The claim that PayPal, the online payment app, needs users to resubmit their credit card and bank account information as part if routine security maintence has circulated online since at least 2002. For instance, the rumor has spread via emails that appear to be authored by the company itself — but, in reality, scammers are responsible for the messages.
Snopes collected one such email in 2003:
Dear PayPal Customer
PayPal is currently performing regular maintenance of our security measures. Your account has been randomly selected for this maintenance, and placed on Limited Access status. Protecting the security of your PayPal account is our primary concern, and we apologize for any inconvenience this may cause.
To restore your account to its regular status, you must confirm your email address by logging in to your PayPal account using the form below:
The email included a form for recipients to enter their email addresses, account passwords, bank account numbers and credit card numbers and expiration dates, and then to hit a "Log In" button. After that, the message said:
This notification expires March 31, 2003.
Thanks for using PayPal!
This PayPal notification was sent to your mailbox. Your PayPal account is set up to receive the PayPal Periodical newsletter and product updates when you create your account. To modify your notification preferences and unsubscribe, go to https://www.paypal.com/PREFS-NOTI
and log in to your account. Changes to your preferences may take several days to be reflected in our mailings. Replies to this email will not be processed.
If you previously asked to be excluded from Providian product offerings and solicitations, they apologize for this e-mail.Every effort was made to ensure that you were excluded from this e-mail. If you do not wish to receive promotional e-mailfrom Providian, go to https://removeme.providian.com/.
Copyright© 2002 PayPal Inc. All rights reserved. Designated trademarks and brands are the property of their respective
Don’t be fooled — these “phantom emails” do not originate with either PayPal or eBay; they are the creation of thieves intent upon harvesting bank account and credit card numbers from the unwary. Although some elements of the form are genuine (a little blue PayPal symbol links to paypal.com, for example), information entered into the data boxes does not get sent to the online banking house; it is instead routed to an e-mail address in Russia.
Earlier versions ran the con in a slightly different way: Official-looking e-mails informed users their accounts had been flagged for fraud investigation and provided a hot link to a special PayPal webpage where they could fill in the blanks — name, address, credit card number — supposedly necessary to reinstate their account status. Those earlier hot link manifestations would momentarily connect the about-to-be-defrauded to PayPal’s homepage before switching to a counterfeit verification page housed on an entirely different site.
Both eBay and PayPal (eBay bought out PayPal in 2002, and then the two companies split in 2015) swear they never ask for personally identifiable information via e-mail, and both have stopped including website hot links in messages to members. Ergo, if you get an e-mail “from” one of these entities asking you for a credit card or banking account number, it’s not the real thing.
To guard users against such scams, PayPal advises the following, as of September 2022:
Phishing messages often begin with impersonal greetings. “Dear user” or “Hello, PayPal member” are definitely suspect. Messages from PayPal will always use the full name listed in your PayPal account.
Attachments can contain malware, so never open them unless you’re 100% sure they’re legitimate.
Don’t heed pleas for you to take fast action or warning you of problems that will compromise your account status.
If the web address is scrambled or looks suspect, don't click on anything and leave.
Never provide personal, credit card, or account info via email, text, or phone.
Typos, misspellings, and incorrect grammar are common in phishing messages.
This form of theft is not new, even if the techniques now be used to accomplish it (CGI scripts and hot links) are. The same basic con has been used for a very long time and has flourished in numerous less techno-terrific ways — it’s all about getting potential victims to hand over their banking and credit information, an objective the con artist accomplishes by masquerading as a bona fide representative of a reputable and trusted organization that would have reason to ask for that information.
In the non-cyber world the unwary have been duped into providing such sensitive financial details via fake IRS forms, which appeared to have been issued by the victims’ own banks. (The victims would fax the completed forms to the fraudster, thinking they were filing them with the IRS.)
An even less technology-driven scam requires nothing more than a telephone and the local phone book: the defrauder skims the white pages for people who live near a particular bank and calls them, presenting himself as an employee of that financial institution who needs to confirm their account information. Because people tend to patronize the bank closest to where they live, the thief will encounter very few responses of, “No, you’ve got the wrong Molly Brown — I don’t have an account there.” We tend to accept the way people present themselves at face value, so only a handful of us think to question someone who greets us by name, identifies themselves as working at our bank and informs us there is something wrong with our bank accounts. The straightforward request that we read off the account numbers from our checks will all too often net the scammer the information they seek; only long afterwards (if at all) do we stop to wonder why, if they had our names and phone numbers, they didn’t have the details of our accounts at their fingertips, as well.
Scams that trick the gullible into revealing private information by having them “confirm” details, presumably already in the possession of the one doing the asking, fall under the broad heading of “social engineering,” a fancy term for getting people to part with key pieces of information simply by talking to them. The wary consumer’s best defense to such maneuvers is a zipped lip (or, in the online world, an untapped keyboard). Protect yourself by volunteering nothing, even if you feel somewhat pressured by the one doing the inquiring. If someone on the telephone asks you to read off your checking account number for “verification,” ask the caller instead to recite it to you from their records. If you get an e-mail announcing something dire has befallen one of your online accounts and requiring you to reenter sensitive personal data to get things back on track, do not reply to it, and do not fill out any forms that accompany it or click through any hot links it provides. Instead, contact that service through its website and ask them about the email.
The con artists are getting more sophisticated all the time, so do not be too quick to mistake the appearance of legitimacy with legitimacy itself. Just because an email looks like it comes from an entity you do business with doesn’t mean it’s genuine, and just because you’re being directed to a webpage that looks like that entity’s homepage doesn’t mean you’re not being sent somewhere else. Beware the wolf in sheep’s clothing lest you end up his dinner.
Oldenburg, Don. “Subtle Scams in Online Payment.”
The Washington Post. 25 February 2003 (p. C10).