August 04, 2004

When is a phish not a phish?

When it's a class action payout! Yep, Paypal got into a mess when it had to mail out notifications to many users announcing a class action payout and encouraging them to ... you guessed it, click on the link and register their details.

August 3, 2004
Mass Action on PayPal Settlement Site
By Susan Kuchinskas

An awful lot of people want a piece of PayPal. They overwhelmed a site offering a minimum of $50 to anyone with an account, the result of a class action suit.

The site went live in late July, after the United States District Court for the Northern District of California in San Jose approved a $9.25 million settlement in a class action suit alleging that the online payment platform owned by eBay unreasonably restricted, froze or closed customer accounts.

Under the terms of the settlement, anyone who had a PayPal account from October 1, 1999 to January 31, 2004 can receive up to $50 by filing a short form; those who went through PayPal's dispute resolution process or want to claim a higher damage award fill out a longer form and receive a portion of the $5.92 million left after the attorneys are paid.

Although claims must be submitted online, the site at times was unavailable or extremely slow, and some e-mails requesting information bounced.

A notice on the index page reads, "The website is experiencing delays and other problems due to an extremely high volume of traffic." Noting that the deadline for submitting claims isn't until October 23, it advises people to check back in a week or so.

Aside from the sheer volume of hits on the site, there were other glitches: The online form refuses to accept e-mail addresses that contain hyphens or multiple periods, and some people were unable to print the required certification firm, which must be mailed.

"The PayPal settlement site is being hosted by a company hired by the plaintiffs' side of the agreement," said a PayPal spokesperson. "They are aware of the issues with this site and have been working to get them fixed. We've done everything on our end to assist with that, but ultimately it's their site."

While some claimants had difficulty using the site, others worried about whether they should even click on the link in the PayPal e-mail. Internet users are right to be wary of e-mails purporting to be from PayPal. It's been one of the top victims of phishing schemes.

Phishers try to lure the unsuspecting to phony sites that mimic those of reputable companies. Once there, they're asked to input credit card, Social Security and bank account numbers that the fraudsters then exploit.

Most e-mail users receive a relentless barrage of fake PayPal requests to "Update your account immediately!" So, when present and former PayPal account holders received notice last Friday that the company was ready to pay up, it might have seemed a little dodgy.

The link in the e-mail read "," but it redirected surfers to the somewhat spam-sounding That site is hosted by a company with the suspiciously generic-sounding moniker "The Garden City Group."

It's for real, said A.J. De Bartolomeo, one of the lead attorneys in the suit. "This Web site is the official and only official Web site," she said.

De Bartolomeo, a principal in the San Francisco law firm of Girard Gibbs & De Bartolomeo, said all elements of the settlement site and notification e-mails were carefully considered in light of the phishing problem.

Regarding the settlement site's URL, "We realized that using PayPal in the actual Web address might make people think it was a scam," she said. "So we tried to do something that was descriptive. It's an online payment service, and this is the settlement for it."

On the other hand, PayPal sent out the notification e-mails, rather than a third party, she said, because "an e-mail notice from a third party would look a lot like a spoof." Including a link to PayPal's site, which redirected surfers to the Garden City site, she added, "seemed the best way to have the highest legitimacy possible for people who are, for a lot of reasons, suspicious. No notice program is ever perfect," she said.

According to the June Phishing Attack Trends Report from the Anti-Phishing Working Group, Tumbleweed Communications and Websense, in that month there were 1,422 new, unique phishing attacks, a 19 percent increase over the 1,197 attacks reported in May.

Girard Gibbs & De Bartolomeo has several other class action suits against technology companies in the works. It recently filed a class action against Apple Computer on behalf of iPod owners whose batteries have died or lost their ability to hold a charge.

De Bartolomeo said that so far, response to the PayPal settlement has been about what she expected. A judgment won by the firm against MCI (Quote, Chart) for overcharging, in which claims could be filed via paper, the Internet or the telephone, garnered an 8 percent claim rate, while a recent settlement with Hyundai Motor Co. for overstating the horsepower of vehicles drew a whopping 23 percent of eligible claimants. De Bartolomeo said it's too early to tell whether the ability to file claims online combined with widespread consumer Internet use might up the average claim rate.

The PayPal settlement will be a good test.

Posted by iang at August 4, 2004 01:11 PM | TrackBack