Claim: As part of regular security maintenance, PayPal needs you to resubmit your credit card and bank account information.
Example: [Collected on the Internet, 2003]
Dear PayPal Customer
PayPal is currently performing regular maintenance of our security measures. Your account has been randomly selected for this maintenance, and placed on Limited Access status. Protecting the security of your PayPal account is our primary concern, and we apologize for any inconvenience this may cause.
To restore your account to its regular status, you must confirm your email address by logging in to your PayPal account using the form below:
This notification expires March 31, 2003
Thanks for using PayPal!
This PayPal notification was sent to your mailbox. Your PayPal account is set up to receive the PayPal Periodical newsletter and product updates when you create your account. To modify your notification preferences and unsubscribe, go to https://www.paypal.com/PREFS-NOTI and log in to your account. Changes to your preferences may take several days to be reflected in our mailings. Replies to this email will not be processed.
If you previously asked to be excluded from Providian product offerings and solicitations, they apologize for this e-mail. Every effort was made to ensure that you were excluded from this e-mail. If you do not wish to receive promotional e-mail from Providian, go to http://removeme.providian.com/.
Origins: At least since the summer of 2002, PayPal and eBay customers have been plagued by “phantom e-mails” that require them to provide their credit card and bank account numbers to restore their accounts to fully operational status. Don’t be fooled — those “phantoms” do not originate with either PayPal or eBay; they are the creation of thieves intent upon harvesting bank account and credit card numbers from the
The one showcased above first appeared in inboxes in March 2003. Although some elements of the form are genuine (the little blue PayPal symbol links to paypal.com, for example), information entered into the data boxes does not get sent to the online banking house; it is instead routed to an e-mail address in Russia.
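A mail-filter check for the pattern just described, where a genuine paypal.com link sits beside a form that submits somewhere else. This is an added example, not part of the original article; the trusted-domain list, the field keywords and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"paypal.com"}  # assumption: domains the claimed sender really uses
SENSITIVE = ("card", "bank", "account", "password", "pin")  # assumed keywords

def host_trusted(url):
    """True only if the URL's host is a trusted domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class FormAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self.in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
            action = (a.get("action") or "").strip()
            if urlsplit(action).scheme.lower() == "mailto":
                self.findings.append(("form-posts-to-mailbox", action))
            elif not host_trusted(action):
                self.findings.append(("form-posts-off-domain", action))
        elif tag == "input" and self.in_form:
            name = (a.get("name") or "").lower()
            if any(k in name for k in SENSITIVE):
                self.findings.append(("sensitive-field-in-email", name))
        elif tag == "a" and host_trusted(a.get("href") or ""):
            # A genuine link proves nothing about where the form submits.
            self.findings.append(("trusted-link-present", a["href"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def audit_email_html(html):
    """Return (finding, detail) tuples for one HTML message body."""
    parser = FormAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: real logo link, form submitting to an unrelated host.
SAMPLE = """<a href="https://www.paypal.com/"><img src="logo.gif"></a>
<form action="http://forms.example.net/cgi-bin/collect" method="post">
<input name="email"><input name="card_number"><input name="bank_account">
</form>"""

if __name__ == "__main__":
    for finding in audit_email_html(SAMPLE):
        print(finding)
```

A message that yields both `trusted-link-present` and a `form-posts-*` finding matches the mix of genuine and counterfeit elements described above.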
Earlier versions ran the con in a slightly different way: Official-looking e-mails informed users their accounts had been flagged for fraud investigation and provided a hot link to a special PayPal web page where they could fill in the blanks — name, address, credit card number — necessary to reinstate their account status. Those earlier hot link manifestations would momentarily connect the about-to-be-defrauded to PayPal’s home page before switching to a counterfeit verification page housed on an entirely different site.
Both eBay and PayPal (eBay bought out PayPal in 2002) swear they never ask for personally identifiable information via e-mail, and both have stopped including web site hot links in messages to members. Ergo, if you get an e-mail “from” one of these entities asking you for credit card or banking account numbers, it’s not the real thing.
This form of theft is not new, even if the techniques now being used to accomplish it (CGI scripts and hot links) are. The same basic con has been used for a very long time and has flourished in numerous less techno-terrific ways — it’s all about getting potential victims to hand over their banking and credit information, an objective the con artist accomplishes by masquerading as a bona fide representative of a reputable and trusted organization which would have reason to ask for that information.
In the non-cyber world the unwary have been duped into providing such sensitive financial details via fake IRS forms which appeared to have been issued by the victims’ own banks. (The victims would fax the completed forms to the fraudster, thinking they were filing them with the Internal Revenue Service.)
An even less technology-driven scam requires nothing more than a telephone and the local phone book: the defrauder skims the white pages for people who live near a particular bank and calls them, presenting himself as an employee of that financial institution who needs to confirm their account information. Because people tend to patronize the bank closest to where they live, the thief will encounter very few responses of “No, you’ve got the wrong Molly Brown — I don’t have an account there.” We tend to accept the way people present themselves at face value, so only a handful of us think to question someone who greets us by name, identifies himself as working at our bank and informs us there is something wrong with our bank accounts. His straightforward request that we read off the account numbers from our checks will all too often net him the information he seeks; only long afterwards (if at all) do we stop to wonder why, if he had our names and phone numbers, he didn’t have the details of our accounts at his fingertips as well.
Scams that trick the gullible into revealing private information by having them “confirm” details presumably already in the possession of the one doing the asking fall under the broad heading of “social engineering,” a fancy term for getting people to part with key pieces of information simply by talking to them. The wary consumer’s best defense to such maneuvers is a zipped lip (or, in the online world, an untapped keyboard). Protect yourself by volunteering nothing, even if you feel somewhat pressured by the one doing the inquiring. If someone on the telephone asks you to read off your checking account number for “verification,” ask him instead to recite it to you from his records. If you get an e-mail announcing something dire has befallen one of your on-line accounts and requiring you to re-enter sensitive personal data to get things back on track, do not reply to it, and do not fill out any forms that accompany it or click through any hot links it provides. Instead, contact that service through its web site and ask them about the e-mail.
The con artists are getting more sophisticated all the time, so do not be too quick to mistake the appearance of legitimacy for legitimacy itself. Just because an e-mail looks like it comes from an entity you do business with doesn’t mean it’s genuine, and just because you’re being directed to a web page that looks like that entity’s home page doesn’t mean you’re not being sent somewhere else. Beware the wolf in sheep’s clothing lest you end up his dinner.