Slashdot Mirror


How Well Do Businesses Respond to Phishing Reports?

FuzzyDaddy asks: "When I receive a phishing email, which I find has some new or interesting technique, I will usually forward it to the appropriate abuse department. I recently got one concerning 'my' PayPal account (surprising, since I don't have one), which I forwarded to abuse@paypal.com. I received an automated reply telling me to 'please direct all customer service inquires through our website.' I didn't have time to do that, so I let it go. Is PayPal being irresponsible here? Have others on Slashdot been satisfied with their attempts to report phishing?"

7 of 90 comments

  1. Wrong address. by DrEldarion · · Score: 4, Informative

    PayPal does have an e-mail address to forward them to; it's just not "abuse". Forward the e-mails to spoof@paypal.com. They actually do take these pretty seriously.

    What I like to do until the site gets taken down is to fill out their form with bogus information, then after submitting it, hit the refresh button. It'll ask me if I want to submit the form again, and I'll say "yes". I'll just sit there for a while hitting F5 and enter just to fill their results with bogus crap.

    I know a lot of people actually fall for them. I always tell them that the surefire way to tell if it's a spoof is to put a fake username/password in when prompted. Not only do they then get fake information, but if it gets accepted, you know that the site is fake. I've gotten my whole family to start doing this after my sister fell for one.

    1. Re:Wrong address. by TFGeditor · · Score: 4, Informative

      Ditto for eBay--spoof@ebay.com.

      Always include original full headers.

      You might also want to submit phishing scams to reportphishing@antiphishing.org.

      --
      Ignorance is curable, stupid is forever.
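
An added example, not part of any comment in this thread and not code from PayPal, eBay or antiphishing.org: one way to follow the "always include original full headers" advice is to attach the untouched message as `message/rfc822` instead of forwarding it inline, since an inline forward usually keeps only a summary of the headers. The sample message, the `example.*` domains and the function names are constructed for illustration; the report addresses are the ones given in the comments above.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Reporting mailboxes named in the comments above.
REPORT_TO = {"paypal": "spoof@paypal.com", "ebay": "spoof@ebay.com"}
FALLBACK = "reportphishing@antiphishing.org"

# Constructed sample phish (not a real message); example.* are placeholders.
SAMPLE_PHISH = (
    b"Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
    b"\tby mx.example.org; Mon, 01 Jan 2007 10:00:00 +0000\r\n"
    b"From: \"PayPal Security\" <service@example.net>\r\n"
    b"To: victim@example.org\r\n"
    b"Subject: Your account has been limited\r\n"
    b"Message-ID: <abc123@mail.example.net>\r\n"
    b"\r\n"
    b"Please confirm your password at http://login.example.net/\r\n"
)

def pick_mailbox(original):
    """Choose a report address from the brand named in From/Subject."""
    sender = str(original.get("From", ""))
    subject = str(original.get("Subject", ""))
    text = (sender + " " + subject).lower()
    for brand, addr in REPORT_TO.items():
        if brand in text:
            return addr
    return FALLBACK

def build_report(raw_bytes, reporter):
    """Wrap the untouched original as a message/rfc822 attachment."""
    original = message_from_bytes(raw_bytes, policy=policy.SMTP)
    report = EmailMessage(policy=policy.SMTP)
    report["From"] = reporter
    report["To"] = pick_mailbox(original)
    report["Subject"] = "Phishing report: " + str(
        original.get("Subject", "(no subject)"))
    report.set_content(
        "Suspected phishing message attached with full original headers.")
    # Attaching the parsed message keeps Received, Message-ID and all
    # other header lines, which an inline forward would drop.
    report.add_attachment(original)
    return report
```

The returned message can be handed to `smtplib.SMTP.send_message()` or written out with `as_bytes()` and sent from a mail client.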
  2. Paypal security center - "Alert us to fraud" by arb · · Score: 5, Informative

    Fake Email/Website (Spoof, Phishing)

    PayPal, eBay, Amazon, etc. all have pretty good security centres. I am surprised that abuse@paypal.com gave that automated reply, but if you visit their website the security centre is pretty easy to find. You might not get a personalised response to your report because they get so darn many reports, but they do follow through on all reports.

    1. Re:Paypal security center - "Alert us to fraud" by arb · · Score: 3, Informative

      In what way? Given that they actually link to PayPal's security centre and seem to be recommending that recipients of phishing attacks report them to PayPal (and other relevant agencies) I would take that to imply that they agree with me.

      I'm not a fan of PayPal by any means (I refuse to use PayPal myself) but I do know that they (and parent company eBay) take phishing reports seriously.

  3. Outside of the actual businesses by BMIComp · · Score: 3, Informative

    You could always report it to CERT (US Computer Emergency Readiness Team) or the FBI's Internet Crime Complaint Center.

  4. RFC Violation by strredwolf · · Score: 3, Informative

    PayPal's been dropping anything that comes to abuse@, which not only is an RFC violation (and there's a DNSBL of those), but is part of a slow trend of ISPs and other similar service providers to kill off abuse@ and postmaster@.

    --
    # Canmephians for a better Linux Kernel
    $Stalag99{"URL"}="http://stalag99.net";
  5. from the other side by rritterson · · Score: 3, Informative

    Just before I started working at my current job, our webserver was hacked and used as an eBay phishing site. It didn't take long before our offices were getting personal calls from agents at the FBI and urgent contact from the ISP who runs our node.

    Suffice it to say we took action ASAP. I have a feeling they would have forced us to do something about it if we dragged our feet. I'm assuming they do the same for other reports they receive.

    --
    -Ryan
    AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)