This is one to watch out for, since it's quite clever. I was out on a course yesterday and checked my mail via my iPhone and saw that I'd got an email from PayPal. Happens quite often, and this one said that my account had been limited due to some irregularities. Normally I'd have discounted this, since Google is pretty good at catching spam and phishing attempts, but there it was, in my inbox. I'd also used my account recently to buy something slightly out of my usual run-of-the-mill eBay purchases, so I wasn't actually surprised. Also the 'limited' - not blocked, not suspended, just limited. Very reasonable language. When I got home I looked at the email - this was what I saw in the inbox:
Looks reasonable doesn't it? Except that Google is quite good about indicating the validity of senders, because everything else that I get from PayPal looks like this:
See the little key? It's an authentication logo. Google describe it thus: "Displays a key icon next to authenticated messages from certain senders that spammers attempt to fake. Currently works for mail from PayPal and eBay only." (If you use Gmail, click on the little green lab flask top right; it's one of the options you can add to your settings.)
So I knew immediately that this was a fake. Opening up the email, however, it still looks reasonable. I quote:
"As part of our security measures, we regularly screen activity in the PayPal system. During a recent screening, we noticed an issue regarding your account.

We have reason to believe that your account was accessed by a third party.

We have limited access to sensitive PayPal account features in case your account has been accessed by an unauthorised third party. We understand that having limited access can be an inconvenience, but protecting your account is our primary concern.

Reference Number: PP-000-986-257-397

We've limited access to your account temporarily. We'll review the limitation once you respond with the information we've requested.

We have attached a form to this email. Please download the form and follow the instructions on your screen. NOTE: The form needs to be opened in a modern browser which has javascript enabled (ex: Internet Explorer, Firefox, Netscape)

Thank you for helping to resolve this problem.

Yours sincerely,
PayPal Account Review Department

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click the Help link in the top right corner of any PayPal page."
I carried on looking at the email - Google gives you the option to show more details, which are:
From a quick look it tallies - but looking closer, this has actually come from paypai: instead of the lowercase l we've got a lowercase i, which, if you didn't look closely, could easily be missed. I checked the ownership details for paypai.co.uk, which didn't tell me a great deal.

I also looked at the full headers for the email (Gmail gives you an option to show all, which includes this stuff, and there's a handy guide on how to read them as well), which told me the IP address of the sender, and I was able to track this back to an internet company in the US. I then followed it back even further to another system (using the IP address again), and amazingly enough was able to get fairly far into the server without a password - to the point of checking specific users - although there was nothing terribly helpful there. However, that's by the by.
Back to the email. There was a 'form' attached to the email, which had to be opened in a 'modern' browser, as mentioned in the main body of the thing. Now, if it's an HTML form, which it was, rather than just a text file, it could link to any kind of code, and perhaps I'm ultra cautious, but there was no way I was going to open that! I did try it on the iPad, but just got a blank screen. I did run a check on the various reference numbers listed, and found one reference; the chap who wrote about it had received the same email that I got, only he did open up the form, and was met with a request for credit card details. Doubtless these would go back somewhere, and while that might provide more information, I'm not that interested.
Of course - what I did before any of the above, was to open a new browser tab and type in the PayPal address myself. With stuff like this I always type in the address myself; I don't rely on clicking addresses in emails since they're not always what they seem. Of course, I logged directly into my PayPal account without a problem, since there wasn't one!
It was a very professional scam - the language was reasonable, wasn't over the top and cleverly made use of an address that was very close to the original. Fortunately I wasn't taken in, since I just went straight to PayPal and then explored further. I was surprised that Google actually let it slip through in the first instance, but the verification icon (or lack of it) clearly indicated it wasn't what it said. So - if you get anything like this yourself, I would suggest:
1. Don't panic.
2. Go to the appropriate site (PayPal, eBay, Bank etc) by opening up a new window and typing in the URL yourself - if there is a problem with your account you'll find out soon enough that way, and can take appropriate steps.
3. Check the headers if you're still not sure: does the sending address actually match the real domain (look for lookalikes such as paypai for paypal), and does the mail carry the sender authentication that the genuine ones do? The visible From line on its own is easy to spoof.
4. Don't open any attachments, especially HTML 'forms' - an HTML file can run script and send whatever you type into it straight to the scammer.
5. Obviously (please - it is obvious isn't it?) don't give anyone any credit card details, passwords, nothing.
6. If you're still unsure, do nothing - send a copy of the email to the appropriate organisation and ask if they sent it to you.
I reported the email to Gmail as a phishing attempt and sent copies of it back to the service provider. Will anything come of it? Doubtful.
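A small triage script for the checks described above (the missing authentication icon, the paypai lookalike domain, the sender IP from the headers, and the attached HTML 'form'), added here as an illustration and not something from the original post. It takes a raw message, pulls the sender domain out of the From header and folds look-alike characters so that 'paypai' is recognised as a stand-in for 'paypal', reads the Authentication-Results header that mail providers use to record SPF/DKIM verdicts (the basis of Gmail's key icon), walks the Received headers to find the first non-internal IP, and lists any attached HTML or executable files. Both messages inside it are constructed: paypai.co.uk is the domain the email came from, but the host names, addresses, IDs and the genuine-looking comparison mail are made up, and the confusable table and the list of known brand domains are assumptions for this example.

```python
"""Triage a suspicious 'PayPal' mail from its raw headers and MIME structure.

Added example, not code from the original post.  Both sample messages are
constructed: paypai.co.uk is the domain the post found; host names, IPs,
ids and the 'genuine' comparison mail are made up for illustration."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# ASCII sequences that read alike at a glance.  Assumption: enough for the
# 'paypai' case here; Unicode homoglyphs would need a much larger table.
CONFUSABLES = {"i": "l", "1": "l", "0": "o", "rn": "m", "vv": "w"}
# Assumed list of genuine domains for the brand being impersonated.
KNOWN_BRANDS = {"paypal": {"paypal.com", "paypal.co.uk"}}
# Hops in these ranges are internal relays, not the sending machine.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RISKY = (".html", ".htm", ".js", ".exe", ".zip")

PHISH = b"""\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby mail.gmail.example with ESMTP id A1; Tue, 06 Jul 2010 10:00:00 +0000
Received: from localhost (localhost [127.0.0.1])
\tby mx.example.net with ESMTP id B2; Tue, 06 Jul 2010 09:59:58 +0000
From: "PayPal" <service@paypai.co.uk>
Subject: Your account has been limited
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

We have attached a form to this email. Please download the form.
--b1
Content-Type: text/html; name="form.html"
Content-Disposition: attachment; filename="form.html"

<html><body><form action="http://203.0.113.7/collect" method="post"></form></body></html>
--b1--
"""

GENUINE = b"""\
Received: from mx1.paypal.example (mx1.paypal.example [198.51.100.9])
\tby mail.gmail.example with ESMTPS id C3; Tue, 06 Jul 2010 10:00:00 +0000
Authentication-Results: mail.gmail.example; spf=pass smtp.mailfrom=paypal.co.uk;
\tdkim=pass header.i=@paypal.co.uk
From: "PayPal" <service@paypal.co.uk>
Content-Type: text/plain; charset=us-ascii

We noticed unusual activity. Log in to PayPal and open the Resolution Centre.
"""

def canonical(label):
    """Fold confusable sequences: 'paypai' and 'paypa1' both become 'paypal'."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label

def classify_domain(domain):
    """'genuine' if the domain is (under) a known brand domain, 'lookalike'
    if one of its labels only passes for the brand after confusable folding."""
    for brand, genuine in KNOWN_BRANDS.items():
        if domain in genuine or domain.endswith(tuple("." + g for g in genuine)):
            return brand, "genuine"
        if any(lab != brand and canonical(lab) == brand for lab in domain.split(".")):
            return brand, "lookalike"
    return None, "unknown"

def auth_results(msg):
    """spf/dkim/dmarc verdicts; {} when the header is missing (no key icon)."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            found[method.lower()] = verdict.lower()
    return found

def originating_ip(msg):
    """Relays prepend Received headers, so the bottom one is the first hop."""
    for hdr in reversed(msg.get_all("Received", [])):
        for ip in IP_RE.findall(hdr):
            if not any(ipaddress.ip_address(ip) in net for net in INTERNAL):
                return ip
    return None

def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    brand, verdict = classify_domain(domain)
    auth = auth_results(msg)
    attachments = [p.get_filename() for p in msg.iter_attachments()
                   if (p.get_filename() or "").lower().endswith(RISKY)]
    findings = []
    if verdict == "lookalike":
        findings.append(f"sender domain {domain} only passes for {brand} at a glance")
    if verdict == "genuine" and auth.get("dkim") != "pass":
        findings.append(f"{brand} mail normally carries a DKIM pass; this one does not")
    if attachments:
        findings.append("active content attached: " + ", ".join(attachments))
    return {"sender_domain": domain, "verdict": verdict, "auth": auth,
            "origin_ip": originating_ip(msg), "attachments": attachments,
            "findings": findings, "suspicious": bool(findings)}
```

Calling triage(PHISH) flags the lookalike domain and the HTML attachment and reports no authentication results at all, while triage(GENUINE) comes back clean with spf and dkim both passing. One caveat worth keeping in mind: a DKIM pass only proves the mail really came from the domain named in the signature, so a scammer's lookalike domain can perfectly well pass DKIM for itself. That is why the script classifies the domain first and only treats a missing or failed DKIM result as a finding when the domain claims to be the genuine one.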

Phil, not only that, the language is identical to genuine PayPal emails on the same topic - except the genuine emails tell you to log in to the website, not complete a form.
Posted by: Simon Chamberlain | July 07, 2010 at 02:51 PM
Thanks for this detailed posting, Phil. Excellent advice re: avoiding any sort of attachment or URL link in the email. Though I wonder if one of these days there might be some loophole that scammers will start to exploit, where even typing the URL in the same browser session won't be safe anymore. Maybe by then services like PayPal or eBay will start issuing security tokens.
Posted by: Ivan Chew | July 07, 2010 at 06:18 PM