Thursday, November 10, 2005

PSA to phishers

I have recently begun receiving a steady stream of notices from "eBay," "PayPal" (with whom I don't even have an account), and so on, notifying me that my accounts have been compromised and demanding that I click their link or have my account cut off.

Some of these notices are done better than others, although they have certain elements in common, such as hyperlinks not lining up with the given address and an attempt at the sort of small print you might expect to find on an official email. Some of the emails leave a bit to be desired, however. To that end, I offer a few suggestions based on things that tipped me off:


  • Exclamation points are not generally accepted in business communications. "Security Center Advisory!" isn't convincing.


  • Putting an "ID" number on the communication is commendable... unless the ID is only three digits long. A company the size of eBay is going to run out of numbers if it follows that convention.


  • Using proper English syntax is helpful. "Make sure you never provide your password to fraudulent persons" doesn't work. Persons aren't fraudulent, just their actions. Unless they aren't persons. But I don't know many hamsters who know HTML, so I think that rules that out.


  • You aren't "try[ing] to verify [my] identity." You are resolving suspected unauthorized logins. You don't care whether I am who I say I am, you are worried about the guy who tried to get into my account. It would have been pointless to email me if you were trying to verify my identity; by sending the email, you indicate that you already believe me to be the proper account holder.


  • Ditto spelling. A line like "you leave us no choise but to temporaly suspend your account" should be reworked before sending it out to the world (not to mention that temporary and temporal are only confused by weak minds).

  • Companies need customers. Successful companies (such as the ones you are masquerading as) don't threaten them. "If you choose to ignore our request, you leave us no choise but to temporaly suspend your account" is more aggressive than any company would write. Additionally, the amount of independent action suggested to the customer ("If you choose...") is usually only seen in letters from collection agencies.


So in conclusion, here's to incompetence doing its part to keep my online information secure.
