PayPal just sent me an email (which you can see for yourself):

Dear Tikitu De jager, Christmas is approaching! Still need to find some gifts for your loved ones? We show you how to find unique gifts on eBay. Also, find out how you can send money home with PayPal and stay in touch for free with Skype! Seasons greetings! PayPal

The funny thing is, I could have sworn I asked them not to spam me. But…

This PayPal notification was sent to [ my address ] because you chose to receive All Policy Change Notices.

Oh. Fair enough. I suppose the policy that’s changed is that “Policy Change Notices” no longer contain notification of changed policies.

I still can’t make up my mind if this is phishing or corporate stupidity.

Case for phishing

  • They misspell (mis-capitalise) my surname (“De jager”) while it shows correctly when I log in to paypal.com.
  • Can anyone really be so soulless as to take “please send me all Policy Change Notices” as an invitation for Christmas spam?!
  • The links in the newsletter go to email1.paypal.nl, which is not www.paypal.com which is where I log in. (Ok, paypal.nl is legit. But a DNS lookup site tells me that subdomain doesn’t exist.)
  • Said links include a session identifier, which would suffice to identify me for the phisher site.

Case against phishing

  • They got the correct name and email address for my PayPal account. That’s not as easy as it sounds, it’s not the name you’re looking at. (It’s not so very difficult either, though, and the email address is an easy guess.)
  • They don’t ask for any information or even that I go somewhere to “confirm” anything. The links are apparently continuations of the articles, or things like “Get Skype”. They all go to that email1.paypal.nl though.
  • And if email1.paypal.nl doesn’t exist, how are they getting any information at all, let alone useful information?!
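The two lists above are really a set of triage heuristics: does the salutation match the account name, do the links point at the host you actually log in to, do they carry a session-style identifier, and does the link host even resolve? The script below, added here as an example and not part of the original post, runs those checks over a constructed stand-in mail. Everything in it is assumed: the sample body, the capitalised form of the account name (“De Jager”), the list of query-parameter names treated as session identifiers, and the resolver, which is injectable so the checks can run without network access.

```python
"""Triage heuristics for a suspicious account-notification mail.

Added example; not the post author's code. The mail body, the expected
name and the session-parameter list are constructed assumptions.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample body (not the real mail). The host name and the idea of
# a session id in the links are taken from the post; the values are made up.
SAMPLE_EMAIL = """\
Dear Tikitu De jager, Christmas is approaching!
Read more: http://email1.paypal.nl/r/xmas-gifts?sid=8f3a2c9d1e4b5a6f7c8d9e0f1a2b3c4d
Get Skype: http://email1.paypal.nl/r/skype?sid=8f3a2c9d1e4b5a6f7c8d9e0f1a2b3c4d
Log in: https://www.paypal.com/
"""

EXPECTED_NAME = "Tikitu De Jager"          # assumed: name as shown on the account page
EXPECTED_LOGIN_HOSTS = {"www.paypal.com"}  # the host the author actually logs in to
SESSION_PARAM_NAMES = {"sid", "session", "sessionid", "token"}  # assumed list

URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class LinkFinding:
    url: str
    host: str
    off_login_host: bool          # host is not one of the login hosts
    carries_session_id: bool      # query string has a long session-style value
    resolves: Optional[bool]      # None when DNS was not consulted


def resolve(host: str) -> bool:
    """Real resolver using the analyst's own DNS; used only when run directly."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def has_session_id(url: str) -> bool:
    """True if a known session-style parameter carries a value of 16+ chars."""
    query = parse_qs(urlparse(url).query)
    return any(
        name.lower() in SESSION_PARAM_NAMES and any(len(v) >= 16 for v in values)
        for name, values in query.items()
    )


def name_mismatch(body: str, expected: str) -> bool:
    """Compare the salutation with the account name, case-sensitively."""
    match = re.search(r"Dear ([^,\n]+)", body)
    if not match:
        return True  # no salutation at all is itself suspicious
    return match.group(1).strip() != expected


def triage(body: str, expected_name: str, login_hosts: set,
           resolver: Optional[Callable[[str], bool]] = None) -> Dict:
    """Extract every link and evaluate the heuristics from the post."""
    findings: List[LinkFinding] = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        findings.append(LinkFinding(
            url=url,
            host=host,
            off_login_host=host not in login_hosts,
            carries_session_id=has_session_id(url),
            resolves=resolver(host) if resolver else None,
        ))
    return {"name_mismatch": name_mismatch(body, expected_name), "links": findings}


def indicators(report: Dict) -> List[str]:
    """Human-readable list of the suspicious indicators that fired."""
    notes: List[str] = []
    if report["name_mismatch"]:
        notes.append("salutation does not match the account name")
    for f in report["links"]:
        if f.off_login_host:
            notes.append(f"link host {f.host} is not the login host")
        if f.carries_session_id:
            notes.append(f"link to {f.host} carries a session-style identifier")
        if f.resolves is False:
            notes.append(f"link host {f.host} does not resolve in DNS")
    return notes


if __name__ == "__main__":
    # Stand-alone run uses the real resolver; the checks themselves are offline.
    for note in indicators(triage(SAMPLE_EMAIL, EXPECTED_NAME,
                                  EXPECTED_LOGIN_HOSTS, resolver=resolve)):
        print(" -", note)
```

Two caveats a practitioner would keep in mind: the session-id check is purely structural (it flags long values under well-known parameter names, so a tracking token and a real session cookie look the same), and the DNS check is done from the analyst's resolver at triage time, so a host that fails to resolve now may well have existed when the mail went out, which is exactly the puzzle the post runs into.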

Result…

I’m confused. Anyone know anything about this? Legit and really bloody irritating, not to mention braindead stupid? Dodgy and diabolically clever? It’s got me puzzled.

Update

The PayPal spoofline says it’s fake. But I’m not sure I believe them — the email is clearly a form letter, and it looks to me like it just ripped out the URLs from the email and checked whether they were registered to PayPal. Which they apparently aren’t, but I still can’t get past one question: how does it help a scammer to direct me to a non-existent website? (Hm. How does it help PayPal? Good question. No answer.)

Thank you for bringing this suspicious email to our attention. We can confirm that the email you received was not sent to you by PayPal. The website linked to this email is not a registered URL authorized or used by PayPal. We are currently investigating this incident fully. Please do not enter any personal or financial information into this website.