New scary sign that hackers are still smarter than the Web cops behind site security: PayPal just discovered a flaw in their system that allowed hackers to set up a “legit” URL on the PayPal servers.
Result: You got an email directing you to a real PayPal URL, and every logical test you could give this URL proved it to be one of PayPal’s own, supported on PayPal servers.
However, on this real URL, you were told your account had been compromised, and you needed to go to this other site, right now, to fix things.
And off you went to a Korean scam center, where fleecing began in earnest, apparently. PayPal has zero clue how many people were duped, or how far the damage has gone. (Though they have apparently fixed that particular security flaw, and the Korean hack-site has been shut down. At least that’s the story now on Yahoo! News.)
This is not good, people. A couple of years ago, the first few emails purporting to be from PayPal looked and sounded so real, I contacted PayPal directly to see why my account had been shut down (or whatever action the scam suggested had happened). I was smart enough not to click the link in the email… but I was taken aback at how real the message seemed.
PayPal, back then, shrugged it all off. “Just be careful, and know that no PayPal employee will ever ask for your password.” No one there thought much of the repeated attacks. They didn’t have an official policy regarding these scams.
But it was like a large evil army relentlessly testing the security and vulnerability of the walls of a fortress.
And there is always a way through the locks and gates and walls. Always.
I tell marketers to consider this bet: Who would you put your money on to win — the little Latin American dope farmer trying to get some product into the States (to “starving” crowds eager for delivery)… or the U.S. military guarding the borders, with all their high-tech weaponry, detection devices, security protocol and multi-trillion-dollar budget?
There is always a way in. Always.
This is a double-edged reminder for marketers. First, don’t ever get complacent about your security… and do what you can to keep your customers and prospects aware of the extra steps you take to keep their ordering info safe. It’s not a joke. This is serious. Just like people abandon the stock market after a crash, so too will they think twice about ordering online after a major scam like this.
Second — this is a good lesson for anyone in a crowded niche. No matter how much better funded your competition is, or how many other advantages they have… there is always a way to beat them in the quest for turning prospects into customers.
Online, everyone is equal. IBM cannot spend enough to make their site better than yours (even if you set it up from your kitchen table using freeware, or by hiring an elance.com geek for a hundred bucks)… as long as they insist on ignoring basic salesmanship and good marketing tactics, and you pay attention to what the customer really wants.
In short — find your competitors’ weaknesses, and exploit them. Do what they aren’t doing. (Most of the time, this involves paying more attention to the prospect.)
It’s still the Wild West online, folks.