My adrenalin level started to rise, and I began to panic. The email had come in my Hotmail Inbox, and read:
"PayPal (support@PayPal. Inc.com), This message may be a phishing scam. Learn more. Sent: Fri 6/27/08 8:20 AM, Reply-to: support@PayPal. Inc.com
"Dear PayPal Member, This email confirms that you have sent an eBay payment of $347.85 USD to
email@example.com for an eBay item. Payment Details: Amount: $347.85 USD, Transaction ID: 2LC956793J776333Y, Subject: Digimax 130, Item Information, eBay User ID: scratchandgnaw2, Edward “Blank", UNCONFIRMED Address (an address was provided).
"Important Note: Edward “Blank" has provided an Unconfirmed Address. If you are planning on shipping items to Edward Harrell, please check the Transaction Details page of this payment to find out whether you will be covered by the PayPal Seller Protection Policy.
"Note: If you haven't authorized this charge , click the link below to dispute transaction and get full refund. Dispute transaction (Encrypted Link ) *SSL connection: PayPal automatically encrypts your confidential information in transit from your computer to ours using the Secure Sockets Layer protocol (SSL) with an encryption key length of 128-bits (the highest level commercially available)
"This payment was sent using your bank account. By using your bank account to send money, you just: Paid easily and securely, sent money faster than writing and mailing paper checks, paid instantly - your purchase won't show up on bills at the end of the month.
"Thanks for using your bank account! Thank you for using PayPal! The PayPal Team, PayPal Email ID PP118"
My mouse arrow poised
My mind raced. I don't know anybody by the name of Edward “Blank" (I've left the last name out), and I certainly haven't made a $347.85 transaction which was deducted from my bank account. Adrenalin charged fear began to mount.
I don't have enough money in the bank account to cover that amount, I thought, and now I'll get some bounced checks.
My alarm quickly became outrage and angry thoughts raced through my mind:
-Where had this charge come from?
-Who was Edward “Blank"?
-Of course I want to dispute it!
My mouse arrow was poised over the “Encrypted" Link". and I was on the verge of clicking it, when from somewhere came a small voice of sanity. “Wait a minute, " it whispered, “this email came to your hotmail account. Your paypal email account is a yahoo account, not a hotmail account. "
I looked more closely at the return address of the email I had received. It read, “support@PayPal. Inc.com" and I realized it was totally wrong. The “Paypal" portion of the address was a subdomain of the “Inc" Primary Domain. A correct Paypal return address would be “support@PayPal.com".
What If I had clicked on the link?
Well, probably nothing, until I started filling out the form requesting my personal information. The phishermen were counting on the fact that by now I would be panicked enough to give them the information they wanted, and that would initiate a raid on my Paypal account, bank account, and everything else connected with my personal identity.
Clicking on that link would be an invitation to a personal disaster rivaling the Sumatran Tsunami, something that would take me years to straighten out (assuming I could do it at all).
Watch out for the buttons
Let's take a look at the email again, and note the “panic buttons" it uses to stampede the recipient into taking the bait.
1) You've sent an unauthorized payment of $347.85 to someone you don't know.
2) This has been paid out of your bank account
3) The recipient is an unconfirmed mail address - the money was sent out “into space", so to speak. The implication is that he raided your account and will do so again.
4) “If you haven't authorized this charge". Of course you haven't, and you're invited to dispute it by clicking on the link The phisherman is counting on your first thought: “I've got to take care of this. "
5) The link is a Secure Sockets Layer Protocol. Implication: You're perfectly safe doing this.
6) Paying from your bank account was convenient and fast, etc. They will probably want “updated information".
What should you do?
The proper response to an email like this is to do nothing it tries to stampede you into doing. Instead, go directly to your account and check the charges (this would be true if it were your credit card or bank account). I've seen many phishing emails advising me that there is something wrong with my Bank of America account. I don't bank with them, but the phisherman is gambling that a percentage of the people he/she spams will have one, and will click the “secure link".
Avoid the Phishing Scam Stampede
The email you will receive from the phisherman is intrinsically terrifying. The phisherman uses “panic buttons" to stampede you into divulging personal information. Your response to this is simple:
Don't panic and don't let them drive you into clicking the “secure link" they so conveniently provide. Put the email where it belongs - in the “deleted" folder. Then empty it.
Stay safe online - never let a phisherman panic you into doing something you will spend a lifetime trying to undo.
Get more tips on avoiding identity theft at Your Identity Stolen
a quarterly ezine designed to keep your identity safe.