Major PayPal failure: sending emails following all rules of a “good” phishing email

The email below (in German) is from PayPal. It is not a phishing email or a spam email pointing to some online pharmacy.

I assure you of this. I have verified the DKIM and SPF information in the headers, checked all headers of any trace of alteration and of any trace of foreign IP address or domain.

It is also very correct: it informs me that my credit card behind the PayPal account is about to expire. It asks me to update the credit card by clicking on the yellow button.



At this point, I am without words. I would have never expected to receive something like this from PayPal.

Their suggestions to detect phishing and to report phishing are here:

I quote:

Suspicious emails

Phishing and spoof emails aim to obtain your secure information, passwords, or account numbers. These emails use deceptive means to try and trick you, like forging the sender’s address. Often, they ask for the reader to reply, call a phone number, or click on a weblink to steal personal information. If you receive a suspicious email, FORWARD it to Our security experts can take a look to determine if it’s a fake. If it is, we’ll get the source of the email shut down as quickly as possible. Reporting these emails helps protect yourself and everyone else, too.

There are some hints about identifying scam email below, but it’s often difficult to be sure if something is real or fake since scammers adjust their tactics. So, if you have the slightest doubt, send it to our experts for investigation.

As a good user, I have sent them the entire email to

How should they do things right?

They must not add any kind of link in the email on which the user should click.

They must ask the user to go to their website, login and change the data in the profile.

But nothing more than this.


What now?


I have canceled that account.

I wrote to PayPal and I am waiting for their answer.

If I don’t receive any or I don’t like it, I will consider erasing my main account which I have since 2004.

© Copyright 2015 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check for seeing the consulting services we offer.

Visit for latest security news in English
Besuchen Sie für IT Sicherheits News auf Deutsch

About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, is working since over 20 years in the IT Security industry and worked between 2003-2014 for Avira as Product Manager for the known products used by over 100 million users world-wide. Today he is CEO and owner of Endpoint Cybersecurity GmbH focusing on Cybersecurity, secure software development and security for IoT and Automotive. He is also running his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security .

2 Comments on "Major PayPal failure: sending emails following all rules of a “good” phishing email"

  1. The automatic answer from

    Dear Sorin Mustaca,

    Thank you for being a proactive contributor by reporting
    suspicious-looking emails to PayPal’s Abuse Department. Our security
    team is working to identify if the email you forwarded to us is a
    malicious email.

    Paypal Will Always:

    – Address our customers by their first and last name or business name of
    their PayPal account

    Paypal Will Never:

    – Send an email to: “Undisclosed Recipients” or more than one email
    – Ask you to download a form or file to resolve an issue
    – Ask in an email to verify an account using Personal Information such
    as Name, Date of Birth, Driver’s License, or Address
    – Ask in an email to verify an account using Bank Account Information
    such as Bank Name, Routing Number, or Bank Account PIN Number
    – Ask in an email to verify an account using Credit Card Information
    such as Credit Card Number or Type, Expiration Date, ATM PIN Number, or
    CVV2 Security Code
    – Ask for your full credit card number without displaying the type of
    card and the last two digits
    – Ask you for your full bank account number without displaying your bank
    name, type of account (Checking/Savings) and the last two digits
    – Ask you for your security question answers without displaying each
    security question you created
    – Ask you to ship an item, pay a shipping fee, send a Western Union
    Money Transfer, or provide a tracking number before the payment received
    is available in your transaction history


    Any time you receive an email about changes to your PayPal account, the
    safest way to confirm the email’s validity is to log in to your PayPal
    account where any of the activity reported in the email will be
    THE PAYPAL WEBSITE. Instead, enter into your browser to
    log in to your account.

    What is a phishing email?

    You may have received an email falsely claiming to be from PayPal or
    another known entity. This is called “phishing” because the sender is
    “fishing” for your personal data. The goal is to trick you into clicking
    through to a fake or “spoofed” website, or into calling a bogus customer
    service number where they can collect and steal your sensitive personal
    or financial information.

    We will carefully review the content reported to us to certify that the
    content is legitimate. We will contact you if we need any additional
    information for investigating the matter. Please take note to the
    security tips provided above as they may help to answer any questions
    that you may have about the email you are reporting to us.

    Help! I responded to a phishing email!

    If you have responded to a phishing email and provided any personal
    information, or if you think someone has used your account without
    permission, you should immediately change your password and security

    You should also report it to PayPal immediately and we’ll help protect
    you as much as possible.
    1. Open a new browser and type in
    2. Log in to your PayPal account.
    3. Click “Security and Protection” near the top of the page.
    4. Click “Identify a problem.”
    5. Click “I think someone may be using my account without
    6. Click “Unauthorized Account Activity.”

    Thank you for your help making a difference.

    Every email counts. By forwarding a suspicious-looking email to, you have helped keep yourself and others safe from
    identity theft.

    The PayPal Team


    Please do not reply to this email. If you need to follow up, please
    follow the steps above to access your account and utilize the Contact Us
    resources from our site.


  2. I received the reply from PayPal: THEY THINK IT IS A PHISHING SCAM !

    Hello Sorin Mustaca,

    Thanks for forwarding that suspicious-looking email. You’re right – it
    was a phishing attempt, and we’re working on stopping the fraud. By
    reporting the problem, you’ve made a difference!

    Identity thieves try to trick you into revealing your password or other
    personal information through phishing emails and fake websites. To learn
    more about online safety, click “Security Center” on any PayPal webpage.

    Every email counts. When you forward suspicious-looking emails to, you help keep yourself and others safe from identity

    Your account security is very important to us, so we appreciate your
    extra effort.



Comments are closed.

%d bloggers like this: