Why Does Legitimate Email from PayPal Instruct Me to Click a Link?

As you stated and I’ve preached to my own family, you should never click a link in an email that purports to be from PayPal – never. If there’s something that needs to be checked out, go to the PayPal site yourself by typing paypal.com in your browser’s address bar or clicking on your bookmark – never click on an emailed link to PayPal – got that? And yet my monthly email statement from PayPal includes a link to login! Why is PayPal practicing business in this manner? We both know that they know that they’re not ignorant of the risky behavior fostered.

You are 100% correct. I agree with you – I wish PayPal didn’t do this.

Now, I can postulate a few reasons why PayPal might choose to behave this way … but I still can’t really justify it.

Let me throw out a few of my ideas.


PayPal and customer service

Some people simply don’t want to type “paypal.com” into an address bar. Instead, they would rather click a link.

For many people, the idea of staying safer by entering an address and not clicking on a link is difficult to understand. It’s just easier to click the link in the email and not have to think about it.

Many of these people come to Ask Leo! and I understand why they feel this way. Computers can be very confusing. When they see a link, they think to themselves: “Why can’t I click on this link? That’s a link to PayPal. It says it’s a link to PayPal. Why wouldn’t I click on that link?”

Of course, you and I know it’s because not all links that say they are from PayPal actually are from PayPal. And while I can warn people about phishing, spamming, and all other types of malicious activity, it’s still a very difficult concept for many people.

PayPal probably deals with this on an ongoing basis. My guess is that the customer service cost of dealing with accounts compromised because people click bogus links in email is simply less than the projected cost of handling customer complaints about emails with no links.

Yep. My theory is that it probably all comes down to PayPal’s bottom line.

Links in emails – a bigger issue

Links in emails are a bigger issue than just PayPal.

What we’re trying to teach people is how to treat email and how to look for and be skeptical of suspicious email.

Unfortunately, PayPal is training them to do exactly the opposite. That’s why I agree with you: in my opinion this is very wrong.

The safer solution by far is to send people an email with no links, simply instructing them to “go log in to your PayPal account for some important information”.

It’s a tough scenario. I have a hard time justifying PayPal’s actions, but I understand what might be a bottom-line mentality on their part.

About the links rule

There is one clarification that I want to make to the rule. The rule is not necessarily “never click links in email,” or even “never click links from PayPal in email.” The rule is:

  • Never click links unless you are 100% certain that they are actually from a trusted source.

The problem here is how the average person is supposed to be 100% certain that the PayPal link is legitimate. That’s why the rule is usually shortened to “Don’t click on any link in email.”

In reality, I personally click PayPal links all the time because I know how to determine when a PayPal email is legitimate and when it’s from a phisher.

In the end, I agree with you 100%. I don’t know why PayPal continues to do this and I wish they didn’t, but ultimately, they are.
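One way to check where an emailed “PayPal” link really goes, as an added example that is not part of the original article: it reads the link's actual destination out of the HTML, ignores whatever text the link displays, and accepts the host only if it is paypal.com or ends in “.paypal.com”. The function and class names are assumptions of this example, and the sample message is constructed, using look-alike hosts quoted in the reader comments on this page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "paypal.com"  # domain the reader expects (assumption of this example)

def is_trusted(url, trusted=TRUSTED):
    """True only for an https URL whose host is `trusted` or a subdomain of it."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    # The host must END with the trusted domain; merely containing it proves nothing.
    return parts.scheme == "https" and (host == trusted or host.endswith("." + trusted))

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit(html):
    """Return (visible text, real host, verdict) per link, judged on the href alone."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return [(text, urlsplit(href.strip()).hostname or "",
             "trusted" if is_trusted(href) else "untrusted")
            for text, href in collector.links]

# Constructed sample body; the non-PayPal hosts are the ones quoted in the comments.
SAMPLE = """<p>Your statement is ready.</p>
<a href="https://www.paypal.com/">Log in to PayPal</a>
<a href="http://paypal.com.customerlogon.com.ipuv.com/">https://www.paypal.com/</a>
<a href="https://secure.paypal.com.fake.url/">Log in to PayPal</a>
<a href="https://paypal-feedback.com/">Tell us how we are doing</a>"""

if __name__ == "__main__":
    for text, host, verdict in audit(SAMPLE):
        print(f"{verdict:9}  {host:40}  shown as: {text}")
```

Only the first link passes. The second displays a genuine-looking address as its text while pointing elsewhere, the third uses https on a host that merely starts with a PayPal-like name, and the fourth is a separately registered domain that cannot be verified from its name alone.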

21 comments on “Why Does Legitimate Email from PayPal Instruct Me to Click a Link?”

  1. My banks do that too and I’ve written them about it to no avail. I think most financial institutions do that.
    I use LastPass which fills in the password if it is the legitimate site which it has stored. If the password doesn’t come up automatically I would know that something is wrong and proceed to check things out. Other password managers like KeePass and RoboForm should also do the trick.

    • I’m still leery of clicking on links and using LastPass or similar as a “this might not be right” detector. The problem is that if you do land on a malicious site they may be doing more than just trying to get your login credentials. They could be planting malware. So … let’s be careful out there. 🙂

  2. Most people don’t know how to key a web address into the address bar. They only know how to key something into the search engine that’s prominently displayed on their browser’s home page. Often that search engine is itself a hijack. Just sayin.

    • I know plenty of people who wouldn’t know an “address bar” if they were serving free drinks. (Sorry, it’s the best I could come up with on such short notice.) I was continually amazed that they would bring up Google (their home page), type the URL into Google’s search box, and then click the first link shown which was (hopefully) the website they wanted.

      I was finally able to convince them to let me change their home page to their “most favorite” website (or, more recently, have the browser open with their favorite sites in separate tabs), and have them type the URL into the actual address bar when they wanted something else.

  3. Does this imply that we should COPY/PASTE or type any/all of the Links in the “Ask Leo Newsletter” and any other site?

    • The links in the Ask Leo! Newsletter and any other email which you are absolutely sure are legit fall under the category which Leo described as

      “- Never click links unless you are 100% certain that they are from who you think they are.”

  4. If you trust the site you have to trust the links. Askleo Newsletter comes via email and it is full of links. I click them all because I trust the site. Same with Kim Komando, Bob Rankin, and Dave Taylor. If you have to go to each of these sites rather than clicking links you might as well unsubscribe from the newsletters and read the web pages. Not me.

    • Actually even if you do elect to manually visit the web site, the newsletters often serve as a great reminder that there’s new content to be seen.

  5. There are two very good reasons for taking the time and effort to make sure you go to PayPal’s website without clicking on a link in an e-mail message.
    1. While the link may look correct it may be to a phishing site. For example the link:
    http:// paypal.com.customerlogon.com.ipuv.com/update..
    is not that of Paypal. The real site is ipuv.com which may automatically redirect you to a site looking identical to Paypal’s site complete with paypal in the address bar but actually a rogue site which will capture your login information and then pass you on to PayPal’s real site.
    2. PayPal does not respect your security. The first time you use a credit or debit card for a purchase they ask for the 3 digit CCV number on the back of the card. Apparently they store this in the data they have for you because the next time you make a purchase they do not need nor ask for the number. As a result the joker who captured your login information can now make purchases using your account. I find that Amazon dot com has the same policy.

    The last I read is that PayPal is not considered to be a bank and as such they are not regulated by the Federal banking rules.

  6. I read my e-mails in plain-text mode. (Yes, there are some people/newsletters that send HTML-only, and I will temporarily switch to HTML for that one e-mail.) Thunderbird will make anything that “looks like” a URL into a clickable link. However, because it’s plain text, there is no way to hide the link’s address, and it’s usually pretty obvious that a phishing link is just that.

    Unfortunately, American Express has been sending out e-mails where the plain-text version looks suspiciously like a phishing attempt — “dear customer” rather than my name, no “card number ending in NNNN”, a balance of “$0”, a due date of “date”, and so on — despite the fact that the HTML portion has all the correct data. I almost reported it as spam the first time I got one, but I happened to check the HTML version.

  7. I have received a number of phishing emails from PayPal and I always check that the URL has
    “https” rather than the normal “http” as I always thought the “S” related to a secure site and was not possible for illegitimate use?

    • I don’t see any reason why someone who can go to the trouble to set up a phishing website on a server can’t set up a secure server. What’s the difference between http://www.paypal.com.fake.url and https://secure.paypal.com.fake.url?

      Making assumptions is how people get into trouble. Whether you’re in your email or in your browser, ALWAYS read the status bar carefully to find out where the link is really going and ALWAYS watch for . and / They make a huge difference in where the link is going.

      • James,
        Setting up the secure layer costs more money and takes more time and effort. You also have to go through certain documentation to prove that you are a legitimate business. So the bad guys just simply aren’t going to do it.

        • That may be true (that there’s more cost and checks and balances) but in my line of work, I’ve learned that sometimes cost is not a factor when you want to do a big scam. The people that do these things weigh the risks against the rewards and believe the rewards are greater than the risks.

          So I don’t assume anything is safe, unless I know it’s safe.

  8. I also NEVER click on one of those shortened links (e.g. http://bit.ly/abcdefg). I don’t care whether I trust you or not. I don’t know where the link will go, so I won’t click on it.

    Even Leo’s links sometimes don’t tell you where you are going to go, but at least they all point back to his website before you are redirected, so you can have confidence that it’s safe (unless his website’s been hacked into). 🙂

    • Ronnie,
      That’s not a problem. The rule is to not click on links unless you are certain where they come from. We know we can trust Leo.

  9. As if this is the only problem. Paypal is the worst spammer in the world, how many times do you have to unsubscribe and still get their rubbish ads? Infinite. Paypal spam also directs you to shady paypal-feedback.com links that make you think, where are their 10000 warnings regarding all links being only secure paypal.com?? They are so dead on this and spamming, that after refusing my disputes they keep bombarding me with “We have got you covered” / “Tell us how we are doing” spam rubbish!! They are miserable.
