PayPal Leads Fight Against Phishing

Notes from RSA Conference Day 3
When Michael Barrett, CISO of PayPal, joined the company two years ago, he asked how senior leaders were fighting the phishing problem.

"Technically, we don't have a phishing problem," he was told.

Yes, scores of PayPal customers were inundated daily with fake emails attempting to lure them to fake websites, where they'd be duped out of their personal information - possibly their very identities.

But this fraud was against PayPal customers - not against PayPal itself. In the scheme of risks that could cause financial loss to the company ... this wasn't a huge concern.

On the cocktail party circuit, however, whenever Barrett would introduce himself and say where he worked, he'd routinely hear, "When are you people going to stop sending me those fake emails?"

Clearly, Barrett knew, PayPal did have a phishing problem.

How PayPal has tackled that problem - and how other businesses might benefit from its strategies - was the topic of Barrett's presentation at the RSA Conference on Thursday.

PayPal has fought phishing on several fronts, including:

Education - Static text online or in emails hasn't proven particularly effective, Barrett says, so now PayPal has produced a short video demonstrating exactly how to avoid being phished. This approach seems to resonate with customers, he says.

Email Blocking - PayPal is working with the major Internet service providers to identify and kill phishing emails before they're delivered. In a recent pilot program with Yahoo, the partners were able to block 50 million phishing emails over a several-month period.

Phishing Filter - This can be downloaded onto a browser, popping up with an 'Are you sure you want to go there?' message when suspected phishing links are clicked. Tests show that this method significantly eats into phishing conversion rates.

PayPal Security Key - A small token-like device that authenticates PayPal transactions. This is available now for $5 from PayPal. Card and text-message versions also are being piloted.

One legal hurdle in the phishing fight: When does the crime occur? Is it when the phishing emails are sent, when they're opened, when victims surrender their information, or when the information is used to conduct illegal transactions? Different countries have different answers, Barrett says, and this ambiguity hinders attempts to stop phishers.

Is phishing a solvable crime? PayPal has been able to reduce the volume of phishing email connected to its brand, Barrett says. "But unfortunately we have driven phishers to other people's brands," he says.

"We can't make phishing go away entirely," Barrett says. "But we should be able to drive it down to a lower level of noise."

About the Author

Tom Field


Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.
