How to detect high-risk PayPal phishing emails


Author: Conative Business Inc. (05/22/2010)

Today I received this email from [email protected] with the subject: "Your PayPal account has been limited". It was marked with "High importance".

It sounds serious, doesn't it? I've seen many PayPal phishing emails before, but this one looked reliable.

The sender email address looked legitimate: [email protected], unlike popular phishing senders' style such as: [email protected] (this is an example email address).

I opened the email and saw the PayPal logo. On the right, there was a box "Protect your account info" with a valid link to http://ww.paypal.com, that even provided "Security Tips" at the secured link: https://www.paypal.com/us/securitytips.

Figure 1: This email seems to be reliable

Wait a minute! This email was sent to the email address [email protected]. But I have no PayPal account associated with this email address! Something is wrong.

Also it said "Dear Paypal member". It did not have my name, or my business name. This is evidence of phishing. PayPal always starts its emails with "Hello [Name]" or "Dear [Name]".

I found the activation link, scrolled the mouse over it, and the real hyperlink popped up (this is an MS Outlook feature). Important: I did not click on the link.

Figure 2: The activation link is fraudulent

The link actually pointed to http://tosuper.com/blablabla, not PayPal. It took me another 5 seconds to Google this hyperlink, http://topsuper.net, and figure out it is 100% phishing. This phish was reported on May 21, 2010. A new-born baby phish!

Figure 3: This is a verified phish

By the way, a friend of mine also received this email on the same day:

------------------

From: PayPal

To: [email protected] (real email address has been changed)

Sent: Fri, May 21, 2010 2:44:03 PM

Subject: Customer Notice

Dear PayPal Customer,

Your online account has been locked due to unusual activity.

Please click to unlock your account, and continue using PayPal services.

-----------------

This email was sent from [email protected]. It is NOT [email protected], so you can quickly know to be careful.

PayPal always includes your name. It should never read "Dear Paypal Customer".

The hyperlink "click" led you to http://webservice-pp.com. Again, this is NOT an authorized PayPal website.

What is Phishing? Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication (Source: Wikipedia).

A few take-aways:

If you receive an email from your bank, credit card organization, or PayPal, please check the following:

* Verify your name: Phishing emails usually start with generic names such as "Dear PayPal member" or "Dear customer".

* Verify the sender email address: Phishing email addresses are often similar to the organization's email address, but not the same, e.g. [email protected] vs. [email protected]. However, in some cases phishers can use fake SMTP to forge the exact email address.

* Verify the recipient email address (your email): Phishing experts crawl the Internet for email addresses and send their messages to all the email addresses they find. If your email address is not the dedicated email address for your account at the organization that sent the email, it is more than likely a phishing email.

* Prior to logging in, verify the website. The phishing website can look exactly the same as the site you want to enter, but will have a different domain.

* Finally, if you are still unsure if that is a legitimate site, call the organization to verify.
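
The checks in the list above, applied to a raw message in Python (an added example, not part of the original post). The finding labels, the expected domain argument, the account-address set and the sample message are assumptions constructed for illustration; the sample has a plausible sender and one genuine PayPal link, so only the greeting, recipient and link-target checks fire.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC = re.compile(r"\bdear\s+(paypal\s+)?(member|customer)\b", re.I)

def in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

class Links(HTMLParser):  # collects each <a> href: the real target, not the label
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def check_email(raw, org_domain, my_account_addrs):
    """Return labels (hypothetical names) for each take-away check that fails."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # single-part message assumed
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    if not in_domain(sender.rpartition("@")[2], org_domain):
        findings.append("sender-domain")  # a match proves nothing: From can be forged
    if parseaddr(msg.get("To", ""))[1].lower() not in my_account_addrs:
        findings.append("recipient-not-account-address")
    if GENERIC.search(body):
        findings.append("generic-greeting")
    parser = Links()
    parser.feed(body)
    for href in parser.hrefs:
        url = urlparse(href)
        if url.scheme in ("http", "https") and not in_domain(url.hostname, org_domain):
            findings.append("link-off-domain:" + href)
    return findings

# Constructed sample, not a real message: plausible sender, everything else wrong.
SAMPLE = """From: PayPal <service@paypal.com>
To: info@myshop.example

<p>Dear PayPal member,</p>
<a href="http://www.paypal.com.verify.example/activate">https://www.paypal.com/activate</a>
<a href="https://www.paypal.com/us/securitytips">Security Tips</a>
"""
```

Calling `check_email(SAMPLE, "paypal.com", {"billing@myshop.example"})` returns the three failed checks; the suffix test in `in_domain` is what keeps a host such as `www.paypal.com.verify.example` from passing as PayPal.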

Also, note that PayPal is a popular phishing target!

If you are not familiar with phishing, you may become a real FISH and lose money. So I hope that this post has been of help to you and that you avoid future problems.

For those of you who have additional comments or recommendations, I welcome your feedback!

Mike Le