Phishing for PayPal information

Like most people, I get a fair number of junk emails pretending to be from a bank, insurance company, credit card company, or PayPal. This morning I thought I’d check out one of the sites and see what happens. I clicked on a nice looking “PayPal” email (that was sent to an email that wasn’t registerd with PayPal). It told me that there had been some strange activity on my account, and that I needed to confirm my information. I clicked on the link, and it took me While the site was loading, you could see in the status bar that it was loading items from The site looked exactly like PayPal. If you hovered over any of the links, they all took you to PayPal. But the form in the middle of the page didn’t. It was being processed locally (by I “logged” in with fake information, and it worked (obviously, since it doesn’t know what my real username and password are). It then wanted my address and credit card information. I filled this in with fake information as well, and it worked. The last step was that the site tried taking my “login” information and tried to log me in automatically to the PayPal site so that the end result looked legitimate. Unfortunately that didn’t work. PayPal rightfully told me that my username and password were incorrect.

I can certainly see how the less savvy user would be duped. At a quick glance, everything looked good. But here are a few things to consider:

  • The original email was sent to an address I hadn’t registered with PayPal
  • I was taken to a site that wasn’t actually
  • The site was loading things from a non-PayPal site
  • The site was not a secure site (didn’t use https)

If you can’t tell whether an email is “phishing” for information or not, consider the items above, along with the following:

  • If you are concerned about the email, then visit the site yourself without clicking on the email. If PayPal really wants you to verify your account, then when you login, it should prompt you
  • Enter your password wrong the first time you try to login. Although this isn’t a perfect method, generally speaking a real site will tell you you’ve entered a wrong username/password combo. A fake site will accept it because it won’t know better
  • If you’ve entered information and you then think you have been duped, login to the real site immediately and change your password

I know there is software that is supposed to protect you against these sorts of things, but nothing is perfect. Ultimately, you just have to be smart, logical, and remember that major online companies virtually never need you to re-enter information that you have entered previously.

Leave a Reply

%d bloggers like this: