How to detect high-risk PayPal PhishingEmailsAuthor: Conative Business Inc. (05/22/2010)Today I received this email from firstname.lastname@example.org with the subject: "Your PayPal account has beenlimited". It was marked with "High importance".It sounds serious, doesnt it? Ive seen many PayPal phishing emails before, but this one looked reliable.The sender email address looked legitimate: email@example.com, unlike popular phishing sendersstyle such as: firstname.lastname@example.org (this is an example email address)I opened the email and saw the PayPal logo. On the right, there was a box "Protect your account info"with a valid link to http://ww.paypal.com, that even provided "Security Tips" at the secured link:https://www.paypal.com/us/securitytips.Figure 1: This email seems to be reliableWait a minute! This email was sent to the email address email@example.com. But I have noPayPal account associated with this email address! Something is wrong.Also it said "Dear Paypal member". It did not have my name, or my business name. This is evidenceof phishing. PayPal always starts its emails with "Hello [Name]" or "Dear [Name]".
I found the activation link, scrolled mouse over it, and the real hyperlink popped up: (this is a MS Outlookfeature). Important: I did not click on the link. Figure 2: The activation link is fraudulentThe link actually pointed to http://tosuper.com/blablabla, not PayPal. It took me another 5 seconds toGoogle this hyperlink, http://topsuper.net, and figured out it is 100% phishing. This phish was reportedon May 21, 2010. A new-born baby phish! Figure 3: This is a verified phish
By the way, a friend of mine also received this email on the same day:------------------From: PayPalTo: firstname.lastname@example.org (real email address has been changed)Sent: Fri, May 21, 2010 2:44:03 PMSubject: Customer NoticeDear PayPal Customer,Your online account has been locked due to unusual activity.Please click to unlock your account, and continue using PayPal services.-----------------This email was sent from email@example.com. It is NOT firstname.lastname@example.org, so you can quicklyknow to be careful.PayPal always includes your name. It should never read "Dear Paypal Customer".The hyperlink "click" led you to http://webservice-pp.com. Again, this is NOT authorized PayPal website.What is Phishing? Phishing is the criminally fraudulent process of attempting to acquire sensitiveinformation such as usernames, passwords, and credit card details by masquerading as a trustworthyentity in an electronic communication (Source: Wikipedia).A few take-aways:If you receive an email from your bank, credit card organization, or PayPal, please check the following: * Verify your name: Phishing emails usually start with general names "Dear PayPal member", or "Dearcustomer". * Verify the sender email address: Phishing email addresses are often similar to the organizationemail address, but not the same. E.g. email@example.com v.s. firstname.lastname@example.org. However insome cases, phishing can use Fake SMTP to fake the exact email addresses. * Verify the recipient email address (your email): Phishing experts crawl on the Internet for emailaddresses, and sent their messages to all email addresses that they found. If your email address is notthe dedicated email address for your account at the organization that sent the email, it is more than likelyit is a phishing email.
* Prior to logging in, verify the website. The phishing website can look exactly the same as the siteyou want to enter, but will have a different domain. * Finally, if you are still unsure if that is a legitimate site, call the organization to verify.Also, note that PayPal is popular phishing target!If you are not familiar with phishing, you may become a real FISH and lose money. So I hope that thispost has been of help to you and you avoid future problems.For those of you who have additional comments or recommendation, I welcome your feedback!Mike Le