A letter from VeriSign Payment Services: “On March 11, 2004, VeriSign was made aware of a situation where an email, purporting to be from VPS Support, asked customers of our services to confirm their Partner ID, Merchant Login, and company name. This email (Subject: Confirmation of your VeriSign Payflow Account) originated from an unauthorized individual who spoofed a VeriSign email address to make the communication look legitimate. Customers receiving this email were asked to click on a link that would send them to a confirmation site that would then collect Merchant information.
“Incidents of this nature, where someone attempts to secure sensitive information through these means, are referred to as Phishing scams. Unfortunately, Phishing scams are becoming more and more prevalent on the Internet.
“Within an hour of learning about this situation, VeriSign had the Internet Service Provider (ISP) shut down the site attempting to collect merchant information. We are working with the ISP and the authorities to gain access to site data, in an attempt to ascertain if any damage has been caused.
“Please note that compromise of a merchant’s data could only have resulted if a merchant had clicked on the link provided in the spoofed email and provided information. If your company did not respond to this email, your account is safe and no further steps are needed. However, if you clicked on the link and provided your information, then it is possible that an unauthorized person has acquired personal information about you as well as your account access information that was stored on our computer systems. If you fear that your information has been compromised, please contact us immediately… and our support team will work with you to address and fix the problem.
“We would like to emphasize that VeriSign will never ask for you to confirm your Login ID, Partner ID or password via email, or ask for any personal information. Never give your password to anyone and only log in at https://XXXXX.XXXXX.XXX. Protect yourself against fraudulent web sites by checking the URL/Address bar and by clicking on the Secure Site Seal to validate the site every time you log in and before entering any sensitive information. Our customer support staff is available to assist you with your accounts.”
Verisign finally does a Good Thing. Kudos for the quick response.
March 17, 2003 Update: After Aaron Rodden’s findings, we’re putting those kudos on hiatus.
