I used to joke that once viruses and phishing attacks learned to use correct grammar and no obvious typographical errors, we’d all be in trouble. Well, phishing has reached that point, according to Matt Haughey. He has a picture of a very realistic PayPal scam message.
This reminded me of what I do when I get messages like that: I just glance at the “To” address and then throw them away, because I can easily tell they’re fake. Why? Because I use a special email address for each company I do business with, and if I get a “PayPal” message that isn’t sent to the right address, I know it’s a scam. Only PayPal knows the address I use. I do the same with different addresses for other companies. Here’s an old article I wrote explaining the idea.
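The per-company address check described above can be automated in a mail filter. The following is an added example, not code from the original post; the alias table, domains, function names and sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed table (all values hypothetical): brand -> (sender domain, private alias).
ALIASES = {
    "paypal": ("paypal.example", "pp-7f3k@me.example"),
    "citibank": ("citibank.example", "citi-q9x2@me.example"),
}

def recipients(msg):
    """Every address the message was addressed or delivered to, lowercased."""
    values = []
    for header in ("To", "Cc", "Delivered-To", "X-Original-To"):
        values.extend(msg.get_all(header, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def claimed_brand(msg):
    """Brand the From header claims, by display name or (sub)domain; else None."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, (brand_domain, _) in ALIASES.items():
        if brand in name.lower() or domain == brand_domain or domain.endswith("." + brand_domain):
            return brand
    return None

def classify(raw):
    msg = message_from_string(raw)
    rcpts = recipients(msg)
    brand = claimed_brand(msg)
    if brand is not None:
        # From is trivially forged; the private alias is what the sender must know.
        # "consistent" means only that the sender knew the alias, nothing more.
        if ALIASES[brand][1] in rcpts:
            return "consistent:" + brand
        return "suspect:" + brand + " mail sent to wrong address"
    for other, (_, alias) in ALIASES.items():
        if alias in rcpts:
            # An alias given to one company only is being used by someone else.
            return "leaked:" + other
    return "unknown"

# Constructed sample messages.
PHISH = "From: PayPal <service@paypal.example>\nTo: me@me.example\nSubject: Verify your account\n\nbody\n"
REAL = "From: service@mail.paypal.example\nTo: pp-7f3k@me.example\nSubject: Receipt\n\nbody\n"
LEAK = "From: deals@shop.example\nTo: citi-q9x2@me.example\nSubject: Offer\n\nbody\n"

if __name__ == "__main__":
    for raw in (PHISH, REAL, LEAK):
        print(classify(raw))
```

The "leaked" result is the other signal this scheme provides: mail from an unrelated sender arriving at a company-specific alias shows that the address has escaped that company.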
What we need is an easy way for users who don’t have unlimited email addresses handy to detect phishing attacks. PayPal and Citibank and other commonly scammed companies should set something up, even if it means offering email addresses themselves. It makes more sense to me than each of them offering their own browser toolbar that tells you whether you’ve really reached their site.