Phishing emails

Got this email in my inbox today:

LOOKS GOOD, RIGHT?

Wrong.

What tipped me off as being suspicious was the email address: paypal@email.paypal.ca

My email program didn’t automatically recognize it as a Paypal email: you can see that it did not automatically download the images in the email (the yellow tab at the top says that I can add them to my safe list and automatically accept images every time they email me).

Second, it didn’t match the filter I put on ALL authentic Paypal emails that come in when they send me information, or when there’s activity on my account.

I forwarded it to spoof @ paypal.com (something you should do immediately if you think you’ve received a fake Paypal email).

But this will be a good post example for everyone on how to spot a FRAUDULENT email.

1. What Paypal says…

How can I tell the difference between a real PayPal email and a fraudulent one? (Source: Paypal.com)

Answer : One way to tell if an email is really from PayPal is that we address you by your first and last names or your business name. We don’t say things like “Dear user” or “Hello PayPal member.”

Also, our emails don’t link directly to pages that ask you to enter sensitive information like your bank account, credit card, or Social Security numbers.

If you think you’ve received a fraudulent email, forward it to spoof @ paypal.com and then delete it from your email account.

Check! They didn’t address me by name.. well, sort of “Fabulously Broke” is my user name but.. even so. 🙂

2. What is phishing?

“Phishing” is a form of Internet fraud that aims to steal valuable information such as credit cards, social security numbers, user IDs and passwords.

A fake website is created that is similar to that of a legitimate organisation, typically a financial institution such as a bank or insurance company.

An email is sent requesting that the recipient access the fake website (which will usually be a replica of a trusted site) and enter their personal details, including security access codes.

The page looks genuine, because it is easy to fake a valid web site.

Any HTML page on the web can be modified to suit a phishing scheme.

Phishing e-mails are often sent to large lists of people, expecting that some percentage of the recipients will actually have an account with the real organisation.

The term comes from “fishing,” where bait is used to catch a fish.

In phishing, e-mail is the bait.

(Source: New Zealand Government Digital Strategy)


3. FB’s Tips on how to spot a fraudulent email

They should already be “Safe Senders”

If it’s a company like Paypal, or your bank, that you have added to your email inbox as a SAFE sender, then you should not be seeing signs in the email indicating “SPAM???” or “Click here to add to Safe Sender List”.

Check the company’s rules for what they do and do not send you

As a general rule, banks do not send you emails asking for passwords, IDs, Social Security numbers, or anything that asks you to identify yourself. But email or call your bank, and ask them what they DO regularly send out, and compare it to what you got.

Do not click on any links in the email, type the address in a browser instead

Avoid downloading or clicking on any links in the email. Period.

If you want to check what they’re saying is true, log into your actual bank account, but type the address of the website (www.paypal.com) in your web browser, and go directly to the page and check out what’s going on.

Most secure sites have a little lock in the URL bar that tells you the connection is secure. The lock only means the connection to the address shown is encrypted, so also check that the address itself is the real one (www.paypal.com, not a look-alike).

Use common sense: they sure don’t

Check for basic formatting and EASY things like spelling and grammar.

Remember, these are usually young hackers, or more than likely, Nigerian scammers who can’t spell or don’t know what kind of wording to use in an email, as English is a language filled with many descriptive verbs and words that, when used wrongly, sound.. off to our ears.

These are some things to look out for…

If the font looks unusual

If it is not what your bank or company normally sends you as a standard font, BE SUSPICIOUS. If it’s in Comic Sans font (or what I got above), BE SUSPICIOUS. Paranoia and being overly cautious is better than being too trusting.

If the spelling is whack

Phishers are not the brightest people in the world; if they were, they wouldn’t be trying to cheat people by sending emails without spell checking them.

If the grammar sounds weird

Read it out loud to yourself. If it sounds awkward, like a noun or the proper conjugation of the verb is missing, then it’s more than likely to be a fake email.

Banks and other institutions read, and re-read any basic emails with a magnifying glass because they want to be SURE they don’t come off as sounding unprofessional and stupid — you’re giving them money, remember?

The whole email feels wrong and unusually urgent

It sounds too panicky. Or it urges you to IMMEDIATELY take charge of the situation and rectify the problem. Nothing THAT large of a rush from your bank or other accounts should ever be sent in an email to you — they should pick up the phone and call you immediately.

If you are concerned, call your bank immediately, report what you read in an email and ask them to verify.

If it isn’t something you are interested in anyway, don’t click on it

Like if it’s asking you to send money faster (huh..) by using invoicing or setting it up.. well, if you don’t care or need it, then don’t do it and delete it immediately.

Or if you care, type the URL into the browser and get to the site safely!
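As an added example (not from the original post), here is a small Python checker that applies the tips above to a raw email: the sender’s domain, whether you are addressed by name, where the links point, urgent wording, and requests for secrets. The two sample messages and the .example sender domain are constructed for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicator word lists drawn from the tips above (generic greeting, urgency, requests for secrets).
GENERIC_GREETINGS = ("dear user", "dear customer", "hello paypal member", "dear member")
URGENCY_WORDS = ("immediately", "urgent", "suspended", "within 24 hours", "verify now")
SENSITIVE_WORDS = ("password", "social security", "credit card", "bank account")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def same_org(host, expected):
    """True if host is expected or a subdomain of it: mail.paypal.com yes, email.paypal.ca no."""
    host = host.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)

def check_email(raw, expected_domain, my_name):
    """Return the list of phishing indicators found in one raw text/plain message."""
    msg = message_from_string(raw)
    body = msg.get_payload()          # single-part text body only, for this example
    text = body.lower()
    found = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not same_org(sender_host, expected_domain):
        found.append(f"sender domain {sender_host!r} is not {expected_domain!r}")
    if any(g in text for g in GENERIC_GREETINGS) or my_name.lower() not in text:
        found.append("not addressed to you by name")
    for url in URL_RE.findall(body):  # tip: type the address yourself instead of clicking
        host = urlparse(url).hostname or ""
        if not same_org(host, expected_domain):
            found.append(f"link points to {host!r}, not {expected_domain!r}")
    if any(w in text for w in URGENCY_WORDS):
        found.append("urgent, panicky wording")
    if any(w in text for w in SENSITIVE_WORDS):
        found.append("asks for sensitive information")
    return found

# Constructed sample messages (not real mail); the .example sender is a made-up phishing domain.
SAMPLE_PHISH = """From: PayPal Security <service@paypal-secure-login.example>
Subject: Your account has been limited

Dear user,
Your account is suspended. Verify now: confirm your password at http://paypal-secure-login.example/verify within 24 hours.
"""
SAMPLE_CA = """From: PayPal <paypal@email.paypal.ca>
Subject: Get paid faster with invoicing

Hi Fabulously Broke,
Create invoices at https://www.paypal.com/invoicing and get paid sooner.
"""
```

Run against the second sample, the checker raises exactly the one flag the post describes, the unexpected email.paypal.ca sender, while the first sample trips every check.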

Phishing, cheating and scamming to get your credit card or bank info are NOT exclusive ONLINE ONLY tricks

It was done a long time before the internet came along.

Check out this picture of a real-live credit card skimmer found in a Wamu bank machine by a smart banker.

Waitstaff for example, can skim your credit card info by pretending to clean it on their apron, when they’re really swiping the info off into a skimmer hidden in their apron. It has happened so many times without people noticing… it isn’t funny how easy it is to steal info.

Never let your credit card out of your sight (I generally stick to paying cash in shady places that make really delicious food, unless they bring the card to the table and/or let me watch them swipe it at the counter).

Check your statements all the time. Even when you haven’t spent anything. And check each amount and place it was spent in.

In conclusion, that email above isn’t so bad. But just by a couple of indicators like the weird email address, lack of a filter, strange font, odd spelling and strangeness of it, I marked it as a phishing email, notified Paypal and deleted it.

It could very well be legitimate, but better safe than sorry, I say.

UPDATE: Turned out it was legit. Better safe than sorry anyway. And they should know, better than ANYONE ELSE, not to put damn links in an email.

*slaps Paypal’s wrist*

THE TEST: Is this a Phishing email? If so, name 3 reasons why


About the Author

Just a girl trying to find a balance between being a Shopaholic and a Saver. I cleared $60,000 in 18 months earning $65,000 gross/year. Now I am self-employed, and you can read more about my story here, or visit my other blog: The Everyday Minimalist.