This one looks, on the surface, quite convincing.
This morning, I got the following message that appeared to be from PayPal in my inbox:
Dear PayPal Customer,
You have added andrew1987 @btconnect.com as a new email address for your Paypal account.
If you did not authorize this change, check with family members and others who may have access to your account first. If you still feel that an unauthorized person has changed your email, submit the form attached to your email in order to keep your original email and restore your Paypal account.
Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.
If you choose to ignore our request, you leave us no choice but to temporary suspend your account.
Sincerely, PayPal Account Review Department.
As shown in the accompanying screenshot, the message included all the usual PayPal logos and even a VeriSign Identity Protection logo. (What good is a logo like that if it’s so easily stolen and reused by scammers?) Of course, it was from an address at ppal.com (not paypal.com) and it was addressed to “Dear PayPal Customer” instead of my name. That’s a dead giveaway that the message is not real.
Reading the message offers other clues that it’s fake. For example, although it’s standard for PayPal to send you an e-mail message if you add or change an e-mail account, this message makes a conflicting request. First, it says action is only necessary if you believe your account has been compromised. Then it tells you that if you ignore the request, they’ll suspend your account. That, of course, makes no sense.
But I’m sure that many people would fall for this. After all, it indicates that a stranger’s email has been added to their PayPal account. All the talk about Internet fraud would send a person into panic mode. He’d open the file attachment and possibly go through the process of giving away information about his own account.
You have no idea how much this pisses me off. I know people who have been scammed by emails like this. One of them is an elderly man who had a bank account tapped into and partially drained before he was able to resolve the problem.
I immediately forwarded this message to email@example.com — the address you should forward any questionable PayPal communication to.
Please help spread the word among friends and family members who might fall for phishing attempts like this. Tell them that if they get a communication from any company they do business with, they should log into their account the usual way — not by clicking a link or opening a file attachment in the message they receive.
September 3, 2011 Update:
Thought I’d mention another version of this scam. Here’s the message that arrived today:
You sent a payment of 40.90 GBP to Mobile Top-up Online
If you have questions about the shipping and tracking of your
purchased item or service, please contact the seller.
Please download the document attached to this
email to cancel or forward your purchase.
Mobile Top-up Online
Instructions to merchant
You haven’t entered any instructions.
Shipping address – Unconfirmed
Of course, this one came with an HTML attachment, too. It’s named “PayPal Refund.html” and, to someone who isn’t actually thinking, it might seem like something worth double-clicking to fix the perceived incorrect charge.
Don’t get scammed.
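The clues described in this post (a sender address that is not at paypal.com, the "Dear PayPal Customer" greeting, the suspension threat and the HTML attachment) can be checked mechanically. The following is an added example, not part of the original post; the function name, the sender's local part and the recipient address are made up for illustration, and the sample message is constructed from the text quoted above.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the messages quoted in this post; not a real capture.
SAMPLE = """\
From: PayPal <service@ppal.com>
To: reader@example.com
Subject: New email address added to your PayPal account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear PayPal Customer,
If you choose to ignore our request, you leave us no choice but to
temporary suspend your account.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="PayPal Refund.html"

<html><body><form></form></body></html>
--b1--
"""

def phishing_indicators(raw, brand="PayPal", real_domain="paypal.com"):
    """Return the clues from this post that are present in the raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    display, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    # Display name claims the brand, but the address is not at the real domain.
    if brand.lower() in display.lower() and not (
            domain == real_domain or domain.endswith("." + real_domain)):
        hits.append("sender-domain-mismatch")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if f"dear {brand.lower()} customer" in text:
        hits.append("generic-greeting")
    if "suspend your account" in text:
        hits.append("suspension-threat")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or name.endswith((".html", ".htm")):
            hits.append("html-attachment")
            break
    return hits

print(phishing_indicators(SAMPLE))
```

An empty result does not mean a message is genuine; the function only looks for the specific clues this post describes.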
November 21, 2011 Update: They’re now doing the same thing with the name firstname.lastname@example.org.