Paypal’s chief security officer, Michael Barrett, has said that despite the huge number of phishing emails sent trying to trick his customers out of their accounts, the company’s losses to phishers are relatively low.
“Financially, phishing is not a terribly significant problem for us … In fact, I suspect that many of the published figures on phishing’s impact are significantly overestimated, probably by an order of magnitude.”
This may be true, but I suspect that the problems of phishing may be more about perception than actual losses for Paypal. Inexperienced users can become worried and insecure if they frequently receive phishing emails, and that ultimately does no good for either Paypal or eBay. I was recently speaking to a friend who I’d consider to be pretty net-savvy: “I’ve closed my eBay account,” he told me, “I kept getting emails saying I had to update stuff and my account had been compromised, I couldn’t tell if they were real or not, and I couldn’t be bothered with it all, so I closed the account for good.” I wonder how often that happens.
Though Paypal may see “ordinary credit card fraud” and trojans as a bigger threat than phishing, they are taking one very important step towards making phishing attempts more obvious, and educating users in how to avoid them:
“As a company, we’re in the process of eliminating all embedded links in our emails, and there’s no reason why a user should ever have to click on those links. It’s a convenience, but it’s not worth the risk.”
And the sooner they implement that, the better.