Michael Barrett
Michael Barrett
While estimates vary on the volume of phishing emails sent around the world everyday, there is no debating the fact that they have become a modern day scourge. At their most innocuous, phishing emails are annoying, but if criminals manage to con you into disclosing your private financial information they're downright dangerous.

Phishing is an industry issue — fraudsters target the largest and most popular brands on the net. Because of the size of our customer base, and the fact that our system is designed to make it easy to move funds to most places on the planet, PayPal has been a popular target for criminals. This has irritated our customers, who have told us that they want us to stop “all those PayPal emails.” Therefore, some time ago we decided to be proactive in the fight against phishing.

Security on the internet is a classic arms race, and criminals are always looking for new ways to steal money from consumers and companies. To stay ahead, we've dedicated resources to protect our
customers — and help them protect themselves — from phishing and other forms of e-crime. It's clear that there's no single “silver bullet,” only a series of layered defenses.

First, we focus on consumer education. Then there's technology. Our anti-fraud systems are industry-leading and help us detect unusual activity the moment it happens — often before it affects customers. We employ detection tools and agents to identify and take down spoof websites, and give our customers additional ways to add more protection to their accounts.

I've often said that the best way to protect consumers is to prevent phishing emails getting into their inboxes in the first place, and we're making great progress on this front. In October of last year, PayPal, Yahoo! and eBay announced a collaborative effort to better protect consumers against fraudulent emails and phishing attacks. Yahoo! became the first web mail service to block these types of malicious messages through the use of DomainKeys email authentication technology.

DomainKeys uses cryptography to verify the domain of the email's sender. It lets email providers validate an email's originating domain, making it effectively impossible for a criminal to forge email purporting to originate at paypal.com.

However, all ISPs should step up and adopt this or similar technology solutions that prevent criminals from preying on consumers. We have an opportunity to stop phishing at the source — by preventing it from ever getting into a consumer's inbox. It's an opportunity we need to take collectively. The old adage says it best: “United we stand, divided we fall.”


30 SECONDS ON...
New technologies
PayPal CISO Michael Barrett says  his company continues to innovate around authentication. “Over time, we expect to introduce the [two-factor] Security Key in additional markets, as well as in new form factors and technology types.”

Collaboration process
Phishing is an industry issue that requires a combined effort from industry, law enforcement and consumers alike, says Barrett. “The good news is that the collaboration required to make a dent in this problem has started to take place.”

ISP is the place to be
Barrett says that Yahoo!'s decision to block fraudulent email technology was an aggressive step forward in protecting customers' email accounts. “It's great to see an ISP so committed to online safety,” he says.

Adoption is key
Offering a solution is only the first step in safeguarding email, says Barrett. While digital email signing/blocking may sound like an ideal solution, it is only partially useful unless a clear majority of email providers adopt it.