Handy tip: PayPal doesn’t send monthly account statements via email, or notifications that one is ready. So what if you do get a “May Account Statement” message and click on the link?
With millions of users and a completely web-based interface that makes it easy to log in and execute transactions from anywhere in the world, there’s probably no juicier target for hackers and cyber-criminals than PayPal. Even if the average account just has a few hundred dollars in it, if the bad guys can come up with a scheme that lets them zero out hundreds — or thousands — of accounts, they can make a lot of money in a very short amount of time.
That’s why you have to be more vigilant with PayPal than even with your more traditional bank, whether you bank with Chase, Wells Fargo, Bank of America, or anyone else, because it’s such a darn nice target. Of course, if you’ve taken my advice already and set up two-step verification, you’re a lot safer: a stolen password alone isn’t enough without the code sent to your cellphone for that all-important second data point. (A phishing page that relays your code to the real site while you wait can still get in, so treat the second step as a safety net, not a substitute for checking the link.) [see How to Set up 2-Step Account Verification for PayPal right now if you don’t already have this set up!]
Now, let’s have a look at this bogus email, what’s called a “phishing” scam in the industry. It shows up in your inbox and on first glance seems legit:
Of course, there is the weirdness of them notifying me that my May statement is available in February, but let’s say that they’d spent just a tiny bit more attention and it had said that my January statement was available instead. Are there any other clues that it’s a bogus message?
Not really. Which is why you need to be vigilant!
Dig in, however, and you can identify that there’s something, umm, fishy going on. Since I’m looking at this in Apple Mail, moving the cursor over a link shows the destination URL, and that’s definitely not right:
Not only am I 100% sure that PayPal isn’t using “contactsupport.com” as its primary domain, it’s not even that domain: the link actually points at “contactsuport.com”, with “support” spelled with a single ‘p’, which is yet another level of suspicious. The text of a link proves nothing; only the destination your mail program shows you when you hover over it counts.
But let’s say you messed up and clicked on the link because you weren’t paying attention.
Then, again, you get somewhere that looks quite legitimate on first glance:
It’s so current a clone of the real PayPal home page that it even references their Super Bowl commercial. Alarming. But look closer at the address bar and what do you find missing?
The padlock that indicates a secure SSL (“https”) connection with a valid, signed certificate identifying the site as the real PayPal.com. That’s why we have security certificates: to help tell the real company from the many clones and rip-offs!
Any time you’re about to enter credentials of a personal nature on any web site, you should look for at least an SSL (“https”) connection, and if it’s banking or anything of that nature, it should be a named (Extended Validation) certificate too, proving that the site is run by the company you think it is. One caveat: a padlock by itself only proves you’re talking securely to whatever domain is in the address bar, and a crook can get a perfectly valid certificate for a lookalike domain he owns, so read the domain name, not just the icon. Not sure? Restart your browser and type in the domain name of your institution yourself rather than trusting any link in any email or on any third-party web site!
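The two checks above (what domain does the link really go to, and is it https?) can be done mechanically before anyone clicks. The script below is an added example written for this post; it is not PayPal’s code or the author’s, and the sample links in it are constructed for illustration (only the misspelled “contactsuport.com” host mirrors the post). It goes a little beyond the post: besides the wrong-domain and plain-http cases it also flags a brand name buried in a subdomain, a userinfo trick where the real host sits after an “@”, and one-character lookalikes of the brand domain. `registrable_domain` assumes a one-label suffix like “.com”; hosts under “co.uk” and similar would need the Public Suffix List.

```python
"""Inspect the destination URL behind an e-mail link before anyone clicks it.

Added example for this post, not code from PayPal or from the post's author.
The URLs in main() are constructed for illustration; the misspelled host is
the one shown in the post, the rest are invented to show other tricks.
"""
from urllib.parse import urlparse

EXPECTED_DOMAIN = "paypal.com"   # the institution the e-mail claims to be from
BRAND_WORD = "paypal"            # word attackers like to plant in hostnames


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname: "www.paypal.com" -> "paypal.com".

    Assumption: a one-label public suffix. Hosts under "co.uk" and similar
    need the Public Suffix List; that is out of scope here.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 against a brand name is a typosquat smell."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def inspect_link(href: str, expected: str = EXPECTED_DOMAIN) -> dict:
    """Return the real host, its registrable domain, a verdict and red flags."""
    u = urlparse(href)
    host = (u.hostname or "").lower()
    domain = registrable_domain(host)
    flags = []

    if u.scheme != "https":
        flags.append("not https")
    if u.username is not None:
        # "https://www.paypal.com@evil.example/": everything before '@' is
        # userinfo, not the host, and the browser goes to evil.example.
        flags.append("userinfo before '@' hides the real host")

    if domain == expected:
        verdict = "expected domain"
    else:
        verdict = "wrong domain"
        if BRAND_WORD in host:
            # e.g. "paypal.com.evil-login.example": brand used as a subdomain
            flags.append("brand name in hostname but registered to another domain")
        d = edit_distance(domain.split(".")[0], BRAND_WORD)
        if 0 < d <= 2:
            # e.g. "paypa1.com": one character away from the real name
            flags.append("lookalike of brand domain (edit distance %d)" % d)

    return {"host": host, "domain": domain, "verdict": verdict, "flags": flags}


if __name__ == "__main__":
    # Constructed sample links; only the misspelled host comes from the post.
    samples = [
        "https://www.paypal.com/signin",
        "http://contactsuport.com/paypal/statement",
        "https://paypa1.com/login",
        "https://www.paypal.com.evil-login.example/",
        "https://www.paypal.com@evil.example/",
    ]
    for s in samples:
        r = inspect_link(s)
        print("%-48s %-16s %s" % (s, r["verdict"], "; ".join(r["flags"]) or "-"))
```

Run it and the first link comes back clean, the post’s misspelled link is flagged as a wrong domain over plain http, and the three invented ones show why the hostname, not the link text, is what you read: the brand word can appear anywhere in a URL the crook controls.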
But let’s assume you went further and clicked on “Log In”. What happens?
That really is the worst-case scenario, because there have been plenty of red flags along the way that should have stopped you before getting here, and, of course, if you have two-step verification turned on (and you do now, right?) even entering your real credentials here wouldn’t be the end of the world.
But if you do log in on a phishing site with your real account and password, the page will do one of two things: prompt you to log in again (sometimes bouncing you to the real site at that point), or put up a message asking you to wait 30 minutes and try again. Meanwhile the crooks, or a program they’ve written, log in with your credentials and transfer your balance to a mule account that sweeps it into another account, and another, until it’s lost in the windy trails of international banking.
Which would really suck.
Your best defense is always vigilance, but if you do find yourself signing in to a site and then suddenly feeling anxious that it wasn’t legit, don’t panic. Close that page, restart your browser, type in the real URL of the site yourself, log in and immediately change your password. While you’re there, check your recent activity for anything you don’t recognize, and if you used that same password anywhere else, change it there too.
I hope this helps people avoid being ripped off!