Paypal phishing attempt

Originally uploaded by Moontom

My wife forwarded me this email earlier today as she didn’t know what to do about it. I opened it, and immediately recognised the phishing email. Here’s some of my pointers on recognising phishing scams. Feel free to add some tips in the comments.

Having graded university papers for several years I have solid experience in recognising frauds. The tips I have for recognising a phishing scam are almost exactly the same as for identifying stolen, copied or plagiarised assignments.

It’s from an address at the domain Paypals. Ever heard of a company called ‘Papals’ with an ‘S’ at the end? Didn’t think so.

To field contains my wife’s address, who doesn’t even HAVE a Paypal account. They’re trying their luck.

Subject line: How can it contain information about her account if she doesn’t have an account?
It does contain the official PayPal logo at the top. This is the internet, where you can copy any image. This is not a paper document, it’s not a piece of office stationary. Copying images costs nothing and is easy.

‘Dear user’? O really? If they have her account details, and this email is specifically about her account (as opposed to a mass email), why isn’t the email personalised?

Bad English. ‘…of the PayPal account…’ Using a ‘the’ in the wrong place is a sure sign of someone who’s first language is not English. An out of place definite article should always be one of your clues, and in South Africa with all its diverse cultures we are sometimes used to it being used in the wrong way. Don’t fall for it.

Consistent use of adjectives. Official communication will always use adjectives consistently, in other words either no adjectives or there will be adjectives in front of every noun. In this case the single ‘precious time’ is a clear give away.

Clichés. Similarly to the last point, PR people mostly stay away form bad clichés, or else they over use them in an ironic sort of way, The lone ‘precious time’ cliché here is not only bad writing, it’s a dead giveaway as a professional outfit won’t let something like this to go out to a customer.

Inconsistent arguments. If she has to confirm details to avoid further problems, what were the problems in the first place? None are mentioned, and she didn’t initiate this communication so there were no problems to begin with.

Vagueness. She didn’t state a problem, the email doesn’t mention a specific problem. This whole scam counts on the reader being slightly intimidated and uncertain. Once updated, her account will be updated with additional security. Like what? Why are there no details?

Links. ANY email which ask you t click a link is suspect. ANY email. It;s worth repeating: ANY email. Never, ever, ever click on a link in an email. Even if it’s from your computer guru son/husband/wife/grandmother. Even if (or especially if) the from field has something like Jesus.Christ@heaven.com. Never, ever trust an email with a link in it.

Luckily my wife has a Mac. At this point in her life all of the above are moot, so she can happily click away. And I still give her this speech.

You can also read more about phishing at Wikipedia, or read more tips from Microsoft.

UPDATE: I forgot the most important point: forward the complete phishing email to spoof@paypal.com so they can track it and respond to it. There are discussions about PayPal’s sincerity in this, but still.