PayPal, eBay’s internet-based money transfer system, is trying to persuade email providers to block messages that lack digital signatures, which are aimed at cutting down on phishing scams, a company attorney said yesterday.
So far, no agreements have been reached, but the idea is one that PayPal would like to see from other e-commerce businesses, said Joseph E. Sullivan, PayPal's associate general counsel, at the International E-Crime Congress in London.
An agreement with, for example, Google for its Gmail service could potentially stop spam messages that look legitimate and bypass spam filters.
PayPal is using several technologies to digitally sign its emails now, including DomainKeys, Sullivan said. DomainKeys, a technology developed by Yahoo, enables verification of the sender and integrity of the message that's sent.
PayPal is one of the most highly spoofed brands, with fraudsters sending out spam to lure vulnerable users to look-a-like websites where their log-in details and passwords are collected and abused for profit.
Once a hacker has gained control of a PayPal account, it's possible to send money to other PayPal accounts or purchase goods. PayPal has introduced rules to counter fraud, such as limits on how much money can be transferred. PayPal also compensates users who've had their accounts hijacked, Sullivan said.
But the phishing problem is getting worse than when he started working for eBay five years ago, Sullivan said.
Last week, Sullivan said he got a call from his father, who said he'd fell prey to a phishing scam. While spam-filtering technologies have improved and awareness around phishing is rising, users tend to be the weakest point, falling for sometimes very convincing social engineering tricks.
"I think one lesson we've learned is that education isn't going to stop this," Sullivan said. "Phishing attacks are too good now. Every company that does business on the internet is being targeted by phishing scams now."
The number of phishing sites is also rising. A report released last week by the Anti-Phishing World Group, a consortium of vendors and government agencies, said the number of fraudulent websites in January reached an all-time high of 29,930.