How to Spot a Fake PayPal Email – Part Deux

Phishing, pronounced just like fishing, is a term you must be aware of if you use the Internet for any kind of sensitive transaction. You could be at risk of a phishing attack if you use online accounts such as PayPal, your bank account, your credit card account, etc.

Quoting Wikipedia,

Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from PayPal, eBay or online banks are commonly used to lure the unsuspecting. Phishing is typically carried out by e-mail or instant messaging and it often directs users to enter details at a website.

I had written on How to spot a fake PayPal email in the past and it was well received. Today, I received an improved version of another PayPal phishing attack by email. I think this is another good chance to raise awareness on such attacks and what you should be watching for.

In the past post, we looked at a few clues that gave away the PayPal phishing attempt. The clues in the last email were:

  1. The link in the email showed the URL itself, which was suspicious.
  2. Once you clicked on the link, the URL in the location bar was again suspicious. You should never click on links in any email that comes from a financial institution. More on that below.
  3. Some odd-looking characters in the web page that were out of place.

Fake Paypal Email

As you can imagine, phishing attempts are getting better, and this is what I received this time around.

Fake Paypal email message

As you can see, they have gotten better. The email looks authentic, and the actual URL is masked behind link text that looks like a real PayPal web address. It's aimed at naive Internet users, and I am sure you know better than to click on it. If you were tempted, there are 2 things that should warn you before you enter your information. Again, remember that it's best practice not to click on the links in any of these emails but to go directly to the site you have bookmarked.

Here are a few clues that should warn you:

Clue 1: Email address

It is very easy to spoof an email address and make it look like an email came from someone else. But they didn't even do that: the From address of this email was paypal@securesuite.net, not a paypal.com address.

Clue 2: Link address

Even though the web address you were about to click on has the words paypal.com, it is actually linked to something else. You could see this by hovering your mouse over the link and looking at the status bar of your browser. Or if you were just click-happy and had clicked on the link in the email, one glance at the location bar in your browser will show that the actual url you are at is:

http://lpdutest.com/www.paypal.com/cgi-bin/us/security/update-paypal/service-peyment/login.aspx/webscrcmd=_nav=0/

As you can see, it is very easy to mistake this for being at paypal.com as you see the words, www.paypal.com in the address. But, you are actually at http://lpdutest.com and about to give away your hard earned money to someone there.
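Both clues can be checked mechanically. The following Python code is an added example, not part of the original post: it flags a sender domain that is not paypal.com and any link that mentions paypal.com while its real host is something else. The function names, display name and link text are assumptions made for illustration; the sender address and link target are the ones quoted above.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND = "paypal.com"  # domain the message claims to come from

def host_is_brand(host, brand=BRAND):
    """True only if host is the brand domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == brand or host.endswith("." + brand)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(from_header, html_body):
    """Return a list of warnings for Clue 1 (sender) and Clue 2 (links)."""
    warnings = []
    sender_domain = parseaddr(from_header)[1].rpartition("@")[2]
    if not host_is_brand(sender_domain):
        warnings.append(f"sender domain is {sender_domain}, not {BRAND}")
    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        real_host = urlsplit(href).hostname or ""
        # The brand name in the link text or URL path means nothing; only the host counts.
        if BRAND in (text + href).lower() and not host_is_brand(real_host):
            warnings.append(f"link mentions {BRAND} but goes to {real_host}")
    return warnings

# Constructed sample: sender address and link target are the ones quoted in the post;
# the display name and the visible link text are made up for illustration.
SAMPLE_FROM = "PayPal <paypal@securesuite.net>"
SAMPLE_HTML = ('<p>Dear Costumer, <a href="http://lpdutest.com/www.paypal.com/cgi-bin/us/'
               'security/update-paypal/service-peyment/login.aspx/webscrcmd=_nav=0/">'
               'https://www.paypal.com/cgi-bin/webscr</a></p>')
```

A clean sender check proves little, since the From address is easy to spoof; the link-host check is the more reliable of the two.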

Clue 3

There isn’t a clue #3 this time. They have been so meticulous in forging PayPal’s site as you can see below. There aren’t even little details that have been forgotten.

Fake Paypal site

The language change option wouldn’t have worked if you tried but even that’s not enough to raise an eyebrow.

Don’t Click the links in the email

As you can see, once you have missed the first 2 clues, there is no turning back. And spotting those clues is going to get harder as the phishers get smarter and find new ways to fool us into thinking that the email is from PayPal.

But, if you get into the habit of consciously avoiding clicking the links in such emails, there is no way they can scam you. Their whole scam relies on the email recipient clicking on the link.

Use a Modern Browser

If you are still using an antiquated browser like Internet Explorer 6, this is a good reason to upgrade now. Any modern browser will warn you about reported phishing sites, leaving you a little bit safer, but only after someone has reported the site. So it's not 100% protection, but it is better than nothing.

When I received this email yesterday and I clicked on the link, there was no warning but this morning, Firefox 3 warns me that this is a web forgery attempt.

Firefox Phishing Warning

I tested this in Opera 9.5, Internet Explorer 7 and Firefox 3 and they all warned me against this phishing attempt.

An email like this could claim to come not just from PayPal but from your bank, credit card company or any other financial institution. Symantec says about 80 percent of brands targeted by phishing attacks were in the financial sector.

Report Phishing Attempts

When I came across this site yesterday, I used the ‘Report Web Forgery’ option in the Help menu of Firefox 3 to report it. Also, Gmail has a ‘Report Phishing’ option, hidden under the more options menu, that you can use to report such emails. (thanks Troy)

As a savvy Internet user, you were probably familiar with this, but we all know friends and family who are still oblivious to it. So let’s spread the word and help keep them from getting defrauded.

What do you do when you get such an email?

Update: If you use Gmail, check out the new Gmail Labs feature that helps with identifying phishing emails easily.


27 Responses to “How to Spot a Fake PayPal Email – Part Deux”

  1. Pavan Kumar@ Personalized mails June 24, 2008 at 9:50 pm #

    And one more thing, PayPal mails will be addressed to the name of the addressee. If your PayPal registered name is “K”, the addressing will be done for the name of “K” and not anything like dear customer, dear paypal user…. In your case, it is Dear Costumer, I think this is originated from some Hong Kong, China, Taiwan or such regions….[not sure, but they are the ones who make such spelling errors, check IP]


  2. David Bradley June 25, 2008 at 4:46 am #

    To be honest, I’d just assume anything claiming to come from Paypal is fake and delete it immediately, if they have something genuine to say, there’ll be an announcement on the site itself, which you should visit only by entering the URL in the address bar not by clicking any links.


  3. Madhur Kapoor June 25, 2008 at 6:36 am #

    Wow, this was good enough to fool a normal user.


  4. K June 25, 2008 at 8:35 am #

    Pavan, that’s a good point. You’d be surprised to know that it was from Culver City, California.

    David, exactly what one should do. Delete the email without clicking on links. Unfortunately, there are still folks who don’t do that.

    Madhur, very true. I hope at least it made a few of my readers wary of such emails.

  5. David Bradley June 25, 2008 at 9:48 am #

    Banks themselves often break the golden rules of helping their customers avoid phishing attacks. If they were to subscribe to the idea that unencrypted SMTP email correspondence with their customers is not safe, and spread the word, then we would have less concern.

    One thing that users who insist on clicking links do is to put in false login details on the first pass. If the site does not bounce you for entering an incorrect login, then you can be pretty sure it’s phishing bait. A legitimate site would bounce you immediately. One could apply this principle to emails claiming to come from google, facebook, plurk, mixx, anything…


  6. April@Cheap PDA June 25, 2008 at 9:59 am #

    Once a number of years ago I nearly fell for one of these phishing emails but I’m much more cautious now. It’s kind of a shame because there must be lots of genuine emails I receive where I have just automatically deleted them.

  7. K June 25, 2008 at 5:13 pm #

    David, that’s an excellent idea to use false login details on the first pass. Although I’d prefer to not use the links in any such emails at all but this technique will come in handy if you are not sure if the bookmark to the banking site you have is legit or not. Your linked post is another nice example of this issue and I am heading over there to comment.

    April, you might be missing out on a couple of genuine emails but like David mentioned they should know better than to contact you this way. You are erring on the side of being too cautious which is the best approach towards security in the Internet, imho.

  8. Pavan Kumar@ Individual personal mails June 25, 2008 at 9:11 pm #

    @K

    That’s a surprise for me… I think you might have got mails from different bank managers/officers who would like to share a grand amount of likely 20 million dollars in some ratio…. Such ones usually have lots of spelling errors and originate from the above said sources….


  9. Mark Sierra at MeAndMyDrum.com June 26, 2008 at 1:18 am #

    Nicely done, K! I haven’t received this one yet, but have been seeing them getting more sophisticated in their presentation. Shame too, because all that effort is wasted on evil.

    Stumbled!


  10. David Bradley June 26, 2008 at 2:52 am #

    Another aspect of phishing that is rarely mentioned, and as it happens rarely seen is the idea of a phishing attack from an organisation or system such as AdWords or Amazon. How easy it would be for a phisher to hijack someone’s account on any of those systems where there are fewer safeguards and passwords than with one’s bank account.

    It even occurred to me that someone could spoof a “you have sold” email from amazon and con someone into shipping goods to a PO box from their marketplace account.


  11. K June 26, 2008 at 8:48 am #

    Mark, thanks buddy! There is no dearth of people who get off by being on the wrong side of the law. Appreciate the stumble! :-) David, I can’t agree more on that with you. In fact, even phishing attempts at Gmail or Yahoo Mail accounts, which is where most people tend to have their registration information for various websites and most sites send you a reset password email. Amazon is another great example too. Maybe the phishers haven’t gotten up to speed with these low-lying targets but let’s not alert them shall we? :wink:

  12. Rick NHS@NHS Real Estate Blog June 26, 2008 at 9:33 pm #

    I laugh every time I receive a PayPal email, because the PayPal account I use is a company account and has no association with me directly. But a couple days ago a fake Amazon email arrived that almost tricked me, fortunately I realized it was fake before using their login link (by going directly to Amazon.com and logging in there, where I realized there were no messages or errors on my account).

    These jerks are tricky though, they disguise the return email address, and have landing pages that are almost exactly the same as the real website’s landing page.


  13. Tim@antique Amish quilts June 26, 2008 at 10:13 pm #

    This has really spooked me. I might have fallen for that one, and wasn’t aware there was anything that sophisticated to look out for. I always clicked the links in emails before, but no longer. Thanks for the heads up.

  14. K June 27, 2008 at 9:43 am #

    Rick, they sure are and it’s only going to get worse as time goes by. Their methods will become elaborate. This is the first time I have heard about an Amazon phishing attempt as David Bradley pointed out. As long as we go to the website to login instead of clicking links in the email, we should be ok.

    Tim, you are very welcome. I am glad you found it informative. :-)

  15. Peter Answers June 29, 2008 at 9:40 pm #

    This is a helpful post, thank you. It is amazing how many times I get spam from someone trying to pretend they are PayPal, or EBay or others. I think a lot of people that are not savvy will fall for it.


  16. David Bradley June 30, 2008 at 4:21 am #

    I’m not sure that Amazon phish has ever happened. One thing I nearly got caught by was clicking a link from AdWords…thankfully it really was from AdWords so I wasn’t phished, but I’ve since seen AdWords phish (I no longer use the system), so even the aware can get caught…

    db


  17. technoob July 3, 2008 at 3:47 am #

    I never knew of the Firefox 3 browser’s capability of identifying a forgery site. This can be the only best defense against getting scammed. The email address not showing ….@paypal.com cannot be quite obvious. Also the language option cannot be too. I might think that the site is broken or something else. Hovering the mouse over the link can be rendered useless if the scammer uses a javascript text to hide the link. Thanks for enlightening us about the PayPal scammer.


  18. K July 3, 2008 at 9:55 am #

    technoob, you are very welcome! It’s good to see the security features being added in all modern browsers not just Firefox. But, there will always be new threats so it’s best to stay informed and how to protect ourselves.

  19. Abhinav Singh July 9, 2008 at 11:01 am #

    Nice post, well I received an email yesterday itself asking me to update my card information as it has been deactivated and finally realized it’s a phishing site.

    Read more and see the screen shots of the same here:

    http://abhinavsingh.com/blog/2008/07/fake-email-from-paypal-cloned-sites/


  20. Raj Krishnaswamy @ thermal spray August 4, 2008 at 3:08 pm #

    Good post. Many times the problem people have is they are in such a rush to read through their e-mails that they do not pay attention to the details as you have pointed out to be watched out for. I take plenty of time to scan through and if something looks suspicious, I put off reading it until later when I get a second chance at evaluating the source. Thank you for all the notes.


  21. Robin August 21, 2008 at 2:00 pm #

    Yup, as a general rule, be suspicious of every email that asks you for your personal information.

  22. Andy@Send Fake Mail August 26, 2008 at 2:02 pm #

    It’s really easy to send fake emails from websites such as http://fakesend.com

    Always make sure you look at the header of every email when opening emails you think are potentially spoofed, and when in doubt, just go straight to ebay.com or paypal.com

  23. Ivis December 17, 2008 at 8:41 am #

    Wow. I got an email from my local bank. I rang them and they said no such thing had happened. The email stated:

    Dear [bank name] customer.

    we are sorry to inform you that your transaction for the [Date] Had been a fraud and we request you to go to the following link [Link Removed].

    Your security is our saftly.

    regards

    [Bank Manager] hell how I know the name of the manager.

  24. Jan the fish March 16, 2009 at 8:42 am #

    In fact I like such emails. I always open these URLs to see if they copied the entire layout or if something is missing. :)

    In the past I also received emails (from some retards, of course) in broken Slovak (I’m from Slovakia) or Czech that I should login to my bank account (some Slovak or Czech banks). It was funny how these spammers even didn’t translate the email manually, but instead they used some automated translator that left plenty of grammar errors.

    It’s fun when you know what it’s about.

  25. Youssef November 7, 2009 at 6:30 am #

    Some users are not that advanced to look at headers. Services like fakesend and http://hoaxmail.co.uk can indeed fake the sender’s email but when it comes to PayPal, it’s easy to detect fraudulent emails:

    - Paypal never uses ‘dear client’, they always use the name YOU REGISTERED with them.
    - Simply don’t click links or when you do, ensure that the URL is http://www.paypal.com and if it’s a log in page, ensure that the connection is secure (starting with https:) and often the browser’s address bar will appear yellow.
    - If you’re really in doubt, simply forward a copy of the email you received to paypal to confirm it’s indeed from them.

    That would do the trick:P. No need to look at headers:D

  26. jocuri November 22, 2009 at 12:51 pm #

    Very useful post, I always find the spammer IP / domain and report it to the authorities and also to his hosting provider.
