Help! I got an email from PayPal saying that I need to update my account information, but when I click on the link, it takes me to a completely unrelated site. How can I update things so I don’t lose access?
There are a lot of scammers on the Internet, and not all of them are dorky kids working in the basement, trying to trick you. Some of them are large-scale criminal organizations – some even funded by government agencies – seeking to steal your identity or otherwise cause widespread mischief. As a result, so-called “phishing” attacks are getting more and more sophisticated, requiring us online citizens to become both smarter and more skeptical.
Scammers and con men have been around since the dawn of time, but the online world brings a dramatic boost in overall efficiency that makes their jobs considerably easier. Now, instead of trying to trick the dozen or so people gathered around their wagon in the marketplace, they can reach out to thousands of people from a single device.
All of this is to say that you need to be more skeptical. If you click on a link and go to a site unrelated to the vendor (including when you look at the domain name of the landing page!) you need to ask yourself: is this legit? Odds are, it isn’t. Next time, you need to really do your homework before you click on the link, because what if it had looked legit? Would you have entered your account and password, trying to log in?
Let’s look more closely at a similar “PayPal” email I received:
At first glance it looks reasonably legitimate, with the PayPal logo, no obvious typos or misspellings, and a reasonable subject of “Update your account information”. But a closer look can already reveal that it’s bogus: Look at the reply-to address. “firstname.lastname@example.org”. Why would PayPal have an email reply-to address within Hewlett-Packard, instead of an @paypal.com address?
But maybe your email program wouldn’t show that item of information. Instead, have a quick peek at the sender email address. In Apple Mail, that’s done by clicking on the tiny down arrow adjacent:
So it not only has an hp.com return address, but it appears to be sent from HP too.
Note: spammers routinely fake the origin address, the reply-to address and similar fields, so don’t worry that HP has been hacked or that it’s someone at HP doing something criminal.
There’s a much more important link to check before clicking anyway: the URL associated with that big, inviting blue “Resolve” button. Again, in Apple Mail, moving the cursor over a link will show the associated Web page address, and just about every decent email program should have a similar feature. In this case, it’s clearly not going to take you to a PayPal login page:
That’s pretty weird, a page called “pp” within “mobile/styles” on the site “watcvm.org”. Quite likely this is a site that a hacker snuck onto to set up the fake PayPal login page, so they’re not part of this either! As soon as you see a mismatch in domain names, you can safely conclude the email is bogus and delete it. Done.
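The sender, reply-to and link checks described above can also be scripted. This Python sketch is an added example, not part of the original article: the sample message and every address and URL in it are constructed, and `check_message`, `belongs_to` and `LinkCollector` are hypothetical names. It goes slightly further than the article by also catching look-alike hosts that merely start with the brand name.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; every address and URL below is made up.
SAMPLE = """\
From: PayPal <service@mail-host.example>
Reply-To: someone@mail-host.example
Subject: Update your account information
Content-Type: text/html; charset="utf-8"

<a href="https://hacked-site.example/mobile/styles/pp">Resolve</a>
<a href="https://www.paypal.com/help">Help</a>
<a href="https://paypal.com.login.example/">Sign in</a>
"""

def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def check_message(raw, domain="paypal.com"):
    """Return (field, value) pairs whose domain does not match `domain`."""
    msg = message_from_string(raw)
    findings = []
    for header in ("From", "Reply-To"):
        addr = parseaddr(msg.get(header, ""))[1]
        if addr and not belongs_to(addr.rpartition("@")[2], domain):
            findings.append((header, addr))
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    parser = LinkCollector()
    parser.feed(body)
    for href in parser.hrefs:
        if not belongs_to(urlsplit(href).hostname, domain):
            findings.append(("link", href))
    return findings

if __name__ == "__main__":
    for field, value in check_message(SAMPLE):
        print(f"MISMATCH {field}: {value}")
```

A clean result proves nothing by itself, since sender headers can be faked as noted above; a mismatch is the useful signal.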
But let’s say you did click. Often, you’ll get to a login page for PayPal or a similar service that’s completely identical to the real page on the actual site. Duplicating a page is quite easy, unfortunately. Log in on the bogus site, though, and they can quickly hijack your real account and drain it of any money you have therein. They would also gain access to your name, address, phone number, and quite a bit more personal information. Not good at all.
This is a rare instance where clicking on the bogus link doesn’t produce a fake login page, but instead just drops you onto the home page of the innocent, hacked site:
Completely legit site and clearly no association with PayPal whatsoever. Often a lazy admin on a site like this won’t know they’ve been hacked and are the center of a widespread site attack. Oh, and if you think that having a security certificate and being “Secure” on the address bar is proof that an organization is legit…
Notice that anyone can get an SSL certificate. Again, WATCVM is a real, valid organization but there’s nothing to stop bad guys from setting up a bogus site that seems legit, paying for an SSL certificate, and using that as the basis of their next online scam…
Anyway, the real lesson of this experience is to be more skeptical. If you get an email telling you that there’s a crisis of some sort with your banking, social media, or other account, check a few items like who sent it and where it’ll take you before you believe it and proceed. Better yet, never click on links in email. Instead, just go directly to the site and log in as you always do.
Be careful out there!