Fighting phishing with eBay and PayPal
July 8th, 2008 | Published in Gmail (Google Mail)
Phishing messages are a form of spam that attempt to deceive recipients to gain access to their personal information. A classic one is a message that appears to come from PayPal and attempts to get someone's PayPal password in order to drain his or her account. These fraudulent messages often look very official and can fool people into responding with personal information.
Gmail does its best to put a red warning label on phishing messages, but it can be hard for us to know sometimes and we can't be 100% perfect. So, for the fraction of a time when Gmail misses it, you may end up squinting three times and turning the message sideways before suspecting that it's phishing. Wouldn't it be better if you never saw phishing messages at all, not even in your spam folder? Since 2004, we've been supporting email authentication standards including DomainKeys and DomainKeys Identified Mail (DKIM) to verify senders and help identify forged messages. This is a key tool we use to keep spam out of Gmail inboxes. But these systems can only be effective when high volume senders consistently use them to sign their mail -- if they're sending some mail without signatures, it's harder to tell whether it's phishing or not. Well, I'm happy to announce today that by working with eBay and PayPal, we're one step closer to stopping all phishing messages in their tracks.
Now any email that claims to come from "paypal.com" or "ebay.com" (and their international versions) is authenticated by Gmail and -- here comes the important part -- rejected if it fails to verify as actually coming from PayPal or eBay. That's right: you won't even see the phishing message in your spam folder. Gmail just won't accept it at all. Conversely, if you get an message in Gmail where the "From" says "@paypal.com" or "@ebay.com," then you'll know it actually came from PayPal or eBay. It's email the way it should be.
eBay and PayPal have worked hard to ensure that all their email is signed with DomainKeys and DKIM. Armed with this information, Gmail can easily reject as a fake anything that doesn't authenticate. We've been testing this for a few weeks now and it's working so well that few people really noticed.
We think it's great that PayPal and eBay have taken on the challenge of securing email, and we're pleased to have put our best efforts together to make this work. It's a bold move, but one that will really help fight phishing. Our hope is that this will set a good example for other organizations to follow (yes, it can be done!) and that over time more and more email will become trustworthy.