I recently got an email from PayPal (an actual one, not a phishing attempt) telling me that they’re changing their email address (subject: “Important Address Change Information from PayPal”).
I noticed this part:
How do I know if an email is really from PayPal?
PayPal emails only come from a ‘paypal.com.au’ or ‘paypal.com’ address. We will always address you by your first name AND last name.
It’s important to note that the first part of this answer is utterly useless from a security point of view. Anyone that knows anything about the Internet will tell you that it is completely trivial to send an email so it looks like it is coming from any email address. Email has no built-in security to stop this from happening.
It’s a little annoying that PayPal focus on that by putting it first, because it’s much, much less of a useful security measure than the second thing they propose – using your first AND your last name. Most email spam/phishing attempts simply attempt to guess your name by deriving it from your email address – for example, if your email address is firstname.lastname@example.org, then they’ll start their email with “Dear David”.
However, there’s (almost) no way to derive your last name in bulk mailing attempts like this – unless you already have that information, like PayPal would if you had an account with them. (I say ‘almost’ because there are fringe cases where spammers could guess your first and last name – for example, if your email address is formatted like email@example.com).
If you’re reading emails and wondering whether or not they’re from who they purport to be, bear in mind that looking at the actual email address is never a good way to do it. You’ll need to look for other clues.
Unless, of course, they’re using PGP or some other mechanism to digitally sign their emails. It boggles my mind that financial institutions aren’t offering this as a matter of course, even if only a handful of people would actually use it.