Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Why Does Legitimate Email from PayPal Instruct Me to Click a Link?

Question: As you’ve stated and I’ve preached to my own family, you should never click a link in an email that purports to be from PayPal – never. If there’s something that needs to be checked out, go to the PayPal site yourself by typing paypal.com in your browser’s address bar or clicking on your bookmark – never click on an emailed link to PayPal – got that? And yet my monthly email statement from PayPal includes a link to log in! Why is PayPal practicing business in this manner? We both know that they know that they’re not ignorant of the risky behavior fostered.

You are 100% correct. I agree with you — I wish PayPal didn’t do this.

I can guess why PayPal might choose to behave this way, but I can’t justify it.

Let me throw out a few ideas.

Become a Patron of Ask Leo! and go ad-free!

PayPal and customer service

It’s difficult for many people to understand that you are safer manually typing an internet address than you are clicking on a link in an email. It’s easier to click the link in the email and just not think about it.

I understand that this distinction, though important, can be very confusing. “That’s a link to PayPal. It says it’s a link to PayPal. Why wouldn’t I click on that link to PayPal?”

PayPalYou and I know not all links that say they are from PayPal actually are from PayPal. Click on that link and you could end up somewhere else entirely — perhaps a scammer’s site that looks like PayPal but is not.

And while you and I warn people about phishing, spamming, and all other types of malicious activity, it’s still a very difficult concept to sell.

My belief is that PayPal deals with this issue every day.

But here’s why I think that they continue to operate this way: my guess is that the costs of dealing with compromised accounts is less than the projected cost of handling complaints about emails with no links.

Yep. It probably all comes down to PayPal’s bottom line.

PayPal teaches bad behavior

What we try to teach people is how to look for and be skeptical of suspicious email.

Unfortunately, PayPal is training them to do exactly the opposite. They teach that the “right” thing to do is to click links in email messages that look like they came from PayPal.

In my opinion, this is very wrong.

The safer solution by far is to send people an email with no links and instruct them to “log in to your PayPal account for some important information.” This is what my online brokerage does, for example.

About that “clicking on links in email” rule

There is one clarification I want to make to the rule. The rule is not necessarily “never click links in email” or even “never click links from PayPal in email.” The rule is this:

Never click links unless you are 100% certain that they are from a trusted source.1

The problem here is, it’s not clear how the average person is supposed to be 100% certain that, for example, a link to PayPal is legitimate. That’s why the rule is usually shortened to “Don’t click on links in email.”

I personally click PayPal links all the time, because I know how to determine when a PayPal email is legitimate and when it’s from a phisher, and when links really go to where I expect them to.

In the end, I agree with you 100%. I don’t know why PayPal continues to do this, and I wish they didn’t. Our job is to continue to preach safety and skepticism, and practice it ourselves.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio

Play

Footnotes & References

1: This same rule applies to attachments: Never open attachments unless you are 100% certain that they are from a trusted source.

45 comments on “Why Does Legitimate Email from PayPal Instruct Me to Click a Link?”

  1. My banks do that too and I’ve written them about it to no avail. I think most financial institutions do that.
    I use LastPass which fills in the password if it is the legitimate site which it has stored. If the password doesn’t come up automatically I would know that something is wrong and proceed to check things out. Other password managers like KeePass and RoboForm should also do the trick.

    Reply
    • I’m still leery of clicking on links and using LastPass or similar as a “this might not be right” detector. The problem is that if you do land on a malicious site they may be doing more than just trying to get your login credentials. They could be planting malware. So … let’s be careful out there. :-)

      Reply
  2. Most people don’t know how to key a web address into the address bar. They only know how to key something into the search engine that’s prominently displayed on their browser’s home page. Often that search engine is itself a hijack. Just sayin.

    Reply
    • I know plenty of people who wouldn’t know an “address bar” if they were serving free drinks. (Sorry, it’s the best I could come up with on such short notice.) I was continually amazed that they would bring up Google (their home page), type the URL into Google’s search box, and then click the first link shown which was (hopefully) the website they wanted.

      I was finally able to convince them to let me change their home page to their “most favorite” website (or, more recently, have the browser open with their favorite sites in separate tabs), and have them type the URL into the actual address bar when they wanted something else.

      Reply
        • Ken B. wrote:

          “I was continually amazed that they would bring up Google (their home page), type the URL into Google’s search box, and then click the first link shown which was (hopefully) the website they wanted.”

          Yeah, well, if Google made some of their sites/URL’s easier to find, then I, for one, wouldn’t need to do that.

          What is the URL for Google Advanced Image Search, Ken?* Do you know?

          No?

          Neither did I… until I typed “Google Advanced Image Search” into their we search field!

          *(And just so you know, it’s:
          “https://www.google.com/advanced_image_search”.)

          Reply
          • Obviously, if you don’t know the URL for a website googling it is the easiest way to get there. What Ken B and Leo are saying is that for sites you use every day and know the URL, such as hotmail.com, yahoo.com, and facebook.com, it makes more sense to type in the URL directly. I’d go to Google if I wanted to find Google Advanced Image Search. I also find it easier to google if I want to find a free download when sometimes the program developer deliberately makes it difficult to find the free download page.

      • Because I know HTML, I went a step further, wrote an HTML page of my most frequently accessed sites, and made the resulting page of “quicklinks” my homepage. :)

        Reply
  3. Does this imply that we should COPY/PASTE or type any/all of the Links in the “Ask Leo Newletter” and any other site?

    Reply
    • The links in the Ask Leo! Newsletter and any other email which you are absolutely sure are legit fall under the category which Leo described as

      “- Never click links unless you are 100% certain that they are from who you think they are.”

      And copy and pasting from a phishing email can lead you to a fake website.

      Reply
      • You can only be sure that the links within an Ask Leo! Newsletter are legit, if you know, for certain, that the Ask Leo! Newsletter itself, that those links are embedded in, is legit.

        Reply
  4. If you trust the site you have to trust the links. Askleo Newsletter comes via email and it is full of links. I click them all because I trust the site. Same with Kim Komando, Bob Rankin, and Dave Taylor. If you have to go to each of these sites rather than clicking links you might as well unsubscribe from the newsletters and read the web pages. Not me.

    Reply
    • Actually even if you do elect to manually visit the web site, the newsletters often serve as a great reminder that there’s new content to be seen.

      Reply
  5. There are two very good reasons for taking the time and effort to make sure you go to PayPal’s website without clicking on a link in an e-mail message.
    1. While the link may look correct it may be to a phishing site. For example the link:
    http:// paypal.com.customerlogon.com.ipuv.com/update..
    is not that of Paypal. The real site is ipuv.com which may automatically redirect you to a site looking identical to Paypal’s site complete with paypal in the address bar but actually a rogue site which will capture your login information and then pass you on to PayPal’s real site.
    2. PayPal does not respect your security. The first time you use a credit or debit card for a purchase they ask for the 3 digit CCV number on the back of the card. Apparently they store this in the data they have for you because the next time you make a purchase they do not need nor ask for the number. As a result the joker who captured your login information can now make purchases using your account. I find that Amazon dot com has the same policy.

    The last I read is that PayPal is not considered to be a bank and as such they are not regulated by the Federal banking rules.

    Reply
  6. I read my e-mails in plain-text mode. (Yes, there are some people/newsletters that send HTML-only, and I will temporarily switch to HTML for that one e-mail.) Thunderbird will make anything that “looks like” a URL into a clickable link. However, because it’s plain text, there is no way to hide the link’s address, and it’s usually pretty obvious that a phishing link is just that.

    Unfortunately, American Express has been sending out e-mails where the plain-text version looks suspiciously like a phishing attempt — “dear customer” rather than my name, no “card number ending in NNNN”, a balance of “$0”, a due date of “date”, and so on — despite the fact that the HTML portion has all the correct data. I almost reported it as spam the first time I got one, but I happened to check the HTML version.

    Reply
  7. I have received a number of phishing emails from PayPal and I always check that the URL has
    “https” rather than the normal “http” as I always thought the “S” related to a secure site and was not possible for illegitimate use ?

    Reply
    • I don’t see any reason why someone who can go to the trouble to set up a phishing website on a server can’t set up a secure server. What’s the difference between http://www.paypal.com.fake.url and https://secure.paypal.com.fake.url?

      Making assumptions is how people get into trouble. Whether you’re in your email or in your browser, ALWAYS read the status bar carefully to find out where the link is really going and ALWAYS watch for . and / They make a huge difference in where the link is going.

      Reply
      • James,
        Setting up the secure layer costs more money and takes more time and effort. You also have to go through certain documentation to prove that you are a legitimate business. So the bad guys just simply aren’t going to do it.

        Reply
        • That may be true (that there’s more cost and checks and balances) but in my line of work, I’ve learned that sometimes cost is not a factor when you want to do a big scam. The people that do these things weigh the risks against the rewards and believe the rewards are greater than the risks.

          So I don’t assume anything is safe, unless I know it’s safe.

          Reply
  8. I also NEVER click on one of those shortened links (e.g. http://bit.ly/abcdefg). I don’t care whether I trust you or not. I don’t know where the link will go, so I won’t click on it.

    Even Leo’s links sometimes don’t tell you where you are going to go, but at least they all point back to his website before you are redirected, so you can have confidence that it’s safe (unless his website’s been hacked into). :)

    Reply
    • Ronnie,
      That’s not a problem. The rule is to not click on links unless you are certain where they come from. We know we can trust Leo.

      Reply
      • Yes… but can we trust that an E-Mail that looks like it comes from Leo, really does come from Leo, and not (say) from a phisher?

        Reply
  9. As if this is the only problem. Paypal is the worst spammer in the world, how many times to you have to unsubscribe and still get their rubbish ads? Infinite. Paypal spam also directs you to shaddy paypal-feedback.com links that makes you think, where are their 10000 warning regarding all links being only secure paypal.com?? They are so dead on this and spamming, that after refusing my disputes they keep bombarding me with “We have got you covered” / “Tell us how we are doing” spam rubbish!! They are miserable.

    Reply
    • Hi Johnathan, I certainly understand the PayPal rant. However, virtually any and all sites we visit, will from time to time, request feedback. I’ve used PayPal since its inception and never had an issue worth mentioning. When you login to PayPal click the settings gear, upper right, notifications-scroll to marketing preferences and un-check everything, you will then only receive pertinent account notices.

      PayPal is a highly useful and secure means for on-line-purchasing when used responsibly along with common sense. Purchases using PayPal credit, over a fixed amount, can be paid over time with no interest. I trust PayPal only to the extent that I trust myself when using it. Think about this for a moment; after almost 20 years using PayPal, I’ve never been charged any fees.

      At the end of the day the only person I trust regarding cyber issues is “me myself and I” and if I screw it up, I need only look in the mirror. Yes, its easy to point fingers, just do it in the mirror.

      Reply
  10. Leo, is it safe to rfight click on the link and then select “open in browser” – I use Kaspersky Total Security and malwarebytes (both paid versions) and believe they do an excellent job of keeping me out of trouble.
    Dave

    Reply
    • It is safe to right click and select Open in Browser, if what is going to open in your browser is safe. The right clicking does not add any extra protection. It just slows you down. Whether you click the link or right click the link and Open in Browser, you still need to hover your mouse over the link so that your browser can tell you where the link is really going. Just because you see secure.paypal.com as the link in the email does not mean that it will go there. Hovering on the link might show you that it is really going to secure.paypal.com.i-am-a-scammer.org

      Reply
    • Right click and open in browser is exactly the same as left clicking the link so it’s just as safe, or unsafe. What’s more important is that you know where the link will take you before you do either. And if you’re not sure, go to the site (like Paypal) without clicking a link, but rather by typing that into your browser or using one of your own bookmarks.

      Reply
    • The safe thing to do is go directly to your browser and type in paypal.com or whichever website the email is purportedly coming from. Any of the other safeguards like hovering over the link are usually safe but you might be missing something.For example, my bank sends me emails with a link. I know absolutely that they are legit but just to stay in the safe practice habit, I never click on those links, I either type in the web address of the bank or click on the bank’s login from LastPass and any notification which came in the email pops up when I log in. Your best protection against phishing emails is never click on a link in an email.

      Reply
  11. I get a link each month from my Back of America MasterCard to a link for my FICO score so a lot of companies do this.

    Reply
      • Of course not. You’re talking to a corporation. A corporation is only considered to be a “person” by the law. In reality, it’s just an “entity.” Anyone who speaks to “entities” probably gets what he deserves, LOL!

        Reply
        • There is a person who receives those emails and they can refer the issue up till it eventually reaches someone who can do something about it. Sot there was a real person somewhere along that line who trashed the suggestion. My guess it’s the person who received the original email.

          Reply
  12. I remember when I first signed up for PayPal about 13 years ago they told me that they would always address any email correspondence with my full name. I have received numerous phishing emails supposedly coming from PayPal and they all said Dear Customer or something to that effect. So as long as the salutation states my first and last name I am confident that the email did originate with PayPal. I still double check the URL, etc though just to be sure.

    Reply
    • That’s a good point but there’s still a small possibility that you might be targeted by someone using your name and address. I still stand by my policy of never clicking a link in an email which asks me to log in to my account.

      Reply
  13. Leo, you wrote:

    Never click links unless you are 100% certain that they are from a trusted source.

    Something you may not notice, Leo, is that that “source” in question is the E-Mail that contains that link. Therefore, what all this really boils down to, is verifying the source of that E-Mail. It becomes much safer to “expect” (and, therefore, to “click”) a link if you know it’s contained within a genuine E-Mail and not a “fake” one sent out by some phisher-king.

    If phishers ever took it into their heads, Leo, to spoof “Ask Leo!” articles (links and all) — both you, AND we would be in very deep trouble indeed!

    Reply
  14. Every genuine PayPal email I receive always begins with the salutation: “Dear Mr ”
    PayPal states that by giving my full registered PayPal name shows that the email is genuine, because phishing emails always begin with the salutation, “Dear PayPal Customer,” “Dear Customer,” or some other generic type of salutation.
    I have never received a phishing email that addresses me by my full registered real name.
    Clicking on links in GENUINE PayPal emails doesn’t worry me at all.

    Reply
    • My comment was somehow “moderated” to exclude a “placeholder” for my full registered PayPal user name, and now the comment makes no sense.
      So to give an example of what I mean, supposing that my full registered PayPal user name was:
      “Mr Donald Aloysius Duck,” a genuine PayPal email would begin with the salutation:
      “Dear Mr Donald Aloysius Duck.”
      I hope this comment doesn’t suffer the fate of my original one.

      Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.