I just got an email from PayPal saying that there’s a payment reversal on my account and that I need to log in to explain what happened. But I haven’t bought or sold anything through PayPal in months. Is this legit or some phishing or other scam?
It’s a scam. If it’s like what I received the other day, it’s also an extraordinarily well-constructed scam, down to a perfect clone of the PayPal home page and a domain that’s really close to the paypal.com domain. This isn’t some kid putting the scam together in his basement either; it’s very well done.
But you wouldn’t have to worry about it if you follow my basic rule of thumb: Never click on a link in an email message.
This is most important on sites that require you to log in, of course, so a link to the Google home page — or to AskDaveTaylor.com — isn’t anywhere near as questionable. But a link to your bank, PayPal, eBay, Amazon or anything like that is problematic and should be avoided at all times.
Got it? Don’t click.
Meanwhile, let’s step through this phishing scam and see what they’re doing.
To start, here’s the email I received. Probably looks just like what you got:
Everything about this looks good. The email makes sense, it comes from a PayPal address and even has a bunch of complicated numbers that make it seem like it might be a legit issue.
Any decent modern mailer, however, will show you the problem if you simply hover your cursor over the “Remove Limitation” button:
Clearly PayPal Corporation isn’t going to use a URL shortener, so that’s enough for you to say “Yikes!” and delete the message. Right? 🙂
But let’s say you didn’t and you clicked through on the link. The resultant page you get to is oh so well done as a scam page. It’s really a perfect clone of the real PayPal home page:
How can you tell? Well, that’s tricky.
There are two things wrong here. First, there’s no SSL secure site indicator from the browser (in this case, Google Chrome). Second, if you look really closely at the URL you can hopefully spot the problem:
See it? It’s subtle. At first glance, in fact, I saw “www.payipal.com” and said “Ha! Wrong domain.” But look even closer and that’s wrong too: the domain is actually payipal-com-web-apps.cf. And the .cf domain? That’s a new one for me too; turns out it’s the Central African Republic, of all places. Definitely not where PayPal is located!
Whether you enjoy putting on your deerstalker and playing detective or just want to avoid problems, it’s always best to stick to my rule: don’t click on links in email.
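The URL reading described above can be automated for a mail filter or a link-preview tool. This is an added example, not code from the original post: the function names, the shortener list and the sample URLs are assumptions constructed around the domain named in the article. It goes slightly beyond the one case shown by also catching the genuine name used as a prefix or as a user-info decoy.

```python
import re
from urllib.parse import urlsplit

TRUSTED = "paypal.com"   # the genuine domain named in the article
BRAND = "paypal"
# Assumed list of common shorteners; the article does not name the one used.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Classify a link by the host the browser will actually contact."""
    parts = urlsplit(url)
    # .hostname drops any "user@" decoy and the port, leaving the real host.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    # Only paypal.com itself or a true subdomain of it counts as genuine.
    if host == TRUSTED or host.endswith("." + TRUSTED):
        return "trusted" if parts.scheme == "https" else "trusted-host-no-tls"
    if host in SHORTENERS:
        return "shortener"
    # Split on dots and hyphens so "payipal-com-web-apps" yields "payipal".
    tokens = re.split(r"[.\-]", host)
    if any(edit_distance(tok, BRAND) <= 1 for tok in tokens):
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample links; only the .cf domain comes from the article.
    for sample in (
        "https://www.paypal.com/signin",
        "http://www.payipal-com-web-apps.cf/webapps/login",
        "https://www.paypal.com@payipal-com-web-apps.cf/",
        "https://bit.ly/abc123",
    ):
        print(f"{classify_link(sample):20} {sample}")
```

A "lookalike" or "shortener" result on a message that claims to come from PayPal is reason enough to delete it and go to the site by typing the known address.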
The Wood Duck address is nonexistent; it’s got to be fake. PayPal should not transfer $ to a ghost address.
CRAP!… So I thought it was from PayPal. I entered information until I got to the card part… went onto PayPal to see and did not see anything. So now what do I do?!?!? I did not give them my credit card info but they did get my address, home and ss :/
I also did the same thing. Did you get any advice? I did change my PayPal security code but stressed out over giving all my information as you did.
Received 8/22/15 (alleged payment recipient’s name & email redacted). Note the poor spelling & grammar as well as the July deadline:
“Suspicious Transaction.
Your account just make suspicious transaction, We’ve temporary limited your account due to this suspicious activity until the issue is resolved.
If You didn’t authorize this transaction, please dispute transaction soon.
I Didn’t Authorize This Purchase (link to payipal-security.cf)
Here is transaction detail :
To : K****
To email : k****@yahoo.ca
Transaction date : July 24, 2015
Transaction ammount : $50 USD
Transaction ID : 1CB75442PS5426323S
Note : Ship to 4326 Wood Duck Drive Marquette, MI 49855
Please login to your account and provide the requested information to dispute this transaction before July 6, 2015.”
I forwarded the email to spoof@paypal.com…
I regularly get emails like these and follow your advice and immediately delete them. I will then log into any account I have with that company using the known url just in case it is for real. It never has been so far.
If you look at your example of the browser, you say there’s no SSL secure site indicator! But it does suggest by the httpS that it is a secure connection. It’s correct to inform those of us who could get caught out that the lack of SSL secure would suggest it’s fake, but it’s wise to ensure that all users of all browsers are aware that on some browsers such as Firefox the left side goes green with the words “PayPal Inc US” with the same green padlock. This does indicate the correct site, and clicking on the green padlock will show the site’s credentials in a small drop-down box. All users could be advised, like you say, don’t click on a link. I myself do, just to see how good the criminal has got, and inputting a fake e-mail address and password lets me log in, which in reality it would not! I received an e-mail like this but its address was not https and it started with unblock-paypal uk.com, a very, very good copy of the current site.