
A slick scam over PayPal

The e-mail to a colleague, a tech-savvy newspaper editor, looked innocent and authentic enough.

It wasn't an offer of "herbal Viagra," a get-rich-quick scheme, or a promise to enlarge any particular body parts. It was a note under the logo of PayPal, the eBay subsidiary that offers a secure way for participants in its online auctions to pay for merchandise.

"Dear Valued PayPal Member," it began. "It has come to our attention that your PayPal Billing Information records are out of date." It then invited him to click on a link to update the records - a link to a Web page that also had the look of authenticity.

Luckily for my colleague, he didn't have to get that far to turn suspicious. He's never had a PayPal account, so the e-mail lost him right off the bat.

But he was impressed enough by the slickness of the scam - and a scam is what it was, officials at the Federal Trade Commission and eBay confirmed - to want to spread the word.

For one thing, it had a series of underlined, blue links at the bottom of the e-mail and the Web page, just as PayPal's real home page does.

And every one of those links led to the genuine article: real PayPal pages, such as "About us," "Accounts," "Fees" and "Privacy."

The first clues

Looking more closely, though, my colleague noticed some reasons to suspect a fraud that could have led to identity theft. One was the Web address, or URL, of the crucial page that asked for his credit information.

Instead of starting with PayPal's own Web address, paypal.com, the URL of the page where he was supposed to enter his credit-card information began with a numeric Internet address - a string of numbers separated by dots, the kind of address a legitimate company has no reason to send its customers to.

Then there was the absence of the so-called "secure-key" icon - on Internet Explorer, a locked padlock that appears in the status bar at the bottom of your screen only when the connection is encrypted, so that sensitive data cannot be read in transit.

Those were clues that the page was a phony, to be sure. But they aren't enough to protect yourself, according to Howard Beales, who, as director of the FTC's Bureau of Consumer Protection, is one of the Internet's top cops.

A genuine-looking PayPal address? That's not a guarantee. If you simply click on a link, the destination's URL could be disguised: the text you see in the e-mail can say one thing while the link underneath sends you somewhere else.

A secure-key icon? A good sign - unless you're about to send sensitive data to a hacker over a secure hookup.
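The three clues above - a link whose real target is a bare numeric address, a target page that is not encrypted, and link text that shows a different address than the one it actually leads to - can be checked mechanically. The following is an added example, written for this page and not code from the column, PayPal or the FTC. The sample e-mail HTML is constructed to resemble the message described (the 192.0.2.x address is reserved for documentation), and the "trusted domain" is an assumption supplied for the check.

```python
"""Heuristic link audit for a suspected phishing e-mail (added example)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, not the actual scam message. The footer links are genuine
# PayPal pages, as the column describes; only the "update" link is the phony.
SAMPLE_EMAIL_HTML = """
<p>Dear Valued PayPal Member, your Billing Information records are out of date.</p>
<a href="http://192.0.2.10/cgi-bin/webscr/update.htm">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a>
<p>Footer:</p>
<a href="https://www.paypal.com/about">About us</a>
<a href="https://www.paypal.com/fees">Fees</a>
<a href="https://www.paypal.com/privacy">Privacy</a>
"""

# Assumed trusted domain for this check.
TRUSTED_DOMAIN = "paypal.com"


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host portion of a URL, or '' if there is none."""
    return (urlsplit(url).hostname or "").lower()


def is_ip_host(host):
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def belongs_to(host, domain):
    """True when host is the domain itself or a subdomain of it (not a look-alike)."""
    return host == domain or host.endswith("." + domain)


def check_link(href, text, trusted=TRUSTED_DOMAIN):
    """Return the list of reasons a link is suspicious; an empty list means none found."""
    reasons = []
    host = host_of(href)
    # Clue 1: the real target is a bare numeric address.
    if is_ip_host(host):
        reasons.append(f"target host is a bare IP address: {host}")
    # Clue 2: the target is not encrypted, so no padlock would appear.
    if urlsplit(href).scheme.lower() != "https":
        reasons.append("target is not https (no padlock will appear)")
    # Clue 3: the visible text shows one address, the link goes to another.
    shown = re.match(r"https?://\S+", text)
    if shown and host_of(shown.group(0)) != host:
        reasons.append(f"visible text shows {host_of(shown.group(0))} but link goes to {host}")
    # The text invokes the trusted name, yet the target is outside that domain.
    if trusted in text.lower() and not belongs_to(host, trusted):
        reasons.append(f"text names {trusted} but link goes to {host}")
    return reasons


def audit_email(html, trusted=TRUSTED_DOMAIN):
    """Return [(href, reasons), ...] for every link in the message, in document order."""
    collector = AnchorCollector()
    collector.feed(html)
    return [(href, check_link(href, text, trusted)) for href, text in collector.links]


if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL_HTML):
        print(href, "->", "; ".join(reasons) or "looks consistent")
```

Run as-is, the audit flags only the first link, on all four counts, while the three footer links come back clean - exactly the pattern the column describes, where every decorative link is real and only the one that matters is the trap. The `belongs_to` check deliberately requires a true subdomain of the trusted name, so a look-alike such as `paypal.com.example` does not pass.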

Beales' message is this: Internet bad guys have varying skills. Some scams are obvious to anybody who wasn't born yesterday. Others are dangerously devious.

Protect yourself

Thankfully, you don't have to be smarter than every last hacker. You just have to be vigilant about sensitive data. This kind of scam is sometimes called "phishing," and the first rule is: Don't take anybody's bait.

How do you identify bait? Beales says to be especially skeptical of warnings that an account will suddenly be shut if you don't reconfirm billing information, or any other probe that asks you to reply with personal data.

Be cautious no matter where the e-mail seems to originate. Even government agencies have been used as bait.

If you get a suspicious e-mail, don't click on a link. Instead, contact the company directly, using a phone number or Web address you're sure is real.

Last summer, PayPal itself quit sending out e-mails like the one in question, eBay spokesman Kevin Pursglove says. Thousands of PayPal users have complained of similar e-mail-based scams, so the company now directs account-holders with expired credit cards to go on their own to the PayPal site and proceed through the log-in. (For more on PayPal security, go to www.paypal.com.)

Don't stop with protecting yourself. If you believe an e-mail you receive may be deceptive or fraudulent, the FTC wants to see it. Forward any suspicious spam to uce@ftc.gov.

Beales says the agency has been able to use its spam database along with identity-theft reports to interrupt scams in progress. "There have been cases where we've been able to contact a victim who didn't even know they were a victim yet," he says.

Exercise a little caution, though, and you won't be the one getting that call.

*

For more information, contact the FTC at www.ftc.gov or 1-877-382-4357.

Contact Jeff Gelles at 215-854-4558 or consumerwatch@phillynews.com.