You are 100% correct. I agree with you — I wish PayPal didn’t do this.
I can guess why PayPal might choose to behave this way, but I can’t justify it.
Let me throw out a few ideas.
PayPal and customer service
It’s difficult for many people to understand that you are safer manually typing an internet address than you are clicking on a link in an email. It’s easier to click the link in the email and just not think about it.
I understand that this distinction, though important, can be very confusing. “That’s a link to PayPal. It says it’s a link to PayPal. Why wouldn’t I click on that link to PayPal?”
You and I know not all links that say they are from PayPal actually are from PayPal. Click on that link and you could end up somewhere else entirely — perhaps a scammer’s site that looks like PayPal but is not.
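The gap between what a link says and where it goes can be checked mechanically. The sketch below is an added example, not part of the original article or anything PayPal publishes: it lists links in an HTML email that mention PayPal in their text or host name but do not point to an https address on paypal.com. The trusted-domain set, function names, and sample message are assumptions made for illustration, and a link that passes this check is still not proven legitimate.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only registrable domain treated as genuinely PayPal.
TRUSTED = {"paypal.com"}

# Constructed sample email body (not a real message; example domains only).
SAMPLE = """<p>Your account needs attention.
<a href="https://www.paypal.com/signin">Log in to PayPal</a>
<a href="http://paypal.com.account-check.example/login">www.paypal.com</a>
<a href="https://secure.example.net/pp">Restore your <b>PayPal</b> account</a>
<a href="https://example.org/news">Newsletter</a></p>"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def is_trusted(host, trusted=TRUSTED):
    # Exact match or a true subdomain; "paypal.com.evil.example" does not qualify.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def suspicious_links(html, brand="paypal"):
    """Return (text, host) for links that name the brand but leave its domain."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for text, href in collector.links:
        try:
            parts = urlsplit(href)
            host = parts.hostname
        except ValueError:  # malformed URL: treat as untrusted
            parts, host = None, None
        names_brand = brand in text.lower() or brand in (host or "").lower()
        ok = parts is not None and parts.scheme == "https" and is_trusted(host)
        if names_brand and not ok:
            findings.append((text, host))
    return findings
```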
And while you and I warn people about phishing, spamming, and all other types of malicious activity, it’s still a very difficult concept to sell.
My belief is that PayPal deals with this issue every day.
But here’s why I think they continue to operate this way: my guess is that the cost of dealing with compromised accounts is less than the projected cost of handling complaints about emails with no links.
Yep. It probably all comes down to PayPal’s bottom line.
PayPal teaches bad behavior
What we try to teach people is how to look for and be skeptical of suspicious email.
Unfortunately, PayPal is training them to do exactly the opposite. They teach that the “right” thing to do is to click links in email messages that look like they came from PayPal.
In my opinion, this is very wrong.
The safer solution by far is to send people an email with no links and instruct them to “log in to your PayPal account for some important information.” This is what my online brokerage does, for example.
About that “clicking on links in email” rule
There is one clarification I want to make to the rule. The rule is not necessarily “never click links in email” or even “never click links from PayPal in email.” The rule is this:
Never click links unless you are 100% certain that they are from a trusted source.[1]
The problem here is, it’s not clear how the average person is supposed to be 100% certain that, for example, a link to PayPal is legitimate. That’s why the rule is usually shortened to “Don’t click on links in email.”
In the end, I agree with you 100%. I don’t know why PayPal continues to do this, and I wish they didn’t. Our job is to continue to preach safety and skepticism, and practice it ourselves.
Footnotes & References
1: This same rule applies to attachments: Never open attachments unless you are 100% certain that they are from a trusted source.