Yet Another PayPal Phishing Attempt

This one looks, on the surface, quite convincing.

This morning, I got the following message that appeared to be from PayPal in my inbox:

Dear PayPal Customer,

You have added andrew1987 @btconnect.com as a new email address for your Paypal account.

If you did not authorize this change, check with family members and others who may have access to your account first. If you still feel that an unauthorized person has changed your email, submit the form attached to your email in order to keep your original email and restore your Paypal account.

NOTE: The form needs to be opened in a modern browser which has javascript enabled (ex: Internet Explorer 7, Firefox 3, Safari 3, Opera 9)

Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

If you choose to ignore our request, you leave us no choice but to temporary suspend your account.

Sincerely, PayPal Account Review Department.

As shown in the accompanying screenshot, the message included all the usual PayPal logos and even a VeriSign Identity Protection logo. (What good is a logo like that if it’s so easily stolen and reused by scammers?) Of course, it was from an address at ppal.com (not paypal.com) and it was addressed to “Dear PayPal Customer” instead of my name. That’s a dead giveaway that the message is not real.

Of course, there was an HTML file attached. Opening the file in a text editor — not a Web browser! — showed HTML code with a JavaScript that would, among other things, collect your PayPal name, password, date of birth, and mother’s maiden name. I don’t know enough about JavaScript to figure out what would be done with this info, but I can assume it gets sent back to the folks who will then use it for identity theft.

Reading the message offers other clues that it’s fake. For example, although it’s standard for PayPal to send you an e-mail message if you add or change an e-mail account, they make a conflicting request. First, they say action is only necessary if you believe your account has been compromised. Then they tell you that if you ignore the request, they’ll suspend your account. That, of course, makes no sense.
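The clues described above (a sender domain that is not paypal.com, a generic greeting, and an HTML attachment carrying a credential form) can be checked from the raw message without ever opening the attachment in a browser. The following is an added example, not code from the original post; the sample message is constructed, and `phishing_indicators`, `TagFinder` and `brand_domain` are hypothetical names.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample modelled on the post's message; all names here are illustrative.
SAMPLE_EML = """\
From: PayPal <service@ppal.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear PayPal Customer,
If you choose to ignore our request, we will suspend your account.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="form.html"

<form><input type="password" name="pw"></form><script>/* placeholder */</script>
--b1--
"""

class TagFinder(HTMLParser):
    """Collects form, script and password-input tags; nothing is rendered or run."""
    def __init__(self):
        super().__init__()
        self.found = set()
    def handle_starttag(self, tag, attrs):
        if tag in ("form", "script"):
            self.found.add(tag)
        elif tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.found.add("password-input")

def phishing_indicators(raw, brand_domain="paypal.com"):
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    # Clue 1: the From address is not at the brand's domain (ppal.com vs paypal.com).
    dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if dom != brand_domain and not dom.endswith("." + brand_domain):
        hits.append("sender-domain:" + dom)
    # Clue 2: the greeting is generic rather than the account holder's name.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if re.search(r"^Dear (PayPal )?Customer\b", text, re.I | re.M):
        hits.append("generic-greeting")
    # Clue 3: an HTML attachment that contains a form, a script or a password field.
    for part in msg.iter_attachments():
        if part.get_content_type() == "text/html":
            finder = TagFinder()
            finder.feed(part.get_content())
            hits += sorted("html-attachment:" + f for f in finder.found)
    return hits
```

The From header is easily forged, so the greeting and attachment checks still matter when the sender domain looks correct.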

But I’m sure that many people would fall for this. After all, it indicates that a stranger’s email has been added to their PayPal account. All the talk about Internet fraud would send a person into panic mode. He’d open the file attachment and possibly go through the process of giving away information about his own account.

You have no idea how much this pisses me off. I know people who have been scammed by emails like this. One of them is an elderly man who had a bank account tapped into and partially drained before he was able to resolve the problem.

I immediately forwarded this message to spoofs@paypal.com — the address you should forward any questionable PayPal communication to.

Please help spread the word among friends and family members who might fall for phishing attempts like this. Tell them that if they get a communication from any company they do business with, they should log into their account the usual way, not by clicking a link or opening a file attachment in the message they receive.

September 3, 2011 Update:

Thought I’d mention another version of this scam. Here’s the message that arrived today:

Dear Customer,

You sent a payment of 40.90 GBP to Mobile Top-up Online
(sales@topups247.com)

If you have questions about the shipping and tracking of your
purchased item or service, please contact the seller.

Please download the document attached to this
email to cancel or forward your purchase.
————————-

Merchant
Mobile Top-up Online
sales@topups247.com
Instructions to merchant
You haven’t entered any instructions.

Shipping address – Unconfirmed
United Kingdom
Postage details

Of course, this one came with an HTML attachment, too. It’s named “PayPal Refund.html” and, to someone who isn’t actually thinking, it might seem like something worth double-clicking to fix the perceived incorrect charge.

Don’t get scammed.

November 21, 2011 Update: They’re now doing the same thing with the name sarah@comcast.com.

11 thoughts on “Yet Another PayPal Phishing Attempt”

  1. I am so stupid, I fell for this, as my laptop was recently stolen and I thought the person had tried to access my Paypal. I went on and deleted my account, but I did fill out the attachment with my SS number and address, not bank info. What should I do?

    • I’m so sorry to hear this. Unfortunately, I really don’t know what you should do other than to keep a sharp eye on all your bank and credit card accounts. In about a month, get a copy of your credit report to see if there are any new accounts on it. (I wrote about how you can get a free credit report here; don’t use the service that advertises on TV because they will charge you.) If there are, you’ll need to work with the authorities to close those accounts and try to track down the perpetrator.

      Hopefully someone else who reads this can come up with more substantial advice. Be wary, however, of organizations that make you pay to check and clean up your credit. Good luck.

    • But how did you change your password? Using the link in the mail, or logging in via http://www.paypal.com?
      If changing your password using the link in the (phishing) mail, then it is to no avail, and your account info has been compromised.

  2. Thanks so much for this info…

    I’m not really sure why but I found it a little suspicious that someone added the email to my account… I was in the process of entering my info when I decided to google the email address and see if I could find out who the person was or why they were accessing my account. BOOM, found your site and I’m so glad I did! After reading your article I checked my old mail folders in my business email and found that you’re right! Paypal always uses my name and never says any of the things about suspending my account or that I have to have java installed in order to use one of their forms… also paypal sites start with “https://www.paypal.com/” the form’s URL starts with “file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/Personal_Profile_Form_-_PayPal-1.html” and is unverified even though they show the Paypal Icon in the corner. Obviously not a part of paypal…

    Also, They have changed their name from PPAL to PayPal… so be CAREFUL!

    Thanks AGAIN, May have saved my business…

    • Oddly, most of the folks who have found this post have done so by searching for that email address. Glad to be able to help prevent more computer crime. Please do spread the word.

  3. Hi, Maria
    I just received a suspicious e-mail. So, I opened up my pay pal account and found out that we can send the message back to them to spoof@paypal.com.mx. This is my address for Mexico where I live. What you need to do is go to your pay pal account and look for the link where you can find an e-mail like that.

  4. Thank you so much for your info. I received the email about the email added to my paypal acct. I decided to google the email address and found your posting. Thank you so much!!!
