New PayPal scam email spoofs genuine account inquiry: Internet Scambusters #431
If you buy or sell online, you could be vulnerable to a PayPal scam.
Spoofing the name of the company that handles online payment transactions, or abusing the way it operates, underlies a huge amount of Internet fraud.
In this week's issue we highlight the five most common PayPal scams, how you can avoid them and the actions you can take to further protect yourself.
Time to get going...
The Five Most Common PayPal Scam Tricks
A new PayPal scam has landed in hundreds of thousands of email inboxes during the past few months.
The attack uses one of the oldest tricks in the book -- trying to con people into revealing their PayPal account details.
But it's cunningly put together and it emphasizes the fact that because we think of PayPal as a safer way to do business, it may be easier to fall for a scam that uses the company's name.
We've reported on this topic before in a past article, 2 New PayPal Scams.
But this latest incident is a stepping-off point to highlight the five most common types of PayPal fraud.
First, though, a word about PayPal.
You may already know that this online money transfer and payment system is owned by the online auctioneer eBay.
But it's used for a whole lot more than paying for auction purchases. Many retailers now accept PayPal for payment of online purchases and it's even used for transferring money as gifts.
The key attraction -- and the reason it's considered secure -- is that you don't have to provide your credit card details to a seller.
Only PayPal has your card details, plus any credit balance you hold.
But the organization is not a bank and it is not subject to banking regulations. Nor are its funds protected by the Federal Deposit Insurance Corporation (FDIC).
We're not saying that's a bad or good thing... just making it clear.
Over the years, PayPal has made numerous changes to its security policies to try to reduce the incidence of scams, closing a number of loopholes that were being exploited by crooks.
But there's little or nothing they can do when their name is taken in vain or when members use the system incorrectly, playing into the hands of villains, as our list shows.
PayPal Email Scam #1
We wrote some years ago about this type of phishing scam, in which the crook tries to get your account details.
And according to a 2010 report from Internet security outfit Kaspersky Lab, 56% of all coordinated phishing attacks target PayPal account holders.
The newest variant pretends to be a notification that your account has been switched to "limited" status.
This is very cunning because, every year, PayPal does in fact "limit" thousands of accounts, and they do send out email notifications and information requests to affected account holders.
"Limiting" restricts account activity and usually kicks in when PayPal notices something unusual in an account's transactions.
That makes it a perfect subject for spoof emails; so, earlier this year, another Internet security firm, Sophos, warned of a PayPal email scam based on the "limiting" process.
According to Sophos, the email contains the following statements:
(Begin PayPal scam message)
Dear PayPal account holder
PayPal is constantly working to ensure security by regularly screening the accounts in our system. We have recently determined that different computers have tried logging into your PayPal account, and multiple password failures were present before the logons.
Until we can collect secure information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.
Download and fill out the form to resolve the problem and then log into your account.
(End PayPal scam message)
Of course, as usual, the message appears to be genuine, though, unlike some other PayPal scam email messages, apparently it does not use the PayPal logo.
The attachment is called "restore_your_account_PayPal.html" but if you complete it, you'll be supplying your account details to criminals, not to PayPal.
Action: With any email seeking confidential information, from PayPal or anyone else, do not reply or open attachments.
Instead, visit the organization's website by keying in the address and check out your status there.
In the case of PayPal, go to https://www.paypal.com, log in, click on the "Help" link at the very top of the screen, then click on "Limited account" in the "Resolving Account Issues" section.
PayPal Email Scam #2
Spoof email messages with attachments or links to bogus PayPal pages may also be used to install malware on your PC.
In some recent cases, these have been used to gather banking information from victims' PCs.
This information is then used to transfer funds into unverified PayPal accounts.
Action: Again, don't click on attachments or follow links in such emails. Go directly to paypal.com.
PayPal has also partnered with security software firm Iconix to produce a free program called eMail ID, which will supposedly tell you if an email is truly from PayPal.
We haven't used or tested it, so we can't vouch for its effectiveness, but you can learn more and download it at their site.
The Gift Payment PayPal Scam
As we said earlier, PayPal also can be used to easily transfer money between individuals.
In a new scam, crooked online vendors, especially those using eBay and the classified ads site Craigslist, ask buyers to send payment as a cash transfer or gift rather than a regular "payment for goods."
Why would you do this? Well, the seller will say this will avoid them having to pay a fee for the transaction.
But a gift is a gift, right? It's not a payment for goods, so, by definition, you won't qualify for PayPal's purchase protection service.
As far as they're concerned, you haven't bought anything; you've just gifted some cash!
If the goods don't turn up or they're not what you expected, you don't have a leg to stand on.
Action: Just don't do it! Explain that you want to be covered by PayPal's purchase protection and this is the only way you'll do the deal.
If the vendor says you'll have to pay extra to cover the fee, you have to decide whether the deal is worth it.
The "Payment Received" PayPal Scam
In this PayPal fraud, a bogus buyer agrees to use the online payment service and sends you a fake email, supposedly from PayPal, saying they (PayPal) have received the payment and asking you to mail off the item you sold so that the money can be transferred to your account.
The message says the money will only be released when you provide a tracking number as proof it has been shipped.
Sophisticated versions of this trick disguise the real email address to look like it's from PayPal and may even include what appears to be an extract from your account, showing the "received" payment.
Of course, the money's not really there, and if you ship the item, you'll be the loser.
Action: Always verify payment notifications by logging on to your PayPal account directly.
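The two warning signs described above, the HTML form attachment in PayPal Email Scam #1 and the disguised sender address in the "Payment Received" scam, can be checked mechanically on a saved message. The following is an added example, not code from this newsletter or from PayPal; the names triage, FormFinder and domain_is, the finding labels and the sample message with its hosts are all constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, not a real capture; sender and form hosts are placeholders.
SAMPLE = """\
From: "PayPal Security" <service@paypal.com.accounts.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Download and fill out the form to resolve the problem.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="restore_your_account_PayPal.html"

<form action="http://collector.example/save"><input type="password" name="p"></form>
--b1--
"""

class FormFinder(HTMLParser):  # collects form targets and password fields
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def domain_is(host, brand_domain):  # exact domain or a true subdomain of it
    return ("." + host.lower().rstrip(".")).endswith("." + brand_domain)

def triage(raw, brand="paypal", brand_domain="paypal.com"):
    msg, findings = message_from_string(raw, policy=policy.default), []
    name, addr = parseaddr(str(msg["From"]))
    if brand in name.lower() and not domain_is(addr.rpartition("@")[2], brand_domain):
        findings.append("display-name-mismatch")  # name says PayPal, address does not
    for part in msg.walk():
        if part.get_content_type() == "text/html" and part.get_filename():
            f = FormFinder()
            f.feed(part.get_content())
            if f.has_password:
                findings.append("credential-form-attachment")
            if any(not domain_is(urlsplit(x).hostname or "", brand_domain) for x in f.actions):
                findings.append("form-posts-off-domain")
    return findings
```

A sender address that does end in paypal.com proves nothing on its own, because the From header can be forged; the check only catches mismatches, so logging in to the account directly remains the deciding step.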
Hijacked PayPal Accounts
As a result of phishing or malware, crooks gain access to your PayPal account and drain it.
Or, as part of an identity theft scheme, they may open PayPal accounts in your name but with a different address, and link them to your bank account.
When you open a PayPal account, the firm makes a small deposit into your bank account, and then asks you to tell them the exact sum so they can verify it's your bank account and activate your PayPal account.
If the scammer knows how to access your bank details, they can get this verification, setting up a PayPal account linked to your bank account.
Action: Monitor your PayPal account regularly and check your bank statement for small transactions you know nothing about.
As we said at the outset, PayPal themselves do a tremendous amount to limit the risk of fraud, including helping you to create good passwords.
To find out more, go to paypal.com and click on "Security and Protection" at the top of the page.
A PayPal scam may be an increasingly frequent trick, but using this information and a good measure of common sense, you should be able to avoid being among the victims.
That's a wrap for this issue. Wishing you a great week!