How To Spot a Fake PayPal Email

Can you spot a fake email when you see one, especially one that might be trying to steal your PayPal login information?

Here is an email that I received that, at first look, came from PayPal. It warns me that if I didn’t sign in and update my billing information, my account might even be deleted!

[Image: Paypal1]

As authentic as the email might seem (notice that phishing attacks are getting better, and the English isn’t as broken as we usually see), there is a big giveaway if you know what you are looking for.

Clue #1:

Look at the URL of the link they want you to click in the email. It is made to look like an AOL.com address, but all they are doing is using aol.com to redirect to an IP address whose URL contains the words paypal.com.

Clue #2:

If you failed to sense that something is amiss in the link, you can still spot a major flaw. After you click on the link in the email, if you look at the Location bar in your browser, you’ll see the URL as http://201.155.199.155/icons/www.paypal.com/managament/cgi/. But look how identical the web page looks compared to an original PayPal page.

[Image: Paypal2]

The URL shows that you are not at a paypal.com address. You are at some other server that has the words paypal.com in its URL. This should send a big red warning signal to you. IP location software places this server in Cordoba, Mexico.
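Clues #1 and #2 come down to one check: which host does the link really lead to? The following is an added example, not part of the original post. `BRAND`, the `redirect.example` host and its `url` parameter are assumptions standing in for the aol.com redirect, whose exact form the post does not show.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

BRAND = "paypal.com"  # assumption: the one domain the real login page lives on

# The landing URL quoted in the post, and a constructed redirector link
# (host and "url" parameter are hypothetical stand-ins for the aol.com hop).
LANDING = "http://201.155.199.155/icons/www.paypal.com/managament/cgi/"
REDIRECT = ("http://redirect.example/click?url="
            "http%3A%2F%2F201.155.199.155%2Ficons%2Fwww.paypal.com%2Fmanagament%2Fcgi%2F")


def host_is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(url, brand=BRAND, depth=0):
    """Return warning signs: IP-literal host, or brand name outside the real host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    findings = []
    if host_is_ip(host):
        findings.append("host is a raw IP address")
    on_brand = host == brand or host.endswith("." + brand)
    if not on_brand and brand in host:
        findings.append("brand appears in host but is not the real domain")
    if not on_brand and brand in parts.path.lower():
        findings.append("brand appears only in the path")
    # Follow URLs carried in query parameters (the redirect trick), bounded.
    for _, value in parse_qsl(parts.query):
        if depth < 3 and value.lower().startswith(("http://", "https://")):
            findings += ["via redirect: " + f
                         for f in check_link(value, brand, depth + 1)]
    return findings


if __name__ == "__main__":
    for link in ("https://www.paypal.com/signin", LANDING, REDIRECT):
        print(link, "->", check_link(link) or "no findings")
```

Only the host decides where the browser goes; the path and query can contain any text the sender likes, which is why the brand name appearing there counts as a warning sign rather than reassurance.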

Once you have missed the second clue, it is very hard to turn back, because they have copied everything from the real PayPal login page except that they have their own PHP script behind the login form. All the links in the fake page actually point to PayPal’s website, as is common in most phishing sites.

Here is the fake PayPal login page:

[Image: fake PayPal login page]

Here is the actual PayPal login page:

[Image: actual PayPal login page]

Once you enter your login credentials and hit Login, you have just given access to your PayPal account to someone else.

Clue #3:

There is another subtle clue that may not be apparent. The page has some extra characters that are totally out of place but hard to spot. I don’t know if it’s a typo or carelessness or if it’s a code for the phishers, but most likely a typo.

[Image: Paypal3]

How can you protect yourself from phishing attempts?

You might not be using PayPal, but there are many phishing attempts every day against financial websites such as bank websites, credit card websites, etc. It pays to be careful when you access your accounts from emails such as this.

Here are a few things you could do to protect yourself:

  • Look for the clues mentioned above; as you can see, they are nothing special, just common sense.
  • If you really believe the email could be a real one, log in to the website from your own bookmark or by typing the web address in the browser instead of clicking the link in the email. By practicing this all the time, you won’t be vulnerable even that one time when you are tired, sleepy or not so alert and might click the link in an email.
  • Use a secure browser such as Mozilla Firefox, which has a phishing filter and shows a warning when you access a known phishing site. Internet Explorer 7 and newer browsers also have a similar feature so it pays to upgrade your IE 5/6 to newer versions.

If you are Internet savvy, this is all too familiar to you. But we all know someone who may be unaware that such attempts are made every day, and we should try to educate them so they won’t be caught unawares.

Update: 6/24/08

I received a second PayPal phishing attempt and you can read about it now.

Update: 7/13/09

If you use Gmail, check out the new Gmail Labs feature that helps with identifying phishing emails easily.


26 Responses to “How To Spot a Fake PayPal Email”

  1. Troy February 11, 2008 at 10:46 pm #

    A good tutorial. Also, in Gmail under more options you can report these as phishing. Hopefully that should help others to avoid the problem, but it’s a hidden feature :)

  2. Mark February 12, 2008 at 3:24 am #

    Two things I’d like to add to that. One is that PayPal and other big name entities won’t be addressing you generically. Second, is not to click on the link at all. It’s too risky in that it could be a drive-by virus or spyware that could be installed onto your computer just by visiting the web page.

    Surprisingly, the phishers made no attempt at fooling their recipients by “hiding” the URL behind the displayed text which could be seen just by rolling your mouse over it like so: http://www.happy-site.com.

    Good eye on the typo text. Could be some sort of graffiti or signature.


  3. K February 12, 2008 at 1:59 pm #

    Troy, that’s a great tip and it sure was hidden for me.

    Mark, you are absolutely right about addressing us. I didn’t consider the virus/trojan possibility and thanks for mentioning that. The phishers of tomorrow are sure to wisen up to things like that and it will pay to educate the folks who are unaware of such attempts at all.

  4. Nirmal February 12, 2008 at 2:14 pm #

    This is really difficult to spot the fake ones, but I think if we closely look at the page, we may find some mistakes.


  5. Madhur Kapoor February 12, 2008 at 3:54 pm #

    The phishing attacks are getting better and better. I received a similar type of mail from an account posing as gmail admin. Luckily the IE 7 phishing filter detected it.

  6. Kyle Eslick February 12, 2008 at 4:33 pm #

    I used to get these all the time, but haven’t had one forever. A couple months ago I was digging through my spam filter and realized Gmail has been saving me. It must have stopped about the time I switched to Gmail!


  7. K February 12, 2008 at 4:49 pm #

    Nirmal.. that’s true! I guess one has to train themselves so warning bells start going off when you see an email like this.

    Madhur.. as Mark said it is probably better never to click on links in any email proposing to be from a financial institution where we may have accounts. Firefox detected it too but it failed to prompt a warning 2 times out of 5 and not sure why. But, I wouldn’t have been able to tell the difference unless the url screamed out like in this one because the page was so skillfully mimicked to Paypal’s!

    Kyle.. I got this one in my Gmail last week and I was a little deceived at first look before I got wary! The email got my attention just like it wanted to.. :razz: Gmail does catch a lot of spam and phishing emails but this slipped through for me.

  8. Dwayne Charrington February 13, 2008 at 12:45 am #

    I got one of those emails exactly the same the other day. So what I did was create a PHP spam script that submitted fake emails and password that said “**** YOU SCAMMERS”. Obviously without a star to censor it ;) I spammed them pretty good I think. All I did was get the location of the PHP script it was posting the details to and spam them with some fake details hopefully it will teach them a lesson not to mess with me again. I love having fun with scammers and spammers I always do stuff like that. Sometimes I even try to scam them back :) I’ve blogged about my escapades a few times on my blog actually.

    - Dwayne Charrington
    http://www.dwaynecharrington.com

  9. David Airey February 13, 2008 at 6:46 pm #

    Nice tips, K.

    You can never be too safe where your transactions are concerned.


  10. K February 13, 2008 at 9:08 pm #

    Dwayne.. that’s a great idea and everyone should do that. I think there is already a critical mass of programmers who do stuff just like what you mentioned and hopefully that’ll have a snowball effect. :wink:
    I will check out your blog posts.. thanks for stopping and letting us know.

    David, thanks. That’s very true and I just can’t help thinking ‘not everyone looks for such details before clicking a link in an email’.

  11. Jeanne Dininni February 14, 2008 at 7:48 am #

    K,

    A few other things you can do to recognize a fake PayPal (or other financial institution’s login page):

    Right click anywhere on the page. Then click Properties. When the window opens, check to see whether the connection is encrypted. If it isn’t, it’s not PayPal (or any other secure login page).

    Also, look at the status bar at the bottom of the screen. If it doesn’t contain a little yellow lock icon, the page isn’t secure, which again means it isn’t PayPal. (If the status bar has been completely removed from the webpage, that’s another clue that the website is fraudulent and the scammers don’t want the more web savvy to notice the lock icon is missing.) If the only lock icon you see is somewhere on the webpage itself, the site isn’t secure and is likely fraudulent. While PayPal has a lock icon in its login box, it also always displays one in the status bar.

    If you suspect that you’ve received a phony PayPal e-mail, forward it to spoof@paypal.com.

    I wrote a post a while back about this, which contains a lot more info than I’ve mentioned here. Here’s a link: Warning: Watch Out For Phishing E-Mails!

    Great post, K! We can never point out these scams too often!

    Cheers!
    Jeanne

  12. K February 14, 2008 at 1:32 pm #

    Jeanne, that’s some awesome information. The point about the ‘secure lock’ icon just goes to show how little attention it gets just because it’s there always! Also, great tip about forwarding it to PayPal. Nice detailed article you have there and I stumbled it! :-)

  13. Jeanne Dininni February 14, 2008 at 8:54 pm #

    Hey, K!

    Thanks so much for stumbling my post! I appreciate that! Don’t know whether you knew it or not, but I stumbled yours after I read it, too!

    Take care!
    Jeanne

  14. K February 15, 2008 at 2:49 pm #

    Jeanne.. yours had a wealth of information I had to Stumble it! Thanks for your Stumble too.. :-)

  15. Jeanne Dininni February 15, 2008 at 9:26 pm #

    Glad you found it useful, K!

    Don’t mention it. I often find your posts Stumble-worthy!

    Jeanne

  16. doorknob60 February 17, 2008 at 5:52 am #

    The BEST way to not get scammed is to use Firefox :) Also sometimes the fake emails use HTML to make the link show up as http://www.paypal.com/whatever but if you put your mouse over it and look in the status bar it shows something else.

  17. K February 19, 2008 at 4:52 am #

    doorknob60.. that’s what I recommend too but Google Analytics shows over 40% of my visitors are using IE! :razz:

  18. Techblissonline Dot Com February 22, 2008 at 12:08 pm #

    yes it is really unfortunate that many continue to use IE…hope the new version of IE will rock…


  19. Bobby Revell February 26, 2008 at 8:43 pm #

    Great information! I came here through the Brown Baron. I usually never read PayPal emails as the real paypal doesn’t send emails very often anyway. I must admit they are getting good at faking :shock:


  20. K February 27, 2008 at 3:00 am #

    Hi Bobby.. welcome to ShanKri-la and thanks for stopping by to comment! :grin: That’s true about Paypal emails.. this one did get me interested when I saw the first line warning that the account could be closed. :wink:

  21. Harmony March 5, 2008 at 11:13 am #

    This is very easy. Just access your paypal account from your browser. Don’t click any email links guys! :wink:

    Thanks for the article man, it’s very well written!


  22. Stephen Cronin March 21, 2008 at 5:14 am #

    Hi K,

    I’ve had two fake Paypal emails, both different from the one you show above, but with telltale signs. Basically, if they are asking me to go to a URL and login, I won’t. I’ll go to the Paypal site directly.

    I send such emails to spoof@paypal.com (as Jeanne suggests above). In both cases, they’ve gotten back to me quickly to confirm that they were phishing attempts.

    People need to be more aware of this!


  23. K-IntheHouse March 21, 2008 at 9:13 am #

    Hey Stephen,

    Great to see you back! Paypal spoofing has to be the most effective as opposed to trying to guess which bank someone in terms of success rate. It’s good to see folks take notice and thanks for all those who stumbled, dugg and spread this post around. It brought in a big wave of StumbleUpon readers and still does now and then when someone stumbles it. :-)

