Wednesday, February 16, 2005

Trust and Contradiction

I have received an unusual email, which contains either an amazing bit of confidence trickery or a subtle piece of postmodern art.

You're Billing Information!

Dear PayPal Member,

It has come to our attention that your PayPal Billing Information records are out of date. That requires you to update the Billing Information.

Failure to update your records will result in account termination. Please update your records within 24 hours. Once you have updated your account records, your PayPal session will not be interrupted and will continue as normal. Failure to update will result in cancellation of service, Terms of Service (TOS) violations or future billing problems.

You must click the link below and enter your login information on the following page to confirm your Billing Information records.

Click here to activate your account

You can also confirm your Billing Information by logging into your PayPal account at https://www.paypal.com/us/.

Thank you for using PayPal!
The PayPal Team

Protect Your Account Info

Make sure you never provide your password to fraudulent websites.

To safely and securely access the PayPal website or your account, open a new web browser (e.g. Internet Explorer or Netscape) and type in the PayPal URL (https://www.paypal.com/us/) to be sure you are on the real PayPal site.

PayPal will never ask you to enter your password in an email.

For more information on protecting yourself from fraud, please review our Security Tips at https://www.paypal.com/us/securitytips

Protect Your Password

You should never give your PayPal password to anyone, including PayPal employees.

The email was sent to an address that I have not registered with PayPal. In addition to this, the left-hand side contained three strong indicators of a phishing attack:
  1. Hotlinks to a web site that was not PayPal. (I have removed these links.)
  2. Spelling mistakes
  3. Aggressive threats (respond within 24 hours or else ...)

So what to make of the right-hand side, which appears to be a genuine message from PayPal, containing no hotlinks and effectively advising me to ignore the left-hand side?
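
Indicators 1 and 3 can be checked mechanically, and the check is unaffected by any reassuring text elsewhere in the message, because only clickable links and pressure wording are scored. The following is an added example, not part of the original post; the host `login.example.net` is a placeholder (the real link targets were removed), and the urgency patterns and function names are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the email quoted above. The real link targets
# were removed from the post, so "login.example.net" is a placeholder host.
SAMPLE = """
<td><b>You're Billing Information!</b>
<p>Failure to update your records will result in account termination. Please update your records within 24 hours.</p>
<a href="http://login.example.net/paypal/update">Click here to activate your account</a></td>
<td><p>type in the PayPal URL (https://www.paypal.com/us/) to be sure you are
on the real PayPal site.</p></td>
"""

# Assumed pressure wording, taken from phrases in the quoted email.
URGENCY = [r"within \d+ hours", r"account termination", r"cancellation of service"]

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def on_brand(url, brand_domain):
    """True only if the URL's host is the brand domain or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == brand_domain or host.endswith("." + brand_domain)

def analyze(html, brand_domain="paypal.com"):
    parser = LinkCollector()
    parser.feed(html)
    # Only clickable links count; a brand URL shown as plain text is ignored.
    off_brand = [(h, t) for h, t in parser.links if not on_brand(h, brand_domain)]
    text = re.sub(r"<[^>]+>", " ", html)
    urgency = [p for p in URGENCY if re.search(p, text, re.I)]
    return {"off_brand_links": off_brand, "urgency": urgency,
            "suspicious": bool(off_brand and urgency)}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The host comparison is on the full hostname, so a brand name appearing in the path or as a leading label of another domain does not count as a match.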

Why would a phisher include such anti-phishing advice - except as a clever trick to persuade the reader that the email was not a phishing attack? Or perhaps when people are overloaded with contradictory information, they do irrational things. I'd love to know how many people actually fall for this trick.

The broader implications for trust are fascinating and important. People have always tried to play games to win trust - and have often succeeded. And there is an interesting relationship between trust and consistency.

Update (June 2008)

Robin Wilton had some unsolicited email purporting to be from a company called MoneyBookers. See my comment.