Previous month:
October 2014
Next month:
December 2014

November 2014

Is it spam? This week in PayPal account lockout scams

This week's "Is it spam?" features a spampaign that attempts to lure a PayPal user to a phishing web page with a notification that her PayPal account has been suspended. When the victim visits the link, she is presented with a fake PayPal page and asked to log in. Scammers collect PayPal usernames and passwords at such sites and thus gain control of the PayPal account and the means to transfer or use any funds in or linked to the PayPal account.

This week's scams contain Subject: lines to cause you worry, such as:

Security Process!

Your account is temporarily Limited.

Paypal2The first sample on the right shows a message body with some obvious clues that the email is bogus:

  • poor formatting or spacing,

  • typos (PaY Pal, Pay PaL), and

  • spelling errors ("desactivated").

 

Paypal1A second sample shows that some scammers are more careful in composing phish email messages. Read quickly, the message appears to be well written. It is, however, more colloquial than legitimate PayPal correspondence. For example, it repeats explaining that "We need a little bit more information." The item list begins with an embedded link to the phishing page ("Click Here").  The image included is not an official PayPal logo.

What can we conclude?

The message body can sometimes appear convincing. So try this: don't start by reading the message; instead, look first at the sender email address.  PayPal correspondence always comes from the domain paypal.com. It may come from subdomains like e.paypal.com - but look carefully at the domain: if you see anything other than paypal dot com - other letters or numbers or hyphens - don't trust the message and don't visit any links embedded in the message. If you have any nagging concerns, type paypal.com directly into your browser's address bar and log in from a page you visit directly. 

Sometimes, we can identify an email as a scam by what is missing, i.e., information that the genuine PayPal includes in email that scammers may overlook: 

  • PayPal addresses you by your full name, e.g.,
    Hello David Piscitello
    Scammers are not typically able to include unique identities in spam messages.

  • Mail from PayPal will always contain a Message-ID of the form
    Message-Id: <1410855524.17764@paypal.com>
    A peek at the mail headers from the above spam reveals a non PayPal Message-ID
    Message-ID: <149a1b23547.2a10.fb207@ismtpd-029.sjc1.sendgrid.net>
    Message-ID: <b7267e53f9b80e2386f3852b36d773ae@sebdx.musuqrentacar.com>

     
  • PayPal text links always spell out the complete URL and never hide behind text like Click here.

  • PayPal includes a Copyright statement in customer correspondence, of the kind:
    Copyright © 2014 PayPal, Inc. All rights reserved.
    PayPal is located at 2211 N. First St., San Jose, CA 95131.
    Scammers often fail to include this.

  • PayPal includes a template ID, a unique identifier, in each email, e.g.,
    PayPal Email ID PP120
    Scammers often fail to include this.

  • PayPal always includes a "Please do not reply" statement, e.g.,
    Please do not reply to this email. We are unable to respond to inquiries sent to this address.
    For immediate answers to your questions, visit our Help Center by clicking "Help" located on any PayPal page or email.
    Scammers can't include this if they intend for you to reply by email.

The best of scammers may include some of this information, and over time, PayPal may alter its own message composition, so do not rely exclusively on these telltales but instead, pay close attention to the sender, keep familiar with correspondence the genuine PayPal sends to you so that you can adjust your telltales if necessary, and use telltales to reduce your likelihood of falling victim to a PayPal phishing scam. 

One last point. PayPal implements a number of security checks to determine whether a user is the authentic customer or an imposter while an account is in use. If PayPal determines that a customer's account was accessed without permission, PayPal will help resolve the problem and if eligible, cover 100% of fraudulent transactions.

 


digital defense (presentation)

On November 3, I participated in a panel at the Munich Security Conference, entitled Digital Defense: from prevention to resilience.  I had to prepare an invited talk for the Lebanon Internet Center (LINC) on November 5 so I collected thoughts that had been banging around my head following this and a similar panel for an OAS/IDB event but hadn't shared outside these venues.  

You can also download digital defense: my $.02 here.