  • #2179161

    Gone phishin’

    Locked

    by m_a_r_k ·

    I got an email from PayPal today telling me that I need to update my account by providing a debit/check card account number. However, the email has a couple of misspelled words in the first paragraph. That made me suspicious at first. On further investigation, the email [b]appears[/b] to be legitimate and the links it forwards you to [b]appear[/b] to be to the real PayPal website. (Though I don’t know how to tell for sure). I find it pretty incredible that a company like PayPal would misspell words in an official correspondence concerning a serious matter like financial accounts. Like I said, from what I can tell this does appear to be really from PayPal but I am leery because of the misspelled words. From what I know about phishing, misspelled words are a tipoff that something is amiss. With the clients I sometimes interact with in my job misspelled words on official documentation are a HUGE no-no, so I can pick them out at the blink of an eye. I am not going to be updating any account information with PayPal until I actually make a transaction using them (which is very rare). Maybe I’m being overly careful because I got one of my credit cards stolen a couple of days ago.

    After all this, my questions are: 1) Do you know anyone who has fallen for a phishing scam? (Would you admit it if you have?) The phishers must be hoodwinking at least a few people because phishing is not abating. 2) How can you tell if you are being phished? I would think that a link to a “http” web page rather than a “https” web page would be a clue but that’s not always the case. Phisherman can be pretty smart in building a clone web page.

    FYI, below is the first paragraph of the email from PayPal. I have boldfaced the misspelled words (“attion” should be “attention” and “non existant” should be “nonexistent”).

    [i]
    Dear valued PayPal? member,

    Due to recent fraudulent transactions, we have issued the following security requirements.
    It has come to our [b]attion[/b] that 98% of all fraudulent transactions are caused by members using stolen credit cards to purchase or sell [b]non existant[/b] items. Thus we require our members to add a Debit/Check card to their billing records as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. Your Debit/Check card will only be used to identify you. If you could please take 5-10 minutes out of your online experience and renew your records you will not run into any future problems with the PayPal? service.[/i]


All Comments

    • #3136399

      M_a_r_k — DON’T REPLY – You ARE being phished! Don’t Bite!

      by maxwell edison ·

      In reply to Gone phishin’

      PayPal, ebay, banks, credit card companies, and other such businesses will NEVER send an email requesting that kind of personal information — never.

      I’m an active ebay seller (and sometimes buyer), and I use PayPal a lot. I’ve seen these emails more times than I can count. I always report it to the appropriate department. spoof@paypal.com or spoof@ebay.com (I think these are the email addresses. If not, there’s a link at the legitimate site.)

      So, yes, you are being phished. There’s no doubt about it.

      Have I, personally, ever fallen for one?

      Part of my job is to train the office staff on various IT issues and functions, and we have monthly meetings to facilitate the training. One of my regular subjects is to show the latest and greatest phishing schemes going around, and I often-times use the ones I receive as examples. It’s really a fun exercise to do, as other people speak up about the different ones they’ve received. It’s a great way to keep the issue in the front of everyone’s mind. Keep driving the issue home, and people are less likely to fall for it.

      I received an email not too long ago from the president of ebay telling me about a special seller’s deal that was being planned. It had his picture and everything. It didn’t ask for my banking and credit card information, as most phishing schemes do, but it did ask me to enter my ebay username and password at the other end of the provided link to sign up for the special promotion. Well, considering that I took a dumb-a$$ pill with my coffee that morning, I signed up for the special deal.

      About a week later, ebay promptly ended all of my active auctions and suspended my account. What the heck, I thought? They also sent me an email asking me to contact their live-help, and verify whether or not I did indeed list that 2003 Mazda for sale. (No, I had no Mazda for sale.) After I logged into that live-help session, the person on the other end said to wait for a phone call to verify that I was who I claimed to be. The ebay people actually called me at home to verify my authenticity! They determined that my ebay account had been compromised, I was told, and they cancelled all auctions and suspended my account as a precaution. They would not tell me, for security reasons, how they knew it was not really my Mazda for sale, but I don’t really care. They did an OUTSTANDING job protecting me and a potential unsuspecting buyer, who would have undoubtedly been scammed out of some money, and who would then have come after ME for failing to deliver a car they paid for! (Only three hours from the time the bogus Mazda was listed and when they suspended my account! I was impressed.)

      After months and months of warning other people about it, I got bit in the a$$ myself. I didn’t lose anything, however, nor did anyone else, so I was lucky — very lucky. All I had to do was change my ebay password and I was good to go. I actually changed ALL of my passwords that day — my PayPal, my email, etc.

      I have a very “humbling”, but funny story for my next IT meeting. There’s nothing like a real-life experience to REALLY drive home a point. (No pun intended – “drive home” a point … Mazda ….)

      • #3136389

        Was asked to provide the info on their web site

        by m_a_r_k ·

        In reply to M_a_r_k — DON’T REPLY – You ARE being phished! Don’t Bite!

        The email from PayPal did not ask to send the acct information via email. It had a link to what appears to be PayPal’s web site, where you have to log in to access your own account. The problem there would be, if it is a spoofed PayPal site, they’ll grab your acct name and password. However, in this case I think it was legit because they also provide a link (on the web page) where, if you forgot your password, they will reset it and send you the new randomly-generated one. A spoofer/phisher couldn’t do that.

        That’s interesting how eBay detected so quickly that your account had been compromised. I wonder how they did it. Of course, they won’t tell you. Something must have triggered a checks and balances alert within their software. I’ve never sold anything on eBay so I’m not familiar with what kinds of information they could do that on but they surely have to have some way to verify (as much as reasonably possible) that the real account holder is trying to sell something. I’m glad to hear they have such good controls. Their business relies heavily on security so I guess it shouldn’t be surprising.

        And yeah, you’re right. Experience is the best teacher. It keeps us all humble. It’s a great story to relate to your trainees. If the trainer can get fooled, anybody can.

        • #3136380

          Mark: Be careful

          by neilb@uk ·

          In reply to Was asked to provide the info on their web site

          The whole point of “good” i.e. successful, phishing is that it looks just like the real thing – complete with “lost password” buttons and other good stuff.

          Basic rule: Never, never use the link in the email. Always make your way to the site directly from your browser.

          By the way, I have this rather splendid bridge on the Thames with a couple of nice towers. We sold its mate to Lake Havasu, Arizona but I’m taking offers on the one that they thought they were buying…

        • #3136374

          Put the bridge on ebay. . . .

          by maxwell edison ·

          In reply to Mark: Be careful

          You’ll probably sell the damned thing!

        • #3136369

          OK, Max

          by neilb@uk ·

          In reply to Put the bridge on ebay. . . .

          Just peer-mail me your e-bay account name and password and we’ll go halves on the profits.

          :p

        • #3136375

          M_a_r_k – Trust me, really IT IS A SPOOFED EMAIL

          by maxwell edison ·

          In reply to Was asked to provide the info on their web site

          That IS a spoofed email. There’s absolutely no question about it. The link provided in the email goes to a spoofed site.

          IT IS NOT LEGITIMATE!

          If you want to verify that, go to the PayPal home page, through your normal Web access means, log into your account, and on the bottom of your account overview page is a link to the PayPal Security Center. Verify it with them before you do anything.

          But whatever you do, don’t trust the email and don’t trust the links in the email – THEY’RE PHONY!

        • #3136365

          I never trust any unsolicited account-related email

          by m_a_r_k ·

          In reply to M_a_r_k – Trust me, really IT IS A SPOOFED EMAIL

          When I do get an email like that, I never go through the acct update process via the email link. Like you guys said, I’ll bypass their link and go directly to their web site myself. If any account update stuff really is required, there should be some indication from the site after you legitimately log on.

        • #3136659

          they can hide bad url

          by dr dij ·

          In reply to Was asked to provide the info on their web site

          either by extra long or bogus chars, cross scripting, or by clicking on link which is really a graphic and it shows ACTUAL url at bottom of page only when you mouse-over. some anti-phishing browsers / toolbars highlight this difference and tell you.

          we had one spam get thru for same reason, was a graphic instead of words in email.

    • #3136398

      Another tip-off (actually TWO)

      by maxwell edison ·

      In reply to Gone phishin’

      PayPal, ebay, banks, and so on, have your real information on file. It’s common practice to address you by name in any email, not just “dear valued member”.

      Also, whenever any request is made by them for your credit card or banking information, they will show you the last few digits of the number they already have on file. They even do this at their very own legitimate site.

      • #3136388

        Good point

        by m_a_r_k ·

        In reply to Another tip-off (actually TWO)

        about the nondirect salutation. But addressing each customer by name would require them to send individual “personalized” emails to every single customer. Might be tens of millions. Their emailer would be churning for days doing that. Sending one email in a mass distribution list is easier.

        Sometimes you can tell by digging into the email header and finding the originator’s email address. I’ve even had some dumb phishers where if you just start a reply email, the originator’s email shows up directly in the reply address. If you get an email from PayPal but the reply address is something other than PayPal.com, be suspicious. This was something like custserv@paypal.com. (If it was something like bob48765@yahoo.com, it’d be an obvious scam). Still could be a scam even if it’s custserv@paypal.com, though. You can’t prove a negative.

        • #3136377

          What you said is not the case . . . addressing each customer by name . . .

          by maxwell edison ·

          In reply to Good point

          PayPal can send ten million “personalized” emails in a matter of minutes. It doesn’t mean that someone typed in the name of each and every one of those ten million. It means that the email originated from the PayPal database that could do it automatically.

        • #3136364

          Yep I know

          by m_a_r_k ·

          In reply to What you said is not the case . . . addressing each customer by name . . .

          that they don’t have someone typing each email. They may have had to do that 40 yrs ago. And yes, they’d need to dip into the database regardless, just to get each user’s name and email address. The drain on the DB is the same with a mass email or individual emails because you have to retrieve each active user individually.

        • #3136655

          I can put ANY return

          by dr dij ·

          In reply to Good point

          address on email.

          I do this in programs to send out production counts from PCs in certain areas. Of course I only use ‘donotreply @ [ourdomain.com]’ or things like that but I can use anything.

    • #3136372
      • #3136361

        Excellent detective work, Max!

        by m_a_r_k ·

        In reply to Here ya’ go! Crooks in Action!

        I never trust telemarketers either. I do sometimes like to shoot the $hit with them though, especially if the caller is a female. ]:) My record for keeping one on the line is 19 minutes.

    • #3136358

      Never, ever reply

      by ozi eagle ·

      In reply to Gone phishin’

      Never, ever reply to any email asking for your details, period.

      If you think it may be legit, go to their website or phone.

    • #3136335

      These PayPal scammers are sneaky; it IS fake

      by m_a_r_k ·

      In reply to Gone phishin’

      Well, I’ve verified that the email was a scam. Compare these two pages:

      https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run

      http://paypal.secsrv469.com/cgi-bin/webscr.html?cmd=_login-run

      Can you tell which is the fraudulent one? It should be obvious in the URL but the typical person won’t know that. The pages look identical and the links from both are legit.

      PayPal’s Security Center (the real PayPal) notes that the generic greeting “Dear Valued Member” and misspelled words in emails are an indication of a spoof.

      Thanks for everyone’s feedback.
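      The two URLs above differ only in the host name, which is exactly what a reader skimming a link skips over. Below is an added example (not code from the thread or from PayPal) showing how to check a link mechanically: parse the URL, compare the host name label by label against the domain the mail claims to come from, insist on https, and, for HTML mail, flag anchors whose visible text shows one host while the href goes to another (the mouse-over mismatch mentioned elsewhere in this thread). `EXPECTED_DOMAIN`, the two-label domain shortcut and the sample HTML body are assumptions made for the example.

```python
# Added example (not from the thread): does a link really point at the site the
# e-mail claims to come from?  Python standard library only.
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "paypal.com"   # assumption: the brand the e-mail claims to be from


def registrable_domain(hostname):
    """Last two labels of a host name, e.g. 'paypal.secsrv469.com' -> 'secsrv469.com'.

    Assumption for this toy: a two-label public suffix.  Domains under ccSLDs
    such as .co.uk need a public-suffix list; the stdlib has none.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def belongs_to(hostname, expected):
    """True iff hostname is `expected` or a subdomain of it.

    Compares whole labels, so 'notpaypal.com' does NOT match 'paypal.com';
    a naive str.endswith(expected) check would get that wrong.
    """
    host = hostname.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def check_url(url, expected=EXPECTED_DOMAIN):
    """Return a list of reasons the URL looks wrong; an empty list means it passed."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    problems = []
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, not https")
    if not belongs_to(host, expected):
        problems.append(
            f"host {host!r} belongs to {registrable_domain(host)!r}, not {expected!r}")
    return problems


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html, expected=EXPECTED_DOMAIN):
    """Map each href in the body to its list of problems.

    On top of check_url(), flag anchors whose visible text is itself a URL on
    a different host than the real href: what you see is not where you go.
    """
    parser = LinkCollector()
    parser.feed(html)
    report = {}
    for href, text in parser.links:
        problems = check_url(href, expected)
        real_host = (urlsplit(href).hostname or "").lower()
        shown_host = urlsplit(text).hostname if text.startswith(("http://", "https://")) else None
        if shown_host and shown_host.lower() != real_host:
            problems.append(f"visible text shows {shown_host!r} but link goes to {real_host!r}")
        report[href] = problems
    return report


# Constructed sample body: the two URLs quoted in this post, the second one
# dressed up with visible text that shows the genuine address.
SAMPLE_HTML = """
<p>Please <a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run">log in</a>.</p>
<p>Or <a href="http://paypal.secsrv469.com/cgi-bin/webscr.html?cmd=_login-run">
https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run</a></p>
"""

if __name__ == "__main__":
    for href, problems in audit_links(SAMPLE_HTML).items():
        print(href, "->", "OK" if not problems else "; ".join(problems))
```

Run as-is, the genuine login URL passes and the look-alike is reported three times over: plain http, a host under `secsrv469.com` rather than `paypal.com`, and visible text that disagrees with the href. The label-wise comparison in `belongs_to` is the part worth copying; suffix checks with `endswith` are a common source of false "this is the real site" verdicts.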

    • #3136303

      Answers

      by jkameleon ·

      In reply to Gone phishin’

      1) No

      2) You get email telling you to provide certain information. Legitimate businesses NEVER, EVER send such emails.

      • #3136268

        Paypal phishing scams.

        by michael_orton9 ·

        In reply to Answers

        Since getting Tiscali BB, I get at least one of these a week, now telling me that my account has been suspended. I also got very good ones from Barclays bank and they don’t even know my new e-mail! Better still, my account with Wells-fargo has also been suspended!
        I have to give it to them, they do look genuine.
        But some of the e-bay ones are sent to several people if you arrange your e-mail to see the full headers.
        I have sometimes replied, pasting malicious code for both windows and Linux in the form, but it doesn’t seem to work.

    • #3136669

      Real simple way to tell

      by dr dij ·

      In reply to Gone phishin’

      you’ve figured out by now from other comments you ARE being phished.

      Get your own domain, or sign up for yahoo / google email for paypal, and another for ebay use.
      Change your paypal and ebay accts to use a single email address you don’t use for ANYTHING else.

      I do this for all online shopping too. Found that one site was either selling my address or had been broken into, as they were the only ones in the world I’d give that email address to. If you have a domain it is easier as you can type something easy like .. onecall@mydomain.com if you buy from onecall for example.

      From then on, look at the from address on email.
      If it was NOT sent to your specific paypal account it IS fraudulent.

      I don’t normally forward any phishing I receive except those I have accounts with, send it to either spoof or abuse at paypal and ebay (has correct addr on their help page).
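      The per-service alias idea above turns into a mechanical check once the mail is parsed: a message claiming to be from PayPal that was not delivered to the PayPal-only alias is suspect, and so is one addressed to several people at once (as noted earlier in the thread about some of the eBay ones). The following is an added example, not code from the thread; the `ALIASES` table, the domain names and the three sample messages are constructed for it. The From header is checked only to learn which brand the mail claims to be, since, as also pointed out above, anyone can put any return address on an e-mail.

```python
# Added example (not from the thread): one dedicated alias per service, then
# classify incoming mail by whether it reached that alias.  Stdlib only.
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed for the example: the domain a brand's genuine mail comes from,
# and the alias that brand (and nobody else) was given.
ALIASES = {
    "paypal.com": "paypal-only@mydomain.example",
    "ebay.com": "ebay-only@mydomain.example",
}


def sender_domain(msg):
    """Domain part of From.  From is sender-controlled, so this only tells us
    which brand the message *claims* to be; it proves nothing by itself."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def recipients(msg):
    """Set of all To/Cc addresses, lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def classify(raw_message, aliases=ALIASES):
    """Return 'ok', 'suspect-many-recipients', 'suspect-not-to-alias' or
    'no-alias-for-sender' (a brand we never gave a dedicated alias to)."""
    msg = message_from_string(raw_message)
    alias = aliases.get(sender_domain(msg))
    if alias is None:
        return "no-alias-for-sender"
    rcpts = recipients(msg)
    if len(rcpts) > 1:
        # Genuine account mail is addressed to the account holder alone.
        return "suspect-many-recipients"
    if alias.lower() not in rcpts:
        return "suspect-not-to-alias"
    return "ok"


# Constructed sample messages.
GENUINE = """\
From: PayPal <service@paypal.com>
To: paypal-only@mydomain.example
Subject: Your receipt

Thanks for your payment.
"""

SPOOF_WRONG_ALIAS = """\
From: PayPal <service@paypal.com>
To: bob@mydomain.example
Subject: Account suspended

Dear valued PayPal member, ...
"""

SPOOF_MANY = """\
From: eBay <support@ebay.com>
To: paypal-only@mydomain.example, ebay-only@mydomain.example, other@elsewhere.example
Subject: Dispute

Your item is in dispute.
"""

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("wrong alias", SPOOF_WRONG_ALIAS),
                      ("many recipients", SPOOF_MANY)]:
        print(f"{name:16} -> {classify(raw)}")
```

The check is cheap precisely because it relies on something the sender cannot know: which of your addresses you gave to which service. It complements, rather than replaces, looking at where the links actually go.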

    • #3136607

      Reply To: Gone phishin’

      by surflover ·

      In reply to Gone phishin’

      (i’m on the don’t call list)… but I used to see how long they’d listen if I’d start making up outrageous stories… I told one lady that I just shot my daughter, and she was bleeding and what should I do?… She stayed on the line for about 15 minutes before I started cracking up and had to hang up… :^O

    • #3137361

      Ebay, Paypal and TR

      by zlitocook ·

      In reply to Gone phishin’

      Will never ask for your password or any information. If you get an email like this send it to spoof@ebay.com. They are tracing and tracking down where they come from, one person has been picked up because of this. I get these emails three or four times a month, because I buy so much.
      I also get some saying that my item is in dispute and should go to the link to take care of the charges.

    • #2590610

      Don’t fall for Phishing schemes..

      by david ·

      In reply to Gone phishin’

      The best way to spot a Phishing email from a company, bank or ebay & payPal that you may do business with is simple. The REAL email from them will ALWAYS contain your NAME not just DEAR USER. This has always worked to spot the fakes.
      Thanks
