This is one to watch out for, since it's quite clever. I was out on a course yesterday and checked my mail via my iPhone and saw that I'd got an email from PayPal. Happens quite often, and this one said that my account had been limited due to some irregularities. Normally I'd have discounted this, since Google is pretty good at catching spam and phishing attempts, but there it was, in my inbox. I'd also used my account recently to buy something slightly out of my usual run-of-the-mill eBay purchases, so I wasn't actually surprised. Also the 'limited' - not blocked, not suspended, just limited. Very reasonable language. When I got home I looked at the email - this was what I saw in the inbox:
See the little key? It's an authentication logo. Google describe it thus: "Displays a key icon next to authenticated messages from certain senders that spammers attempt to fake. Currently works for mail from PayPal and eBay only." (If you use Gmail, click on the little green lab flask top right, it's one of the options you can add to your settings.)
So I knew immediately that this was a fake. Opening up the email however, it still looks reasonable. I quote:
"As part of our security measures, we regularly screen activity in the
PayPal system. During a recent screening, we noticed an issue regarding
We have reason to believe that your account was accessed by a third party.
We have limited access to sensitive PayPal account features in case your
account has been accessed by an unauthorised third party. We understand
that having limited access can be an inconvenience, but protecting your
account is our primary concern.
Reference Number: PP-000-986-257-397
We've limited access to your account temporarily .We'll review the
limitation once you respond with the information we've requested.
We have attached a form to this email. Please download the form and
follow the instructions on your screen. NOTE: The form needs to be opened
Thank you for helping to resolve this problem.
PayPal Account Review Department
Please do not reply to this email. This mailbox is not monitored and you
will not receive a response. For assistance, log in to your PayPal account
and click the Help link in the top right corner of any PayPal page. "
I carried on looking at the email - Google gives you the option to show more details, which are:
From a quick look it tallies - but looking closer, this has actually come from paypai - instead of the lowercase l we've got a lower case i which if you didn't look closely could have been missed. I checked the details of ownership for paypai.co.uk which didn't tell me a great deal. I also looked at the full headers for the email (Gmail gives you an option to show all which includes this stuff, and there's a handy guide on how to read them as well) which told me the IP address of the sender, and I was able to track this back to an internet company in the US. I then followed it back even further to another system (using the IP address again), and amazingly enough was able to get fairly far into the server without a password - to the point of checking specific users - although there was nothing terribly helpful there. However, that's by the by.
Back to the email. There was a 'form' attached to the email, which had to be opened in a 'modern' browser, as mentioned in the main body of the thing. Now, if it's an HTML form, which it was, rather than just a text file, it could link to any kind of code, and perhaps I'm ultra cautious, but no way was I going to be opening that! I did try it on the iPad, but just got a blank screen. I did run a check on the various reference numbers listed, and did find one reference and the chap who wrote about it had the same email that I got, only he did open up the form, only to get a request for credit card details. Doubtless these would go back somewhere, and while that might provide more information, I'm not that interested.
Of course - what I did before any of the above, was to open a new browser tab and type in the PayPal address myself. With stuff like this I always type in the address myself; I don't rely on clicking addresses in emails since they're not always what they seem. Of course, I logged directly into my PayPal account without a problem, since there wasn't one!
It was a very professional scam - the language was reasonable, wasn't over the top and cleverly made use of an address that was very close to the original. Fortunately I wasn't taken in since I just went straight to PayPal and then explored further. I was surprised that Google actually let it slip through in the first instance, but the verification icon (or lack of) clearly indicated it wasn't what it said. So - if you get anything like this yourself I would suggest:
1. Don't panic.
2. Go to the appropriate site (PayPal, eBay, Bank etc) by opening up a new window and typing in the URL yourself - if there is a problem with your account you'll find out soon enough that way, and can take appropriate steps.
3. Check out any headers if you're still not sure - does the sending address actually match, since it's easy to spoof these things.
4. Don't open any attachments.
5. Obviously (please - it is obvious isn't it?) don't give anyone any credit card details, passwords, nothing.
6. If you're still unsure, do nothing - send a copy of the email to the appropriate organisation and ask if they sent it to you.
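The header check in step 3 can be automated. The sketch below is an added example, not part of the original post: it parses a constructed set of headers modelled on the message described above and flags a sender domain that sits one character away from a known brand. The TRUSTED allowlist and the sample addresses are assumptions made for the illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist for this example: sender domain -> brand it belongs to.
TRUSTED = {"paypal.com": "paypal", "paypal.co.uk": "paypal",
           "ebay.com": "ebay", "ebay.co.uk": "ebay"}
BRANDS = sorted(set(TRUSTED.values()))

# Constructed sample headers, modelled on the email described in the post.
SAMPLE = """\
From: "PayPal" <service@paypai.co.uk>
To: reader@example.com
Subject: Your account has been limited

We have limited access to your account.
"""

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain):
    """Return (verdict, brand): trusted, lookalike or unrelated."""
    domain = domain.lower().rstrip(".")
    for good, brand in TRUSTED.items():
        if domain == good or domain.endswith("." + good):
            return "trusted", brand
    # Not on the allowlist: any label equal to, or one edit away from,
    # a brand name (paypai vs paypal) is treated as impersonation.
    for label in domain.split("."):
        for brand in BRANDS:
            if edit_distance(label, brand) <= 1:
                return "lookalike", brand
    return "unrelated", None

def check_message(raw):
    """Inspect the From header of a raw message and report the findings."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    verdict, brand = classify_domain(domain)
    # The display name claims a brand that the address does not back up.
    claims_brand = any(b in display.lower() for b in BRANDS)
    return {"domain": domain, "verdict": verdict, "brand": brand,
            "display_mismatch": claims_brand and verdict != "trusted"}

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

A one-character threshold catches the i-for-l swap seen here; longer brand names may justify a looser threshold at the cost of more false positives.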
I reported the email to Gmail as a phishing attempt and sent copies of it back to the service provider. Will anything come of it? Doubtful.