I received an email from PayPal last week, notifying me of a payment reversal by the buyer’s bank. I wouldn’t normally quote such things in full in public, but I don’t think I’m betraying any confidential information here because the email is strangely lacking in any sort of information at all:
We have placed a temporary hold on the funds until our inquiry is complete.
We are contacting you to learn more about this transaction.
To help in our investigation, please reply with the following information within seven calendar days:
#. Details about the item you sold
#. The buyer’s name and address
#. Whether or not the item has been sent. (If you have not yet sent the
item, please do not send it.)
#. A phone number where you can be reached for more information
#. Any email correspondence you have had with the buyer
If you have already sent the item, please also provide:
#. Name of the delivery service used
#. Date of posting
#. Tracking number
For transactions of $250.00 USD or more, please let us know whether you
would be able to provide a proof-of-receipt in the form of a signature
from the buyer.
I was really not sure whether this was a real email or not. So like a good eBayer, I forwarded to [email protected]. Then I signed in to my PayPal account, and sure enough there was a reversed transaction. Was this a real PayPal email, or just a spooky coincidence? I erred on the side of protecting my PayPal account, and replied to the email with the information requested.
This morning, I had two emails back from PayPal: one from customer support thanking me for the information I’d supplied, and the other from spoof@, thanking me for forwarding the spoof email and confirming it wasn’t genuine.
I can understand that PayPal might not want to send out confidential financial information in emails, but the above email is completely inadequate. How many sellers are going to see it lacking any kind of credibilty, assume it’s a spoof and delete it, only to have PayPal return the payment to the sender a week later because the seller hasn’t complied with the information request. At the very least, this should say “please sign into your PayPal account and supply us with the information requested through our website”, rather than using email for investigations.
As for [email protected], it’s long been my suspicion that they tell us that everything is a spoof, just to be on the safe side. If genuine emails can and are being flagged as phishing, then really what’s the point of having spoof@ at all?
In the meantime, any sellers receiving such an email should sign into their PayPal account to check whether a payment really has been reversed before replying to *or* deleting the email.