I came across a blog post by ESET's director of technical education Randy Abrams earlier today, in which he claimed that PayPal had confirmed that its own email was phishing.

It began with him receiving an email that appeared to be a phishing message yet contained links to the official site. He told PayPal that 'it was a bad idea to include a link in it because it looks just like a phishing email'.

The response thanked him for 'forwarding that suspicious-looking email' and said 'You're right – it was a phishing attempt and we're working on stopping the fraud. By reporting the problem, you've made a difference!'

If you read between the lines, you will see that PayPal simply issued Randy the standard response it sends to anyone who forwards a suspicious email, but the fact that this was issued as a reply to his message is rather humorous. However, Abrams does raise a valid point that 'legitimate businesses should never include links to log on pages, or most places'.

While it is good that PayPal encourages users to send suspicious messages in, perhaps it would be best to read those contributions before replying, so that security types do not get the last laugh.