I’ve recently got fed up going round and round in circles with PayPal trying to get them to admit that their own emails are not actually phishing scams!
Yes, you read that right. The problem is that PayPal’s own email campaigns encourage users to click on links to domains that look to the suspicious eye like a phishing scam. PayPal’s own spoof detection service identifies these emails as “likely fraudulent” and if you contact PayPal directly, they’ll repeatedly deny all knowledge of the domains in question being their own.
Let’s have a look into this sorry story…
Firstly, here’s the start of a typical example email, sent to me on March 3rd from “PayPal@mail.paypal.co.uk”:
Unlike normal phishing emails, this email addresses me by my full name and is literate. The problem comes if you assess the target domain of the “Log In Now” button. Here’s the tooltip:
Destination address “epl.paypal-communication.com” looks suspiciously like a typical phishing domain. Any security-aware user ought not to click on such a link. I don’t particularly want to be visiting a site that for all I know might be serving up ransomware via an exploit kit!
I had a look online and found discussion at https://www.paypal-community.com/ which included references to this target domain with users asking after it because they were suspicious. Here’s what one user said:
And another:
And a third:
And the response from the PayPal moderator? (Details hidden to save the blushes.)
I decided to dig around a bit. A WHOIS on the domain said it is registered to PayPal (via a company called MarkMonitor who protect brands):
Then I looked at the SSL certificate of the domain:
That is an Extended Validation SSL certificate issued by DigiCert to PayPal.
At this point I was sure it had to be legitimate and so contacted PayPal support and told them the story so far. In my message I included the following:
On the assumption that this is indeed genuine, can I suggest that perhaps you ensure that all emails you send with links in, go only to paypal.com or paypal.co.uk?! Otherwise, you’re making it very difficult for users to tell what is legitimate and what is not.
For my trouble I got a standard automated reply with general educational info on phishing emails and the comment, “If we haven’t answered your question, please reply to this email and our team will answer you as soon as possible”.
If they’d bothered to read my email properly they’d have known I had gone beyond that stage. This sort of automated response irrespective of what you’ve said – especially since you have to reply to it to even get a human response – is the ideal way to frustrate your customers!
I also forwarded the email to their spoof detection service (in my case spoof@paypal.co.uk). Here’s the reply I got:
Unbelievable! And how indecisive is “likely fraudulent” anyway?! I tested the actual link in the email by running Chrome inside Sandboxie for added safety. It redirected to paypal.com which suggests all is well. Replying to the automated support email, I gave them the newer information and the verdict of their spoof service and asked them to look into it. I got the following response. I’ve just shown the start as you’ll get the idea…
Feeling increasingly exasperated, I emailed back and said that either the domain was legitimately theirs, or DigiCert had issued an EV SSL certificate in their name to a third party, “which would be a major security issue and absolutely catastrophic for their business too!”. I encouraged them to escalate it.
The reply asked for me to forward them the email:
I tried to cut a corner as I’d deleted the email by then:
Please can you simply clarify whether a link to https://epl.paypal-communication.com is a valid destination address to have in an email from PayPal. There is every sign that it is (the domain appears to be registered to PayPal!) …
The response was, shall we say, “frustrating”:
I emailed straight back:
I have not said I received an email saying there is suspicious activity in my account. You too have now said that the email is not from PayPal. In that case, please can you explain why the link it asks me to log in to is at a domain formally registered to PayPal and with a PayPal SSL certificate on it?
Needless to say, every single message was from a different person – no attempt to take ownership of a problem and run with it.
I eventually got a phone call and was passed from person to person three times. Everyone sounded quite interested in and intrigued by the story and the technical details. I’m sure one of them said they were basically told to deny any domain that did not end in paypal.com or paypal.co.uk, but he was clearly struggling to deny the domain I was telling him about! I was told I would hear back. I left the phone call feeling happier that this would be escalated to someone in the know. A few days later I prodded them for an update and told them I’d had another similar email. I finally got a new reply in my PayPal message centre. It took things to a whole new level of ridiculousness:
That last sentence shows how much I’ve been wasting my time. How can they possibly say a subdomain of paypal.co.uk is not theirs? I first decided to prove that that domain could receive email:
As we will see in a minute, the result was quite instructive. If you also do a SmartWHOIS to find who is responsible for the IP block that the epl.paypal-communication.com domain is on, you get the following:
“Epsilon Data Management” owns the IP block and, judging by the Mail Exchanger record name, runs the mail server, which is presumably the explanation for the “epl.” at the start of the domain name that set this hunt off. So, who are Epsilon Data Management? Here’s part of what their website says they do:
This all sounds very like the sort of emails that contain these links!
I’d sent one more email to PayPal which included this rebuttal to their latest claim:
I’ve confirmed that there is a DNS MX Record for domain “mail.paypal.co.uk” which shows it is a legitimate domain that can receive email. Also, since it is a child domain of paypal.co.uk, it MUST by definition belong to the same owners as “paypal.co.uk”! So how can you say it does not belong to PayPal?
I got one more message from PayPal before I gave up in disgust:
After some more hunting around the PayPal site, I found one more thing of interest – on PayPal’s “List of Third Parties (other than PayPal Customers) with Whom Personal Information May be Shared” page:
Quote: “To execute outbound communication campaigns including but not limited to email and push notifications.”
The story doesn’t end here. I tried taking it to Twitter and sending Direct Messages to @AskPayPal (PayPal Support). I gave a very brief version of the case and at their request sent a screenshot of one of the emails – with the tooltip link visible. I also sent a screenshot of the SSL certificate. I got a much more positive response:
I provided some more info, including about Epsilon. I got another reply:
And the next response, which unfortunately was from someone else?
I managed not to die of frustration when told to forward it to the spoof service again. But then, there was a final bit of acceptance:
And that’s where it ends. …
And this is a company I’m entrusting with access to my money? The left hand doesn’t seem to know what the right hand is doing – in fact, it just denies all knowledge of its existence despite all evidence to the contrary. That coupled with the generally poor support experience leaves me … shall we say … “not overly-enamoured” of PayPal now.
The Twitter chat had closed with the following.
I couldn’t bring myself to click on it…
Update – June 2017
The last couple of emails I’ve received from PayPal have still contained the same domain in the Login links, but at least their Spoof service is no longer reporting them as being likely fraudulent. Their current educational information about spotting phishing attacks encourages you to see if they address you by name. I’ve received plenty of phishing emails that know my full name, and one piece of spam knew my full postal address too! Their educational info also lists various things their emails won’t ask you to do or type in. They do also encourage you to log in directly via their site, but it would be far better if they included no login button in their mass emails at all!
Update – October 2023
I had an email from PayPal today with the subject “Spot email scams with these quick tips”. It included the following amongst its criteria for detecting phishing emails:
“URLs that looks deceptive and inauthentic to PayPal”
Having picked myself up off the floor laughing, I checked the links in the email. They’re now going via click.emails.paypal.com.
Not sure how long they’ve been finally using their own domain but I guess late is better than never haha!!!
francoisbeaussier said:
Hi,
I got the same email and was puzzled. I forwarded it to spoof@paypal.com an hour ago.
Did some extra research and came across your post, I feel your pain.
Thanks for the summary 🙂
cantoris said:
Thanks, Francois. I wonder when/if their Spoof Service will stop giving false positives…!
Vito said:
I’ll simply forward any Paypal mail to spoof@paypal.com.
Unbelievable they send mails containing a non-Paypal URL.
Even more unbelievable that they claim their usage of your personal name in the mails is a good indicator for a non-spam mail.
Karen Stephan said:
I had been asking the same question since I received the first of those PayPal e-mails last year. It’s EXTREMELY irritating. These E-mails are asking us to do exactly what PP is telling us all the time NOT to do. At this point, I just toss them all in the trash.
cantoris said:
Thanks Karen. I see their emails now just say to check that the email addresses you by your full name! I’ve actually seen [non-Paypal] malicious spam that even had someone’s home address in…
Anonymous said:
“Access your account statements quickly and easily. Log in to your account and select the monthly statement you’d like to view.” The email looked legit and had a “View Statement” link. I clicked on it not thinking twice honestly. It opened up a new tab and immediately closed the new tab. That’s when I smelled phish but it was too late. I moused over the “View Statement” link and it took me to epl.paypal-communications 😦
Anonymous said:
I landed on this post after I received the same e-mail containing links to paypal-communications.com.
It contained my full name etc, so it seems really legit.
Paypal’s reaction is unbelievable. I immediately closed my paypal account after this.
Anonymous said:
Great read, I just received the same email and couldn’t believe they would include a link that wasn’t on the paypal main domain. They could even just set up a subdomain redirect…
Daniel Schaf said:
Wow, I received an e-mail using “https://epl.paypal-communication.com/” as well today.
All links in the e-mail contained a 100 character long string with only one character difference between different links. This made different links like “About”, “Help” or “Contact” all look like they point to the same target. Even worse, the link “www.paypal.de/phishing” did not point to “www.paypal.de/phishing”, but to “https://epl.paypal-communication.com/T/sdf09sf8sd908dfgdfghdg13/dddd9343nkae0354/…” as well!
This is just so wrong in so many ways 😦
Anonymous said:
I’m currently researching clearly malicious phishing e-mails which contain links to….
hxxps://image.paypal-communication.com/paypal_na/2014/20131210_Templates_22725/img_spacer.gif
The e-mails are actually targeting Bank of America customers, and the text of the e-mails don’t mention PayPal at all. The domain is still probably controlled by PayPal, but phishers ARE using it maliciously, which just makes this whole thing that much more convoluted. Ugh.
Michael said:
Well done for the work you put into this. The situation you describe is intolerable. I am sitting here wondering three things:
1. Is Paypal in contravention of the UK Data Protection Act by issuing my personal information to a third party for marketing purposes? I daresay Paypal will point to their terms of service but that doesn’t cut any ice whatsoever in this jurisdiction; if a practice contravenes the DPA it’s unlawful.
2. How can we publicise this so that the maximum number of people hear about it and understand the real risk here which is that ordinary people are effectively being encouraged to break the good habit of clicking on links in an email which doesn’t even come from the service provider they have trusted?
3. Do I trust Paypal any longer? I’m really not sure about that. I have used them for years and until today I did trust them but I am seriously weighing up this is a bad enough slip on their part to merit me closing my account. I need to think that one through very carefully.
Meanwhile I have logged in to my cPanel and set up a filter for any mail coming from a sender with an address containing epl.paypal-communications. The filter does the following:
(a) forwards the email to spoof@paypal.com
(b) redirects the message to my ISP’s spam address
(c) returns the email with the message “F*** O**” (without the asterisks)
Anonymous said:
Brilliant piece of analysis. Excellent work – thank you for your time and insight.
My concern is I get these emails but don’t have any relationship with Paypal (currently or in the past).
The email knows my name and the login points me to epl.paypal-communication.com, but I haven’t clicked it as like you I was worried it was phishing scam.
When going to paypal.co.uk and then trying to sign in with my same email address via the forgotten route (as I did wonder maybe someone had registered me in Paypal), it says “There’s no account associated with this email address. Try another email address or create a new account.”
Are they perhaps encouraging people to visit Paypal and join up? I’m now even less keen to do so if that was the marketing strategy…
Stevko said:
Maybe someone should write to DigiCert so that they revoke epl.paypal-communication.com certificate as PayPal says it is not theirs. It may move things forward.
Michael said:
Good idea. If I knew who to write to and how to word the communication I would do it myself… and the UK Information Commissioner’s Office (https://ico.org.uk/)
cantoris said:
I wonder if they’d still say that even now…?
Michael said:
Maybe we should just congratulate ourselves that we have clocked this shoddy practice by a big organisation, recognise that business ethics are gradually disintegrating, and move on?
[Memo to self: continue paying subscription for own domain name and high quality email hosting to enable rapid unequivocal response to emails from undesirable sources]
nvsoft said:
Very good analysis. Thank you for your time spent on this. Clearly PayPal is playing games and I’m glad you got to the bottom of this. Saves me going thru the same exercise :).
Colin Main said:
I’d like to suggest a policy of registering all such emails as Spam / Junk with your ISP – particularly if you use Google, Outlook or one of the other big providers.
If enough people do it, it will start to hurt Paypal and they might just realise they need to move their working practices into the 21st century.
Incidentally, I hope people adopt this approach for other companies who, in breach of the DPA, add email addresses to Spam lists without the recipient’s consent. (One, who I explicitly refused to give an email address to because I did not want spam *guessed* at my email address and started spamming that!)
Jacob said:
If you want to know if a PayPal message is legit or not, see if it passed DMARC authentication. In Gmail, click the message pull-down, then “Show original”. If the From address is paypal.com, paypal.co.uk or a sub-domain of one of those, and it says DMARC: Pass, the message is a legit message from PayPal. PayPal has a DMARC reject policy for paypal.com and paypal.co.uk, so if you use Gmail, any message with a paypal.com or paypal.co.uk From address that fails DMARC authentication will be blocked or put in the spam folder.
PayPal messages, including the ones sent from partners like Epsilon Data Management, will normally pass DMARC authentication. Though today I got a legit statement notification email from Epsilon that didn’t have a DKIM signature, and failed DMARC authentication.
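Jacob’s DMARC check and the rules argued for earlier on this page (the post’s request that PayPal links go only to paypal.com or paypal.co.uk, and Daniel’s observation that the visible link text can claim one host while the href goes to another) can be combined into a single automated check over a raw message. The Python below is an added example written for this page, not code from the post’s author or from PayPal; the sample email, its Authentication-Results header values and the tracking paths are constructed placeholders.

```python
"""Check a marketing email against the rules argued for on this page: From domain and
links on an official PayPal domain, link text matching its href, and a DMARC pass.
Added example for this page; not PayPal's or the post author's tooling."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# The post asks PayPal to link only to these; a host equal to one of them or a
# subdomain of one (e.g. mail.paypal.co.uk, as the post notes) counts as official.
OFFICIAL_DOMAINS = ("paypal.com", "paypal.co.uk")

# Link text that itself looks like a hostname or URL (Daniel's "www.paypal.de/phishing"
# case); group 1 is the hostname the user is shown.
HOSTLIKE_TEXT = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?$", re.I)


def is_official(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML part."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def dmarc_result(msg) -> str:
    """Return the dmarc= verdict the receiving MTA stamped into Authentication-Results
    (RFC 8601), or 'none' if no verdict is present (as in Jacob's unsigned example)."""
    for header in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bdmarc=(\w+)", str(header), re.I)
        if m:
            return m.group(1).lower()
    return "none"


def analyse(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    addrs = msg["From"].addresses if msg["From"] else ()
    from_domain = addrs[0].domain.lower() if addrs else ""
    html_part = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    if html_part is not None:
        collector.feed(html_part.get_content())
    off_domain, mismatched = [], []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if not is_official(host):
            off_domain.append(href)
        shown = HOSTLIKE_TEXT.match(text)
        if shown and shown.group(1).lower() != host:
            mismatched.append((text, href))
    dmarc = dmarc_result(msg)
    return {
        "from_domain": from_domain,
        "from_official": is_official(from_domain),
        "dmarc": dmarc,
        "off_domain_links": off_domain,
        "mismatched_links": mismatched,
        # A DMARC pass only shows PayPal (or its mailing partner) really sent it;
        # the page's point is that the links must still stay on the official domain.
        "passes_policy": is_official(from_domain) and dmarc == "pass"
        and not off_domain and not mismatched,
    }


# Constructed sample modelled on the emails discussed on this page; the
# Authentication-Results values and tracking paths are placeholders.
SAMPLE_EMAIL = b"""\
From: PayPal <PayPal@mail.paypal.co.uk>
Subject: Your monthly statement is ready
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail.paypal.co.uk;
 dkim=pass header.d=paypal.co.uk; dmarc=pass (p=REJECT) header.from=mail.paypal.co.uk
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<a href="https://epl.paypal-communication.com/T/TRACKING-PLACEHOLDER-1">Log In Now</a>
<a href="https://www.paypal.com/uk/help">Help</a>
<a href="https://epl.paypal-communication.com/T/TRACKING-PLACEHOLDER-2">www.paypal.de/phishing</a>
</body></html>
"""
```

Run `analyse(SAMPLE_EMAIL)` to see the verdict: the sender passes DMARC and sits under paypal.co.uk, yet the message still fails policy because two links leave the official domains and one of them shows a paypal.de hostname as its text.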
Predrag said:
What an awesome post to share our pain!
fearless said:
Done the same thing ages ago, forwarded the paypal email to them as I thought it looked dodgy/phishing attempt. Just got back the canned response. Now I send those paypal emails to the trash automatically, just to be sure.
HighestExcitement said:
Hey Cantoris. I’ve shared this blog post on reddit, since I’ve experienced similar events.
Here’s a link: https://www.reddit.com/r/netsec/comments/79mmv2/paypals_emails_encourage_dangerous_habits/
cantoris said:
Many thanks! At least PayPal have stopped telling me their own emails are spoofed LOL.
galfodo said:
Hi! I’ve been equally annoyed with this myself. Googled it today and came across this excellent post. I’ll do what Michael does. If enough people report these, perhaps they’ll take it seriously.
.sS.! said:
I have direct contact there, you can reach out to me on twitter.
gmail.com signup said:
Excellent web site. A lot of helpful information here.
I’m sending it to a few buddies and also sharing in delicious.
And naturally, thank you in your effort!
cantoris said:
Thanks 😀
fabiomalf said:
Thank you, really an in-depth digging into the paradox.
Pantai Air manis said:
There’s certainly a lot to know about this topic.
I like all the points you’ve made.
0815 said:
What about the idea to have a rule to forward these emails automatically to spoof@paypal.com?
If everyone does it, it might make more of a point? maybe not.
philipplutz said:
Haha, this really is hilarious, I’ve also received an e-mail from this suspicious epl.paypal-communication.com domain and found your blog-post and enjoyed reading it 😉
If I hadn’t found your in-depth research I probably would have done it myself and wasted a lot of time, so I’d like to thank you very much for saving me precious time!
Hugo said:
Thanks for the research, I was already starting to do the lookups and check the SSL cert (wasting my time). Paypal marketing are showing themselves to be quite incompetent with regards to security best practices.
Gabe said:
Seems the efforts to mark these as illegitimate are gaining traction. I just found PayPal’s ‘Annual Error Resolution Notice’ email that contains epl.paypal-communication.com links already sorted into spam (gmail). Perhaps they will wake up and take notice.
Derek Kerton said:
Nice. Their stupid support contacts can only see the email as one of two things: Fraudulent or not fraudulent.
They are incapable of seeing it for what it is: a fraudulent-looking – but not fraudulent – email from paypal, through one of their partner companies.
Thus, you can achieve nothing but confuse them, as they treat YOU like the idiot, and they flip-flop their analysis between fraud/not-fraud.
I got the message, and wasted 10 minutes on them. Shame on them for this sloppy email, which has been going on for some time, and thanks for trying to fix them.
VR said:
Malwarebytes is now blocking the link, reading it as malicious. As soon as I open any of these Paypal e-mails- the one with the “Error Resolution Notice” and the various “monthly statements”- I get a notification from MB about the blocking. False positive, perhaps, or maybe a result of complaints. It’s so sketchy, but it doesn’t make sense for it to not be Paypal, seeing the Paypal.com domain in the sender’s address. This post made me chuckle a bit, but the frustration and lack of confidence re: Paypal because of the e-mails is so serious and real.
Rob said:
My situation is slightly different. I’ve had a PayPal account for many years under a certain email address. Like most people, I have multiple email addresses I use for different things. I recently have gotten several of these emails from “mail.paypal.com” or “service@paypal.com” with links pointing to “https://epl.paypal-communication.com/” followed by a long string of characters. The first email said “Welcome to PayPal. Please confirm your email.” I don’t have this email address connected in any way to my account. So I sent it right off to spoof@paypal.com. Got the typical “we’re looking into it” form letter and a case number. Nothing after that. Then I got another that said “All you need to do now is add a payment method.” Now I’m really noticing. I never confirmed the first email. So I sent this one with full headers to spoof again. Got another form letter and another case number. I wrote long explanations on both. AND, I signed into my REAL account and contacted customer service there explaining in detail, giving that other email that I never signed up under. Got the typical form letter and nothing since. Just today I got another really trying to get me to “log into your account” and with a link that has the https://epl.paypal-communication.com/ address again. These emails smell but they are addressed to my real name and to my other real account. I found this blog by searching for more information on this problem. Thanks for all the research you’ve done. I figure if I don’t click the link and give whoever my only active CC#, they can’t bill me for this. We’ll see what happens!!
Michael said:
If you are sure that the strange emails are addressed to just one of your addresses and it’s not the address registered with paypal can you log into your email provider and set up a “bounce” or a “black hole” so that any future emails originating from epl.paypal… never reach you?
And scan your device with something reliable too.
Rob said:
I could just mark it as spam and I’d never see them again. My concern is that someone or something has successfully opened up a PayPal account using one of my long time main email addresses and that my full name is indeed connected to it and that eventually I’ll be charged with things bought through it. With all of the breaches of information the past several years, it’s quite possible that email address has been seen, bought, and now used even though I’ve used a security service to check the dark web and that address was not found there. Doesn’t mean it’s not out there. My issue is the total lack of response and help from PayPal after contacting them. I got one form letter and then nothing since. No updates, no responses at all. That’s not the way to run a major corporation’s customer service!
Am Y (@heyammy) said:
Wow, this is so unbelievable! Thank you for taking the time to document this ridiculous fiasco. I always knew Paypal was a cr*p company and try my best not to use it, but some small merchants accept only Paypal as their payment option. I got an email just only that had a promotional link pointing to the same “epl.paypal-communication.com” URL you mention in this post, which my AVG proceeded to block and warn me about, saying it was a “malware threat”. Obviously no one in the company knows what is going on and/or can be bothered to find out. They probably don’t know who to ask anyway I guess.
Gadi said:
Very good read! Thank you for taking the effort on behalf of everyone who is researching this issue. Starting from today my AVG Web Shield is detecting these sorts of emails as phishing. The notification popup from AVG reads:
“We’ve safely aborted connection on epl.paypal-communication.com because it was infected with URL: Phishing”
These notifications are now starting to show up every time I open such an email in my browser. I don’t have the guts to click on any links after being warned about phishing by AVG.
The bottom line: it’s very hard to understand how such a huge American company, which should be famous for superb customer service, ends up being famous for useless customer service. And this is a company that we are keeping our capital with. What a corrupt corporation they have become!!! Shame on you PayPal.
Piotr B. said:
Great article, great reporter’s investigation – we thank you for that!
The story was horrifying, but (as in good movie) – the end was simply overwhelming – I had a great laugh:
“we invite you to provide feedback (…) paypal-customerfeedback.com (…)”
Again – great job – I hope you also feel it wasn’t completely fruitless and you made a difference – if not to PayPal, then to its customers.
Cheers!
cantoris said:
Thanks. I’m glad you enjoyed it. The feedback thing really was the rancid icing on the cake!
areimunde said:
Yesterday I received an email like those mentioned here that was overly suspicious. Not only did I not click on it (since it breaks all the rules that I pass on to my clients as an MSP specialised in security and an OpenDNS service provider), but I also did some research (I collaborate with OpenDNS as a domain tagging moderator and PhishTank volunteer) when I noticed that the certificate was legitimate. I then ran the domain through whois as well and started to notice all the contradictions you mentioned so well.
All this before finding this blog article… heheheh. Well, I can tell you Avast Pro was blocking all attempts to navigate to https://epl.paypal-communication.com URLs, not only from emails but from the web browser as well. Shame on PayPal marketing tools…
To make the point clear: it does not matter whether the URL has a valid certificate and the webpage is legitimate:
A user should not click on the email link in the first place if the destination URL is not the official one (or click on view this email on-line if the URL is not the official one)…
A user should not click on a button on a webpage to login to a service when the URL link is not the official one (even if afterwards he gets redirected to the legitimate one)…
Mainly because most users are not technical enough to be able to confirm the legitimacy of the URL beforehand. Second, because nowadays it is very easy to get infected by a drive-by malformed webpage if the PC is not highly protected (even an up-to-date antivirus is not enough, especially for 0-day infections), and even then you still have a chance of infection unless you use a sandbox.
Even more, making users get used to this type of marketing, where they tell you to click on a link that is not the official one, is making those users prone to future phishing attacks or drive-by infections.
The problem is that many companies’ management nowadays give their marketing departments far too much power to take operational decisions which should be discussed with IT departments, and especially with the security specialists in those IT departments, on the basis that commercial efforts are the most important thing in a company, since with no new customers there is no growth, which seems to be their only objective in the short term. I’ve been there (as IT Manager opposing some of those decisions).
Hiring non-technical, low-paid agents (who clearly know nothing about email security or phishing) to handle mail responses to spoof@paypal.com in a company that handles millions of internet sales transactions is a very bad idea, and I’m sure many people are thinking about stopping their use of PayPal because of this… this too is a policy followed by many companies nowadays. Curiously, all the importance they supposedly give to their image does not apply here, since letting those agents and canned messages be their facade to the public is, IMHO, a big mistake. Anyone with a discerning mind and a bit of technical knowledge gets exasperated with those clearly canned responses and poor explanations.
In an age where most large illegal groups (read mafias as well) are venturing into cyber crime, when phishing emails are so common, and when many of those phishing emails are designed and used to infect with malware (trojan horses mostly) that then downloads ransomware and infects thousands of computers worldwide, or downloads backdoors to control those same PCs as DDoS attack bots, etc., we must follow strict email policies to protect ourselves and the companies we work for. This is something we cannot afford to avoid.
In my opinion PayPal is breaking all reasonable anti-phishing policies with those emails. I will block all those emails in the companies I work for as an IT MSP, mainly because it is against the email policies I try to enforce in those companies to avoid infections with ransomware and other malware.
cantoris said:
Many thanks for this, Areimunde. I don’t blame you for blocking them entirely in the circumstances. Have you seen Microsoft’s latest “feature” in Outlook.com where it uses a link-scanning service to scan email links when you click on them. Unfortunately it means you can’t now hover over a link and see its destination – unless you can pick out the embedded real URL as a parameter along with chunks of hexadecimal codes for some of the characters….! I’ve already told Microsoft what I think of this! 🙂
areimunde said:
I do block domains at the DNS level for the most part, through the OpenDNS Enterprise service (now Cisco Umbrella Enterprise). Besides, most of my clients use Google Apps for Business (now G Suite) or older/local Outlook versions with Exchange. In the case of Exchange, you can block emails through content filters as well. Same with Google Apps, though it is a bit more difficult to do it company-wide.
Thank you for the tip though, since I may need to deal with Outlook.com in the future.
JoWazzoo said:
Heimdal also blocks it. I too just wasted an hour of my life on what is total BS CAUSED by Paypal. Grrrr….
Anna said:
Weird thing is I received this email this morning to an address I’ve never used on Paypal. I got interested because it had my name and looked literate. Also the links looked genuine compared to the same email on my genuine account. I’ve double checked my paypal account and the email isn’t on there.
I never click on these emails so I’m not concerned in that sense. But I’m wondering how on earth paypal got hold of my yahoo address. I’ve never used yahoo for ebay or paypal, I’ve used my old ISP domain which has been defunct for about 4 years and since then my own domain. I’ve always had a specific ebay/paypal email address they share, that address is not used for anything else.
Weird.
PS Thanks for all the info and research.
Ronald said:
Thank you so much for sorting this out. Exactly the same experiences: frequent mails, even to an email address that has never been used in relation to Paypal. Have been searching for over a year how to stop the mailflow, but now it’s clear. My suspicion began when I could not find a list of the ‘safe’ email extensions on Paypal’s website.
Alex said:
I received a paypal offer from eps.paypal-communication.com. I’m normally very careful but clicked the activate now link. This took me to paypal where I logged in and couldn’t find any mention of this offer (buy now pay in 14 days). Is my personal information or my card information in danger from this source? I have changed my account password but do I need to cancel the cards and is there malware involved?
Alex said:
Edit previous, should read epl.paypal, not eps.paypal
cantoris said:
I would never click a login link to Paypal or a bank from an email – ever. Always best to type the known hostname manually. Just because the email was “from” the EPL domain, doesn’t mean it actually was genuinely from there, nor that the link you clicked took you to the real PayPal. Your degree of concern is a decision for you. I would certainly be keeping a very close eye on my PayPal and linked card accounts. I would also be making sure as you suggested that my PC was clean of malware – scan it with multiple free scanners such as MalwareBytes and some of the “online” scanners available from the major AV companies.
Paul said:
Thanks for your work on this!
I’ve just been through the pain of interactions with customer care agents claiming these emails are likely fraudulent.
I’ve sent one (“Activate Return Shipping On us”) to the spoof@paypal address but I guess won’t hear anything back. I’ve asked why they sent me this when my marketing preferences state I don’t want this junk.
Cisco Systems’ SpamCop service analysis shows the promoted website to be part of epsilon.com, who do marketing for PayPal:
© 2018 Cisco Systems, Inc. All rights reserved.
Parsing input: https://epl.paypal-communication.com
No recent reports, no history available
Host epl.paypal-communication.com (checking ip) = 159.127.187.100
Routing details for 159.127.187.100
[refresh/show] Cached whois for 159.127.187.100 : rich.fu@epsilon.com
Michelle said:
it’s going to get even weirder now… Paypal changed their credit provider this week, so now these emails are also going out with Comenity’s name on them asking users to update their Paypal credit applications.
cantoris said:
Oh great… here we go again!
Hanc said:
Well… *FIVE* messages to PayPal later and an email sent to Epsilon’s team…
Thank you for getting back to us about the marketing emails that you are receiving.
I carefully reviewed your account and I can see here that the partner marketing notification is still ON to your account. I personally apologized for the inconvenience that this has caused you.
I have already opt it out for you. Rest assured that you will no longer received any Marketing email notification from us.
I am glad I was able to resolved your query today.
Thank you for choosing PayPal.
The “partner marketing notification” is NOT a setting I see in my account preferences, so I’m glad THEY have switched it OFF!!!
I also emailed 3 Epsilon contact email addresses I found, plus I tried their (privacy policy advertised) DPOfficer AT epsilon.com address, but I did get an undeliverable bounce for the DPOfficer!!
cantoris said:
LOL the further you dig, the greater the incompetence!
Hanc said:
But MAYBE a result lol
I know many businesses offshore their contact centres. It is a good thing in general, but when a consumer asks non-standard questions or keeps pushing, the script does not cover all eventualities!
I’m glad we SEEM to have got the answer from PayPal.
What will be interesting is the response from Epsilon. As far as I am concerned, the above does not in any way absolve their business from their responsibilities in European, UK and US data protection and privacy law… and I know the ICO, and they know me pretty well 😉
Hennie said:
I asked Paypal about this setting and their response is it does not exist. Most likely the person that replied to Hanc was talking about the setting Notifications-MarketingPreferences-Offers, as that one is about Partner offers.
My guess is you will keep receiving these emails as always.
NC Admin said:
Microsoft does this too, just saying. Pretty freekin’ unbelievable.
I just sent them this:
I don’t have an account under this email address so that is the first red flag. I’ve never received an email from Paypal on this email address before so flag number 2.
I have to gripe about this:
Paypal says:
“We also commission third party domain addresses using the format paypal-xxxx.tld, which attempts to keep PayPal at the front of the hyphen (unlike the first example). But this format isn’t exclusive to PayPal, as anybody can purchase a domain name and add “-paypal.com” to make it seem legitimate.”
Why would PayPal commission third party domains and not stick to format?
In my opinion, that’s a faux pas. PayPal is making it easy for scammers by doing that.
All websites/emails should be “paypal.com,” period. That’s just my advice. Do what you will with it.
No one will ever be sure that these domains/links are yours or not. I couldn’t find a list of all the domains that Paypal owns so kind of ridiculous.
Whois says it’s yours but under some other company’s control or something to that effect.
Don’t feel bad, Microsoft does it too. Two of the biggest companies making a mistake like that. Unbelievable.
Sorry guys. I’m sure I’m preaching to the choir and will probably receive your standard phishing email back.
If this does reach someone who is human, here is some interesting reading on the same.
https://cantoriscomputing.wordpress.com/2017/03/04/paypals-emails-encourage-dangerous-habits/
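The rule the commenters keep coming back to (only trust links whose registrable domain is exactly paypal.com or paypal.co.uk, and treat anything else containing “paypal” as the paypal-xxxx.tld pattern to be wary of) can be applied mechanically to a mail body. The following Python checker is an added example and is not code from this post, from PayPal or from Epsilon; the allowlist, the minimal co.uk suffix handling and the sample mail body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist from the discussion: paypal.com (plus paypal.co.uk, per the post).
TRUSTED_REGISTRABLE = {"paypal.com", "paypal.co.uk"}
# Assumption: a real deployment would use the Public Suffix List; here only
# the two-label suffix this page mentions is handled.
TWO_LABEL_SUFFIXES = {"co.uk"}


def registrable_domain(host):
    """eTLD+1 of a hostname: 'epl.paypal-communication.com' -> 'paypal-communication.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class _LinkExtractor(HTMLParser):
    """Collect every <a href=...> target in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def classify_links(html):
    """Map each href to 'trusted' (allowlisted registrable domain),
    'lookalike' (brand name inside an unlisted registrable domain, i.e. the
    paypal-xxxx.tld pattern) or 'other' (no brand name in the registrable domain)."""
    parser = _LinkExtractor()
    parser.feed(html)
    verdicts = {}
    for href in parser.hrefs:
        reg = registrable_domain(urlsplit(href).hostname or "")
        if reg in TRUSTED_REGISTRABLE:
            verdicts[href] = "trusted"
        elif "paypal" in reg:
            verdicts[href] = "lookalike"
        else:
            verdicts[href] = "other"
    return verdicts


# Constructed sample body modelled on the links discussed above (not a real mail).
SAMPLE_EMAIL = """<p>Dear Customer,</p>
<a href="https://epl.paypal-communication.com/track?id=1">Log In Now</a>
<a href="https://www.paypal.co.uk/uk/help">Help</a>
<a href="https://paypal.com.login-secure.example/">Verify</a>"""
```

Note that the third sample link puts the brand name in a subdomain rather than the registrable domain, so a naive substring check on the whole hostname would misjudge it; only the allowlist match is a positive signal.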
cantoris said:
Good luck with getting a response! My latest pet hate is Microsoft hiding destination URLs in Outlook behind some spoof-checking service. Makes it much harder to verify the safety of a link by hovering over it and I don’t trust MS’s service to be accurate all the time!
Glenn Winters said:
Just WOW, over 16 months of this problem, and it’s STILL NOT RESOLVED! Unbelievable.
Jan Vlug said:
I reported the email also to PayPal, and they confirmed that the email was not from them. I just provided them a link to this page.
Jacques Cartier said:
Thanks for the great write-up. I received an email like this today, and I was torn as to whether it was legit or not. Looked better than most phishing attempts (grammatically correct), had my full name, etc… but I wasn’t 100% certain. The one thing that was throwing me (other than the non-paypal.com domain) was the header “Confirm your info.” It just looked a bit off style-wise compared to the rest of the email.
After reading through your post, I’m pretty sure the email is legit, but I feel your pain with respect to dealing with nothing but idiots throughout the process of trying to get to the bottom of things.
Personally, I think you should remove the redactions of the names of everyone you spoke with. Maybe these fools will either be fired or at least held to a higher standard of correct information in the future.
I agree that the whole experience fails to instill much confidence in a financial organization.
sigh.
Jacques Cartier said:
Incidentally, I logged into PayPal today, and there was a memo at the top of the page telling me to confirm my info. Details matched those in the email. Long story short: The email was legit in this case, but PayPal still apparently is a case of the left hand not knowing what the right is doing.
Chris said:
Wow… I just came across this page after receiving a notification from PayPal today and thought for sure the message was a spoof. I can’t believe that this has gone on for this long. I worked as a Microsoft Exchange admin for 7 years. I can tell you that I have never seen a company like PayPal have practices this bad. If they are utilizing a 3rd party mailer service to send mass emails then that is fine. But I have never seen clickable links that don’t go back to the company’s actual primary domain. This is SPAM 101 and leaves customers with no way to conclusively determine that this email is legit. I simply navigated to paypal.com directly and logged in, but what is this… amateur hour?
Warren Hoppe said:
I NEVER post online, but found this truly fascinating, as I was just showing my wife a REAL phishing attempt purportedly from PayPal — when I went to show her a “real” PayPal email, I saw the “epl-paypal-communication.com” in the embedded links. WTF??? What a rabbit hole and this is TWO YEARS LATER. Thanks for your Quixotic epic, incompetence is everywhere… this is like Experian offering to tell you if your identity has been stolen (love those commercials). Don’t get any on you, your mileage may vary.
Anonymous said:
Same experience. Sent the email to spoof@paypal.com and it was rejected by their email server!!!!
The following recipient(s) cannot be reached:
‘spoof@paypal.com’ on 07/05/2019 10:19
554 5.7.1 clamav: virus found: "Heuristics.Phishing.Email.SpoofedDomain"
Doesn’t really give you much trust in paypal, does it?