I consider myself pretty web-savvy and spam/hoax-aware. Today I very nearly got fooled into giving my PayPal information to some shady characters.
This morning I got an e-mail from PayPal — or so I thought. It looked nice and branded, no spelling or grammar mistakes, security warnings telling me not to give my password or anything to anybody, and even a link inviting me to go and see PayPal’s Security Tips page. It was just asking me to login on the site and check my data there (that’s what I understood then, re-reading it now, it says they will verify the information I have entered, which is much more fishy).
I had already made a mental note of one of the PayPal warnings, which is to not trust any other site than https://www.paypal.com/ (I’m not linking it so as not to encourage you to click on links which seem to point there — you’ll understand why in a minute). Now, remember this was early morning for me (don’t you also check your e-mail in the morning?). I clicked on the login link, and noticed the browser was sending me to a website identified by an IP address (22.214.171.124 in this case). I stopped everything, and clicked the nice blue link that said https://www.paypal.com/us/cgi-bin/cmd=profile-update. The login page looked furiously like the real PayPal login page, and I was about to login with no second thoughts when I noticed the name in the browser bar was http://www.ssl2-paypal.com/support/update.html — not the link I had clicked on!
I had seen this address before, in another “PayPal” e-mail I had got a couple of weeks back. Already then they had managed to fool me, even though the e-mail was less well crafted than this time. I smelled a rat, so finally typed https://paypal.com/ in my browser and logged in there. Nothing special happened.
I dug out the previous e-mail, slightly worried now. You see, although I had been suspicious about this first e-mail, I do remember that I had logged in somewhere. But to this moment I’m not sure if I logged into the fake website or if I had the sense to point my browser to the real PayPal website myself before logging in. I think I did, I hope I did, and in any case I just checked my account for fraudulous activity and changed my password. The first e-mail was really bad, but I was convinced enough that it came from PayPal to forget about it, just making a mental note that their copywriting was really really poor.
This made the second scam e-mail seem all the more real: when I got it, I thought “oh, so that last e-mail must really have been a fake, this is what a real one looks like.” Poor unsuspecting me.
At this point, I still thought the second e-mail was a “real” one, but that the ssl2-paypal people had someway managed to hack a redirect on the official PayPal site. I hadn’t looked at the e-mail source yet, see?
Anyway, I decided to report the first e-mail I had received.
Coming back home at the end of the day, I had an automated response from PayPal regarding my complaint. It again stated all the security measures to take, in particular the one about always typing https://paypal.com in your browser. And I thought: “you doofuses, you had better stop putting clickable links in your e-mails if you want people to get used to typing the address!”
I was going to respond to them with a more politically correct comment in that direction when I went to have a second look at the e-mail (which, I remind you, I still thought legitimate) I had got in the morning. And that is when I realised that the beautiful blue link was in fact a fake link, disguised as a real one. You can put anything in the href attribute of an achor tag — the catch here is that their link looks a lot like the blue links e-mail reading programs create when they encounter plain-text URL’s.
So, there we go. I was nearly caught by those not-that-dumb spammers. Remember the golden rule:
Always TYPE the address in your browser, don’t CLICK on links in PayPal or other e-mails.
- Links in New Windows: Websites vs. Applications [en] (2011)
- Getting Rid of www [en] (2006)
- WordPress wp-login.php Problem [en] (2004)
- Getting Meals Back Under Control [en] (2014)
- Slow SSH Login from MacBook [en] (2006)
- Flickr and Dopplr: the Right Way to Import GMail Contacts [en] (2008)
- Extracting Web Apps From the Browser: Fluid and Prism [en] (2009)
- Flying Home Tomorrow With Easyjet. Or Not? [en] (2006)
- Response to Yvette: Loving Links in Posts Through Tabbed Browsing. [en] (2006)
- Eat.ch and Hundreds of Placeholder Sites? [en] (2013)
10 thoughts on “Paypal Scam Nearly Got Me [en]”
Yep; they’re getting trickier all right. They are now taking advantage of a rather nasty flaw in Internet Explorer that allows them to present fraudulent URLs in the status bar, so even if you check where the link goes to, you can’t always be certain.
Fortunately, I haven’t seen a Linux browser yet that is fooled by this …
Incidentally, Evolution 2.0 now displays the link target in the status bar, too; a much wanted feature, and I’m hearing that there’s an effort underway to port it over to Windows as a nearly native application.
What about using GnuPG to make sure that the e-mail is not faked ? SMTP is not a secure protocol, using asymetric cryptography to ensure trust should be relevant to that kind of business, or am I just to geeky here ?
J’utilise aussi Paypal, merci pour toutes ces infos, vais rester vigilant.
je croyais qu’avec les macs ça ne marchait pas, tu n’utilises pas safari?
Tu croyais que quoi ne marchait pas? Rien ne t’empêche sur un mac de cliquer sur un lien “déguisé” dans un e-mail html, et de donner ton nom d’utilisateur et ton mot de passe à un site qui n’est pas celui que tu crois, si tu ne vérifies pas attentivement ce qui est écrit dans la barre d’adresse… Ce qui a failli se passer pour moi.
Merci pour cet article. J’avais tout oublié des consignes de sécurité et je viens tout juste de recevoir un courriel de paypal me signalant que ma CB arrive à expiration et qu’il me faudra mettre à jour mes infos ! Après vérifications ça vient bien de chez eux. Un instant je ne savais plus que croire !
thanks for writing about your experience, stephanie! it’s so hard to tell what is real in this world anymore. 🙁 if it’s okay with you, i’d like to link to this thread from my blog.
Yep; they're getting trickier all right. They are now taking advantage of a rather nasty flaw in Internet Explorer that allows them to present fraudulent URLs in the status bar, so even if you check where the link goes to, you can't always be certain.
Fortunately, I haven't seen a Linux browser yet that is fooled by this …
Incidentally, Evolution 2.0 now displays the link target in the status bar, too; a much wanted feature, and I'm hearing that there's an effort underway to port it over to Windows as a nearly native application.
J'utilise aussi Paypal, merci pour toutes ces infos, vais rester vigilant.
Quand Stéphane Gigandet vivait encore au states, j’ai payé mon abo par paypal. Ensuite il m’est arrivé la même chose que toi. Sauf que chez Yahoo, le mail est apparu dans ‘Bulk’. J’ai supprimé aprés verif. Thanks a lot for the informations and have a nice day 🙂