Is it Spam?

Is it spam? This week in PayPal account lockout scams

This week's "Is it spam?" features a spampaign that attempts to lure a PayPal user to a phishing web page with a notification that her PayPal account has been suspended. When the victim visits the link, she is presented with a fake PayPal page and asked to log in. Scammers collect PayPal usernames and passwords at such sites and thus gain control of the PayPal account and the means to transfer or use any funds in or linked to the PayPal account.

This week's scams contain Subject: lines to cause you worry, such as:

Security Process!

Your account is temporarily Limited.

Paypal2The first sample on the right shows a message body with some obvious clues that the email is bogus:

  • poor formatting or spacing,

  • typos (PaY Pal, Pay PaL), and

  • spelling errors ("desactivated").


Paypal1A second sample shows that some scammers are more careful in composing phish email messages. Read quickly, the message appears to be well written. It is, however, more colloquial than legitimate PayPal correspondence. For example, it repeats explaining that "We need a little bit more information." The item list begins with an embedded link to the phishing page ("Click Here").  The image included is not an official PayPal logo.

What can we conclude?

The message body can sometimes appear convincing. So try this: don't start by reading the message; instead, look first at the sender email address.  PayPal correspondence always comes from the domain It may come from subdomains like - but look carefully at the domain: if you see anything other than paypal dot com - other letters or numbers or hyphens - don't trust the message and don't visit any links embedded in the message. If you have any nagging concerns, type directly into your browser's address bar and log in from a page you visit directly. 

Sometimes, we can identify an email as a scam by what is missing, i.e., information that the genuine PayPal includes in email that scammers may overlook: 

  • PayPal addresses you by your full name, e.g.,
    Hello David Piscitello
    Scammers are not typically able to include unique identities in spam messages.

  • Mail from PayPal will always contain a Message-ID of the form
    Message-Id: <>
    A peek at the mail headers from the above spam reveals a non PayPal Message-ID
    Message-ID: <>
    Message-ID: <>

  • PayPal text links always spell out the complete URL and never hide behind text like Click here.

  • PayPal includes a Copyright statement in customer correspondence, of the kind:
    Copyright © 2014 PayPal, Inc. All rights reserved.
    PayPal is located at 2211 N. First St., San Jose, CA 95131.
    Scammers often fail to include this.

  • PayPal includes a template ID, a unique identifier, in each email, e.g.,
    PayPal Email ID PP120
    Scammers often fail to include this.

  • PayPal always includes a "Please do not reply" statement, e.g.,
    Please do not reply to this email. We are unable to respond to inquiries sent to this address.
    For immediate answers to your questions, visit our Help Center by clicking "Help" located on any PayPal page or email.
    Scammers can't include this if they intend for you to reply by email.

The best of scammers may include some of this information, and over time, PayPal may alter its own message composition, so do not rely exclusively on these telltales but instead, pay close attention to the sender, keep familiar with correspondence the genuine PayPal sends to you so that you can adjust your telltales if necessary, and use telltales to reduce your likelihood of falling victim to a PayPal phishing scam. 

One last point. PayPal implements a number of security checks to determine whether a user is the authentic customer or an imposter while an account is in use. If PayPal determines that a customer's account was accessed without permission, PayPal will help resolve the problem and if eligible, cover 100% of fraudulent transactions.


Is it Spam? This week in Amazon Credit Card Rewards Scams

Amazonscam1Many brands offer credit card rewards programs. This week's "Is it spam?" features a spampaign that attempts to attract mail recipients by offering them a reward or card voucher if they visit Amazon. These emails appear to be variants of a earlier phishing attack that seek to extract personal or account information when you visit the link. 

This week's scams contain Subject: lines include:

Your Amazon bonus code - AR841D0018

An thank you

A similar spampaign targeted sams club [sic]:

Ready to print - your Sams Club rewards dollars

Your complimentary shopping voucher is here

Amazonscam2Bayesian Poisoning, this time in hidden text

In our last "Is it Spam?" post, we looked at a blundered attempt to use hidden text to poison Bayesian filtering. This week's spammers managed to get set HTML font and background colors correctly to hide text. Spam investigators discover this by examining the raw or source email. You can see this source in most email clients. Gmail users, for example, can select "Show original" from a pulldown menu when they view a message:








By opening the source email and stripping colors we can see the text that's hidden here to poison filters. I've set the text color to red for illustration purposes. If you are keen of sight, you may notice some tiny red at the top of the message: this is poisoning text as well, but for some reason (overkill?), the font size is set to 2 point.

I'd like to thank this and last week's phishers for providing teaching moments in such proximity. Hidden text, blundered or not, is a tell tale of a spam or a phish. As always, you are most safe when you STOP. THINK. CONNECT.