Tag: report

Reading the Ofcon Report on Social Networking: Stats, Stranger Danger, Perceived Risk [en]

[fr] Le Daily Mail remet ça aujourd'hui, abasourdi de découvrir que les adolescents rencontrent "offline" des étrangers d'internet. Il va donc falloir que j'écrive le fameux billet auquel j'ai fait allusion dernièrement, mais avant cela, je suis en train de lire le rapport sur lequel se basent ces articles alarmés et bien-pensants.

Ce billet contient quelques commentaires sur la situation en général, ainsi que mes notes de lecture -- citations et commentaires -- du début de ce rapport de l'Ofcon.

I don’t know if I’ll get around to writing about the teen cleavage scare before the story goes completely cold, but in my endeavour to offer a balanced criticism of what’s going on here, I’m currently reading the Ofcon Social Networking Report which was released on April 2 and prompted this new wave of “think of the children” media coverage. The Daily Mail is at it today again, with the stunning and alarming news that teenagers are meeting “strangers” from the internet offline (big surprise). I find it heartening, though, that the five reader comments to this article as of writing are completely sensible in playing down the “dangers” regularly touted by the press and the authorities.

Here are the running notes of my reading of this report. I might as well publish them as I’m reading. Clearly, the report seems way more balanced than the Daily Mail coverage (are we surprised?) which contains lots of figures taken out of context. However, there is still stuff that bothers me — less the actual results of the research (which are facts, so they’re good) than the way some of them are presented and the interpretations a superficial look at them might lead one to make (like, sorry to say, much of the mainstream press).

Here we go.

Social networking sites also have
some potential pitfalls to negotiate, such as the unintended consequences of publicly posting
sensitive personal information, confusion over privacy settings, and contact with people one
doesn’t know.

Ofcon SN Report, page 1

Good start, I think that the issues raise here make sense. However, I would put “contact with people one doesn’t know” in “potential pitfalls”. (More about this lower down.)

Ofcom research shows that just over one fifth (22%) of adult internet users aged 16+ and
almost half (49%) of children aged 8-17 who use the internet have set up their own profile on
a social networking site. For adults, the likelihood of setting up a profile is highest among
16-24 year olds (54%) and decreases with age.

Ofcon SN Report, page 5

This is to show that SNs are more popular amongst younger age groups. It makes sense to say that half of 8-17 year olds have a profile on SN site to compare it with the 22% of 16+ internet users or the 54% of 16-24 year olds. Bear in mind that these are percentages of internet users — they do not include those who do not go online.

However, saying “OMG one out of two 8-17 year olds has a profile on a SN site” in the context of “being at risk from paedophiles” is really not very interesting. Behaviour of 8 year olds and 17 year olds online cannot be compared at all in that respect. You can imagine a 16 year old voluntarily meeting up to have sex with an older love interest met on the internet. Not an 8 year old. In most statistics, however, both fall into the category of “paedophilia” when the law gets involved.

27% of 8-11 year olds who are aware of social networking sites say that they have a profile on a site

Ofcon SN Report, page 5

I’d like to draw you attention on the fact that this is 27% of 8-11 year olds who are aware of social networking sites.

Unless otherwise stated, this report uses the term ‘children’ to include all young people aged 8-17.

Ofcon SN Report, page 5

I don’t like this at all, because as stated above, particularly when it comes to concerns about safety one cannot simply lump that agegroup into a practical “children”, which plays well with “child abuse”. In the US, cases of “statutory rape” which might very well have been consensual end up inflating the statistics on “children falling victim to sexual predators online”.

Although contact lists on sites talk about ’friends’, social networking sites stretch the
traditional meaning of ‘friends’ to mean anyone with whom a user has an online connection.
Therefore the term can include people who the user has never actually met or spoken to.
Unlike offline (or ‘real world’) friendship, online friendships and connections are also
displayed in a public and visible way via friend lists.
The public display of friend lists means that users often share their personal details online
with people they may not know at all well. These details include religion, political views,
sexuality and date of birth that in the offline world a person might only share only with close
friends.
While communication with known contacts was the most popular social
networking activity, 17 % of adults used their profile to communicate with
people they do not know. This increases among younger adults.

Ofcon SN Report, page 7

Right. This is problematic too. And it’s not just the report’s fault. The use of “friend” to signify contact contributes to making the whole issue of “online friendship” totally inpenetrable to those who are not immersed in online culture. The use of “know” is also very problematic, as it tends to be understood that you can only “know” somebody offline. Let’s try to clarify.

First, it’s possible to build relationships and friendships (even loves!) online. Just like in pre-internet days you could develop a friendship with a pen-pal, or kindle a nascent romance through letters, you can get to know somebody through text messages, IM, blog postings, presence streams, Skype chats and calls, or even mailing-list and newsgroup postings. I hope that it will soon be obvious to everybody that it is possible to “know” somebody without actually having met them offline.

So, there is a difference between “friends” that “you know” and “SN friends aka contacts” which you might in truth not really know. But you can see how the vocabulary can be misleading here.

I’d like to take the occasion to point out one other thing that bothers me here: the idea that contact with “strangers” or “people one does not know” is a thing worth pointing out. So, OK, 17% of adults in the survey, communicated with people they “didn’t know”. I imagine that this is “didn’t know” in the “offline person”‘s worldview, meaning somebody that had never been met physically (maybe the study gives more details about that). But even if it is “didn’t know” as in “complete stranger” — still, why does it have to be pointed out? Do we have statistics on how many “strangers” we communicate with offline each week?

It seems to me that because this is on the internet, strangers are perceived as a potential threat, in comparison to people we already know. As far as abuse goes, in the huge, overwhelming, undisputed majority of cases, the abuser was known (and even well known) to the victim. Most child sexual abuse is commited by people in the family or very close social circle.

I had hoped that in support of what I’m writing just now, I would be able to state that “stranger danger” was behind us. Sadly, a quick search on Google shows that I’m wrong — it’s still very much present. I did, however, find this column which offers a very critical view of how much danger strangers actually do represent for kids and the harmful effects of “stranger danger”. Another nice find was this Families for Freedom Child Safety Bulletin, by a group who seems to share the same concerns I do over the general scaremongering around children.

Among those who reported talking to people they didn’t know, there were significant
variations in age, but those who talked to people they didn’t know were significantly more
likely to be aged 16-24 (22% of those with a social networking page or profile) than 25-34
(7% of those with a profile). In our qualitative sample, several people reported using sites in
this way to look for romantic interests.

Ofcon SN Report, page 7

Meeting “online people” offline is more common amongst the younger age group, which is honestly not a surprise. At 34, I sometimes feel kind of like a dinosaur when it comes to internet use, in the sense that many of my offline friends (younger than me) would never dream of meeting somebody from “The Internets”. 16-24s are clearly digital natives, and as such, I would expect them to be living in a world where “online” and “offline” are distinctions which do not mean much anymore (as they do not mean much to me and many of the other “online people” of my generation or older).

The majority of comments in our qualitative sample were positive about social networking. A
few users did mention negative aspects to social networking, and these included annoyance
at others using sites for self-promotion, parties organised online getting out of hand, and
online bullying.

Ofcon SN Report, page 7

This is interesting! Real life experience from real people with social networks. Spam, party-crashing and bullying (I’ll have much more to say about this last point later on, but in summary, address the bullying problem at the source and offline, and don’t blame the tool) are mentioned as problems. Unwanted sexual sollicitations or roaming sexual predators do not seem to be part of the online experience of the people interviewed in this study. Strangely, this fits with my experience of the internet, and that of almost everybody I know. (Just like major annoyances in life for most people, thankfully, are not sexual harrassment — though it might be for some, and that really sucks.)

The people who use social networking sites see them as a fun and easy leisure activity.
Although the subject of much discussion in the media, in Ofcom’s qualitative research
privacy and safety issues on social networking sites did not emerge as ‘top of mind’ for most
users. In discussion, and after prompting, some users in the qualitative study did think of
some privacy and safety issues, although on the whole they were unconcerned about them.
In addition, our qualitative study found that all users, even those who were confident with
ICT found the settings on most of the major social networking sites difficult to understand
and manipulate.

Ofcon SN Report, page 7-8

This is really interesting too. But how do you understand it? I read: “It’s not that dangerous, actually, if those people use SN sites regularly without being too concerned, and the media are making a lot of fuss for nothing.” (Ask people about what comes to mind about driving a car — one of our regular dangerous activities — and I bet you more people than in that study will come up with safety issues; chances are we’ve all been involved in a car crash at some point, or know somebody who has.) Another way of reading it could be “OMG, even with all the effort the media are putting into raising awareness about these problems, people are still as naive and ignorant! They are in danger!”. What will the media choose to understand?

The study points out the fact that privacy settings are hard to understand and manipulate, and I find this very true. In doubt or ignorance, most people will “not touch” the defaults, which are generally too open. I say “too open” with respect to privacy in the wide sense, not in the “keep us safe from creeps” sense.

This brings me to a comment I left earlier on an article on ComMetrics about what makes campaigns against online pedophiles fail. It’s an interesting article, but as I explain in the comment, I think it misses an important point:

There is a bigger issue here — which I try to explain each time I get a chance, to the point I’m starting to feel hoarse.

Maybe the message is not the right one? The campaign, as well as your article, takes as a starting point that “adults posing as kids” are the threat that chatrooms pose to our children.

Research shows that this is not a widespread risk. It also shows that there is no correlation between handing out personal information online and the risk of falling victim to a sexual predator. Yet our campaigns continue to be built on the false assumptions that not handing out personal information will keep a kid “safe”, and that there is danger in the shape of people lying about their identity, in the first place.

There is a disconnect between the language the campaigns speak and what they advocate (you point that out well in your article, I think), and the experience kids and teenagers have of life online (“they talk to strangers all the time, and nothing bad happens; they meet people from online, and they are exactly who they said they were; hence, all this “safety” information is BS”). But there is also a larger disconnect, which is that the danger these campaigns claim to address is not well understood. Check out the 5th quote in the long article I wrote on the subject at the time of the MySpace PR stunt about deleting “sex offenders'” profiles.

I will blog more about this, but wanted to point this out here first.

Yes, I will blog more about this. I think this post of notes and thoughts is long enough, and it’s time for me to think about sleeping or putting a new bandage on my scraped knee. Before I see you in a few days for the next bout of Ofcon Report reading and commentating, however, I’ll leave you with the quote I reference in the comment above (it can’t hurt to publish it again):

Now, on the case of internet sex crimes against kids, I’m concerned
that we’re already off to a bad start here. The public and the
professional impression about what’s going on in these kinds of
crimes is not in sync with the reality, at least so far as we can
ascertain it on the basis of research that we’ve done. And this
research has really been based on some large national studies of
cases coming to the attention of law enforcement as well as to large
national surveys of youth.

If you think about what the public impression is about this crime,
it’s really that we have these internet pedophiles who’ve moved
from the playground into your living room through the internet
connection, who are targeting young children by pretending to be
other children who are lying about their ages and their identities and
their motives, who are tricking kids into disclosing personal
information about themselves or harvesting that information from
blogs or websites or social networking sites. Then armed with this
information, these criminals stalk children. They abduct them.
They rape them, or even worse.

But actually, the research in the cases that we’ve gleaned from
actual law enforcement files, for example, suggests a different
reality for these crimes. So first fact is that the predominant online
sex crime victims are not young children. They are teenagers.
There’s almost no victims in the sample that we collected from – a
representative sample of law enforcement cases that involved the
child under the age of 13.

In the predominant sex crime scenario, doesn’t involve violence,
stranger molesters posing online as other children in order to set up
an abduction or assault. Only five percent of these cases actually
involved violence. Only three percent involved an abduction. It’s
also interesting that deception does not seem to be a major factor.
Only five percent of the offenders concealed the fact that they were
adults from their victims. Eighty percent were quite explicit about
their sexual intentions with the youth that they were communicating
with.

So these are not mostly violence sex crimes, but they are criminal
seductions that take advantage of teenage, common teenage
vulnerabilities. The offenders lure teens after weeks of
conversations with them, they play on teens’ desires for romance,
adventure, sexual information, understanding, and they lure them to
encounters that the teams know are sexual in nature with people who
are considerably older than themselves.

So for example, Jenna – this is a pretty typical case – 13-year-old
girl from a divorced family, frequented sex-oriented chat rooms, had
the screen name “Evil Girl.” There she met a guy who, after a
number of conversations, admitted he was 45. He flattered her, gave
– sent her gifts, jewelry. They talked about intimate things. And
eventually, he drove across several states to meet her for sex on
several occasions in motel rooms. When he was arrested in her
company, she was reluctant to cooperate with the law enforcement
authorities.

David Finkelhor, in panel Just The Facts About Online Youth Victimization: Researchers Present the Facts and Debunk Myths, May 2007

Being Lifter 20: I'm the "Star" Networker! [en]

[fr] Après LIFT l'an dernier, un questionnaire a été soumis au participants dans le but de déterminer quel impact la conférence avait eu sur leur réseau. J'y ai répondu, avec 27 autres personnes (un assez petit échantillon, à mon avis). Il se trouve que je suis la "super-réseauteuse" de l'étude. Quelques remarques.

Eleven months ago, I participated and encouraged you to participate in a survey which aimed to map social networking between participants of the LIFT’07 conference. As I was browsing around after submitting my workshop proposal, I saw that the report based on that survey had been published. On the LIFT site, you can see screenshots of the graphs (yes, this is what I call a “social graph”!) before and after the conference.

Go and look.

LIFT'07 Network Mapping Report

Notice the node somewhat to the left, that seems to be connected to a whole bunch of people? Yeah, that’s me. I’m “lifter 20”. How do I know? Well, not hard to guess — I have a rather atypical profile compared to the other people who took the survey.

So, as the “star” networker in this story, I do have a few thoughts/comments on some of the conclusions drawn from the survey. Don’t get me wrong — I think it’s very interesting, and that we need this kind of research (and more of it!) but as Glenn says himself in the 1Mb PDF report, it’s important to bear in mind the limitations of this study. (All the quotes in this blog post are taken form the PDF, unless I say otherwise.)

The limitations of this study needs to be understood before considering the findings: This
study maps networks from the point of view of the 28 participants. Consequently, it is
only a partial map of the networks established at LIFT07.

In this study, I’m the “star” networker: the person with the most connections before and after the conference.

Before the conference, participant Lifter20 had the largest network (59 attendees)
which was increased by 25 attendees after the conference.

Bearing that in mind, I would personally have removed myself from the “average” calculations (I don’t think that was done), because I’m too a-typical compared to the other people in the survey. Typically, I would find it interesting to be given figures with extremes removed here:

There was a large range in the size of the individual networks before LIFT07 (from 0 to
59) and a smaller range in the number of people added to networks after the conference
(from 0 to 28). However, on average, participants had seven people in their network
before LIFT07 and added nine more people after the conference – leading to the
conclusion that people at least doubled their network by attending LIFT07.

As mentioned earlier, 28 people took the survey. I know I’m not the most networked person at LIFT. In my “network of red nodes” (people not in the survey) there are people like Robert Scoble, Stowe Boyd, or Laurent Haug — who clearly did not take the survey, or I wouldn’t be the “star networker” here. So, they are a little red node somewhere in the graph. Which makes me take the following remark with a big grain of salt:

Before the conference, several “red” attendees (i.e. those attendees nominated as
part of the network of the 28 participants) were significant relay nodes in the network
receiving considerable incoming links – notably the red node to the right of Lifter 12
and the red node to the left of Lifter 16. In both cases, the number of links to these
nodes increased after the conference.

What’s missing here is that these red nodes might very well be super networkers like Stowe or Robert. The fact they receive significant incoming links would then take a different meaning: only a very small part of their role in the global LIFT networking ecosystem is visible. (Yes, the study here only talks about a small part of this ecosystem, but it’s worth repeating.)

I think that most heavy networkers are not very likely to fill in such a survey. The more people you know, the more time it takes. I’m easily a bit obsessive, and I think this kind of study is really interesting, so I took the trouble to do it — but I’m sure many people with a smaller network than mine didn’t even consider doing it because it’s “too much work”. I suspect participation in such a survey is skewed towards people with smaller networks (“sure, I just know 5-10 people, I’ll quickly fill it in”).

Here’s a comment about the ratio of new contacts made during LIFT’07:

For example, the “star” networker, Lifter20 has a ratio of 1:0.4. In
other words, for every third person in her existing network, she met one new person.
Whereas, Lifter18 had the highest ratio of 1:7. In other words, for every person in her
existing network, she met seven new people.

I think it’s important to note that, as I said in my previous post about this experiment, knowing many people from the LIFT community beforehand, the increase in my network (proportionally) was bound to be less impressive, than, say, when I came to LIFT’06 two years ago (I basically knew 3 people before going: Anne Dominique, Laurent, Marc-Olivier — and maybe Roberto… and walked out with a ton of new people). I’m sure Dunbar’s number kicks in somewhere too, and I would expect that the more people you know initially, the lower your ratio of new contacts should be.

On page 8 of the survey there is a list of participants and the number of before/after contacts they entered in the survey. So, if you took the survey and have a rough idea of how many people you knew before LIFT, and how many you met there, you should be able to identify who you are.

This is interesting:

The “star” networker, Lifter 20 had seven links to other participants before LIFT07
which grew to ten after the conference, giving her the most central position in the
network of participants.

So, basically, 10 people I know took the survey — out of 28 total. I know I blogged about the survey and actively encouraged people in my network to take it. This would skew the sample, of course, making it closer to “my network at LIFT”. If we know each other and you took the survey, can you identify which number you are? it would be interesting to put faces on the numbers to interpret the data (for me, in any case, as I know the people). For example, if you’re a person I brought to LIFT, chances are your “new connections” will overlap mine quite a bit — more than if you came to LIFT independently.

A chapter of the report is devoted to the “star” networker (in other words, little me).

Interestingly, many of the
people that she connected to, both before and after LIFT07, were not part of the
networks of the other 27 participants of the study, indicating a certain isolation of parts of
her network.

[…]

Before the conference, a significant number of contacts (35) of Lifter20 had no
connections with any of the other 27 participants of the study.

After the conference, a number of contacts (14) made by Lifter20 had no connections
with any of the other 27 participants of the study.

The first remark be turned the other way: maybe all these “unconnected” people are actually quite connected within the “global LIFT network”, and it is the sample of 28 people who answered the survey which have isolated networks. Of course, isolation is a relative notion, but the way things are phrased here makes it look like I have an isolated network… which I don’t really believe to be the case — a great part of my network is actually very interconnected, only it doesn’t show in the graph because the people in question did not take the survey. Friend Wheel for Stephanie Booth - Facebook Friend Relationships My friend wheel (see screenshot) from Facebook gives a better impression of what it looks like. (No, no, I’m not taking this personally! I’m not.)

Lifter20 shares a number of contacts with one other participant (Lifter13 – the blue
node horizontally to the right in the “after” diagram).

Who is Lifter 13? (14 before, met 7 at LIFT’07) Somebody I knew before LIFT’07. I’m curious.

I’d also love to know who Lifter 18 (the “booster” networker) and Lifter 11 (the “clique” networker) were, though the graph indicates I know neither.

In conclusion, I’d say this is a really interesting study, but the anonymized data would gain to be interpreted in the light of who the actual people were and what their networks were like. I think it would allow to evaluate where this kind of analysis works well and works less well.

I think 28 people is a rather small sample for such a study — it’s a pity more people didn’t participate in the survey. How could we motivate people to participate? I think one of the issues, mainly, is that people don’t get anything directly out of participating. So… maybe some goodie incentive for doing it, next time? Also, I remember the interface was a bit raw. What I did is go through the participant list and type the names. It’s almost impossible to just think back at “so, who did I meet at LIFT this year?” — either you’re going to take a stack of business cards your brought home, or you’re going to go through a list and see what names ring a bell.

Maybe the survey organisation could take that into account. Provide participants in the survey with a (searchable, ajaxy) list of attendees with checkboxes. Then you could add smart stuff to help out like Dopplr’s “travellers you may know” (based on a “contacts of your contacts” algorithm).

UK Trip Report [en]

Write-up of my 5-day trip to the UK. Movies with Aleika, Bombay Dreams in London, an IRC meetup.

The nice thing about having a laptop is that you can fire it up on the airplane and type in peace, without being distracted by IRC, instant messaging, e-mail and stats checking, or simple bloghopping. With iTunes in the background playing Bombay Dreams, my only concern is that the plane will start descending towards Geneva shortly.

My trip to the UK was short, and last-minute. I heard some people from #joiito were going to meet up in London on Sunday, I checked my easyjet flights, called Aleika–

“Ladies and Gentlemen, we will be landing shortly in Geneva. Please return to your seats, make sure your seatbelt is fastened and your seat is in the upright position, and switch off any electronic equipment.”

There goes the laptop, and I now find myself with a post which will be hard to date. Anyway. (Warning: this is a “cheese sandwich” post to some extent, so if you’re bored already, don’t bother reading it.)

Where was I? Yes, last-minute trip. I found a friend to house-and-cat-sit for me, which was nice, and spent the first couple of days at Aleika’s. We did our usual “girls at the movies” thing: get dressed up a bit, leave home late, grab some food which doesn’t come fast enough (well, it took long enough to arrive that I drank my pint of cider almost entirely before the meal, and can now testify that it’s all it takes to make my head spin quite a lot), jump into a cab and run to the theatre (slightly inebriated), only to find that the timings on the internet were incorrect, and we have another half-hour to wait before gleefully drooling all over Hugh Jackman in Van Helsing (OK, I got a bit carried away here, but you get the picture).

I got to spend nearly a whole day alone with Akirno, which was really nice. I didn’t get to see him much on my last visits. He’s grown so much! And he talks so much! (Yes, I know, that’s what I say each time I come back from Birmingham.) He’s a real sweetie. I love him very much.

Unfortunately, I caught a cold (over the top of my first one!) waiting for the bus after Van Helsing, so all my pre-London shopping was done in a rather feverish state. Looking at the bright side of things, it means I didn’t spend as much as I might have, which is a good thing, as my suitcase was already quite full enough (and my bank account empty enough, but that’s another story).

Driving to London went fine. We found a parking space right next to the Apollo Victoria Theatre. (Remember: Sunday matinée shows are a good idea if you’re going to London to see a musical or a play.) Bombay Dreams was really fun, specially as I know most of the songs Rahman re-used for the musical.

Still dressed up (I chose the pink dress), I headed for the #joiito meet-up. Despite this nagging feeling of being somewhat overdressed, and my cold, I had a very nice evening.

As always, though, I had to cope with the frustration of group meet-ups: not enough time to talk with everybody, not enough time to get into interesting conversations with those I talk to. Or maybe I’m just more of a one-to-one person? Anyway, standing invitation for any of you who would want to visit the beautiful town of Lausanne or practice French in the area — just drop me a line, or better (since e-mail is soon to be a dead form of communication, thanks to spam), catch me on IRC.

So, who was there? Well, as I’m nearing the ages of senility, I’m probably forgetting a lot of people, so please bear with me if you’re not mentioned, and let me know if it bothers you too much.

First of all, imajes, my kind host, who was so busy taking me through his iTunes collection on the train back that he missed his home stop. (Can it get worse than that?) Suw prevented me from being the only woman present (I can’t thank you enough for that). Joi was so utterly bored by my presence next to him that he left early to go back to his hotel and sleep — imagine that! (Actually, it seems jetlag also had something to do with it…)

I chatted quite a bit on the way there with imsickofmaps, and on the way back with snowchyld. Hugh managed to mess up my first blogcard somewhat (or whatever those things are called), so I am now the lucky owner of two of them. Gerard aka insert-coin took a nice bunch of photographs and has already put them online. I stole Suw’s camera to take a few photographs, but she’s not home yet, and those I took with my phone are stuck in there until I lay my hands on a Windows PC (thanks, Microsoft).

Apart from bumping my head on a couple of low doorways and leaving my coat there, I brought two things back (not literally) from james’ flat: VoodooPad, which I have not adopted as my official scrap-book application, and a book which made me discover a blog (how often has that happened to you?): Never Threaten to Eat Your Co-Workers: Best of Blogs, a collection of great weblog posts. I read a few pages, and it looked really neat. It’s on my wishlist now.

I think this post is long enough, for a short trip!

Paypal Scam Nearly Got Me [en]

How I almost got scammed by people masquerading as PayPal. Remember to always type https://paypal.com in your browser, and never to click links!

I consider myself pretty web-savvy and spam/hoax-aware. Today I very nearly got fooled into giving my PayPal information to some shady characters.

This morning I got an e-mail from PayPal — or so I thought. It looked nice and branded, no spelling or grammar mistakes, security warnings telling me not to give my password or anything to anybody, and even a link inviting me to go and see PayPal’s Security Tips page. It was just asking me to login on the site and check my data there (that’s what I understood then, re-reading it now, it says they will verify the information I have entered, which is much more fishy).

I had already made a mental note of one of the PayPal warnings, which is to not trust any other site than https://www.paypal.com/ (I’m not linking it so as not to encourage you to click on links which seem to point there — you’ll understand why in a minute). Now, remember this was early morning for me (don’t you also check your e-mail in the morning?). I clicked on the login link, and noticed the browser was sending me to a website identified by an IP address (194.183.4.23 in this case). I stopped everything, and clicked the nice blue link that said https://www.paypal.com/us/cgi-bin/cmd=profile-update. The login page looked furiously like the real PayPal login page, and I was about to login with no second thoughts when I noticed the name in the browser bar was http://www.ssl2-paypal.com/support/update.html — not the link I had clicked on!

I had seen this address before, in another “PayPal” e-mail I had got a couple of weeks back. Already then they had managed to fool me, even though the e-mail was less well crafted than this time. I smelled a rat, so finally typed https://paypal.com/ in my browser and logged in there. Nothing special happened.

I dug out the previous e-mail, slightly worried now. You see, although I had been suspicious about this first e-mail, I do remember that I had logged in somewhere. But to this moment I’m not sure if I logged into the fake website or if I had the sense to point my browser to the real PayPal website myself before logging in. I think I did, I hope I did, and in any case I just checked my account for fraudulous activity and changed my password. The first e-mail was really bad, but I was convinced enough that it came from PayPal to forget about it, just making a mental note that their copywriting was really really poor.

This made the second scam e-mail seem all the more real: when I got it, I thought “oh, so that last e-mail must really have been a fake, this is what a real one looks like.” Poor unsuspecting me.

At this point, I still thought the second e-mail was a “real” one, but that the ssl2-paypal people had someway managed to hack a redirect on the official PayPal site. I hadn’t looked at the e-mail source yet, see?

Anyway, I decided to report the first e-mail I had received.

Coming back home at the end of the day, I had an automated response from PayPal regarding my complaint. It again stated all the security measures to take, in particular the one about always typing https://paypal.com in your browser. And I thought: “you doofuses, you had better stop putting clickable links in your e-mails if you want people to get used to typing the address!”

I was going to respond to them with a more politically correct comment in that direction when I went to have a second look at the e-mail (which, I remind you, I still thought legitimate) I had got in the morning. And that is when I realised that the beautiful blue link was in fact a fake link, disguised as a real one. You can put anything in the href attribute of an achor tag — the catch here is that their link looks a lot like the blue links e-mail reading programs create when they encounter plain-text URL’s.

So, there we go. I was nearly caught by those not-that-dumb spammers. Remember the golden rule:

Always TYPE the address in your browser, don’t CLICK on links in PayPal or other e-mails.