phish, because it's to "Paypal user," not whatever my name is on Paypal. And it's sent to my Hotmail account, which isn't the one I use for Paypal. So I was right that it was bogus, just for the wrong reason.

Just like normal.

[pulykamell]

Quote:

Originally Posted by Shakester;14099820
What they [B

don't[/b] do is provide links in emails, so any email that asks you to click on a link to log in is bogus. But send emails? Of course they do.

Not sure what you mean. All my Paypal receipts and shipment notices have hotlinks in them.

[MeanOldLady]

Quote:

Originally Posted by silenus

I sit corrected.

But this one is a phish, because it's to "Paypal user," not whatever my name is on Paypal. And it's sent to my Hotmail account, which isn't the one I use for Paypal. So I was right that it was bogus, just for the wrong reason.

Just like normal.

Yours was a phish, but I got the same e-mail the OP describes with my name.

Quote:

Originally Posted by Shakester

What they don't do is provide links in emails...

Yes they do.

[Uber_the_Goober]

If you're worried - and you have Chrome as your browser - then when you go to the website just look in the address bar. It says (with a green box around it) the name of the company, and shows that it is indeed a secure connection to the website you actually intended to go to.

Another reason I like Chrome.

[ZipperJJ]

Quote:

Originally Posted by echo6160

If you're worried - and you have Chrome as your browser - then when you go to the website just look in the address bar. It says (with a green box around it) the name of the company, and shows that it is indeed a secure connection to the website you actually intended to go to.

Another reason I like Chrome.

Glad you like Chrome but Firefox 3+ does this, as does IE 8+. As long as the site you're on is a secure site.

[Myglaren]

I recently received an email from PayPal - to the correct email account - reminding me that my card was about to lapse and to register a replacement with them.

I ignored it the first couple of times then logged in to my PayPal account to find that although I had logged my new card with them, upon receipt of it, I hadn't activated it.

Although I was at first suspicious it proved to be quite legit.

[Oslo Ostragoth]

So, I logged in to PayPal and did the thing there. Seems legit.

[simster]

Sounds like there are two versions of this email going around - the legit one, and a phishing one that is pretty much a copy of the legit one except for bad links.

As others have said - legit email or not - you will never hurt yourself by typing in the url and going to paypal directly to check it out.

make it a habit of Never clicking on banking/account related links within email -

[psychonaut]

Quote:

Originally Posted by simster

Sounds like there are two versions of this email going around - the legit one, and a phishing one that is pretty much a copy of the legit one except for bad links.

As others have said - legit email or not - you will never hurt yourself by typing in the url and going to paypal directly to check it out.

Assuming you type it correctly, yeah. I'm sure lots of scammers register domains which are typographically inaccurate renditions of "paypal.com".

[Petek]

I received an email message similar to the one in the OP. I forwarded it to spoof@paypal.com and received the following reply:

Quote:

Thanks for forwarding that suspicious-looking email. You're right - it
was a phishing attempt, and we're working on stopping the fraud. By
reporting the problem, you've made a difference!

Identity thieves try to trick you into revealing your password or other
personal information through phishing emails and fake websites. To learn
more about online safety, click "Security Center" on any PayPal webpage.


Every email counts. When you forward suspicious-looking emails to
spoof@paypal.com, you help keep yourself and others safe from identity
theft.

Your account security is very important to us, so we appreciate your
extra effort.

Thanks,

PayPal

However, when I directly accessed paypal.com and logged in, I also was informed of the need to "consent to our Electronic Communications Delivery Policy."

[Spoons]

Quote:

Originally Posted by simster

Sounds like there are two versions of this email going around - the legit one, and a phishing one that is pretty much a copy of the legit one except for bad links.

I received one of the phishing ones today. I knew it was a phishing one because I don't have a PayPal account, and never did. But there were also a few spelling errors (for example, "Dear Costumer") and awkward-sounding, almost-too-formal phrasing ("If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service") that would have sent up red flags regardless.

I forwarded it to spoof@paypal.com, and hopefully, they can deal with it.