Spoofing and Phishing: gentle reminder with PayPal example

I meant to write about this when it first arrived in my inbox a few years ago (ahem, sorry!) It has re-surfaced after a major inbox cleaning operation, so here it is now.

With the economy taking a downturn, spoofing and phishing are on the increase again. Spoofing – web-sites are set up to look identical to reputable web-sites, enticing you to part with your financial details or login information for the site that is being emulated. Phishing – you might receive e-mails that attempt to convince you to part with login details, personal data, etc. Plenty has been written about spoofing and phishing, so I won’t try to re-invent the wheel here.

Anyway, here’s an example of a phishing e-mail that looks remarkably like a real PayPal e-mail, including layout and graphics. Whilst the hyperlinks in this e-mail look genuine enough, hovering the mouse over the links reveals that they don’t lead to the real PayPal web-site but to the site of a scammer. If you clicked on one of these links, you might not notice anything untoward, as the scammer may well have done a good job of spoofing the PayPal site’s look’n’feel.

Don’t be fooled – always check the ultimate destination of links in e-mails. Better still, open up a browser window and physically type in the URL of the web-site that the e-mail claims to be from – in this case PayPal’s web-site. If the site in question really wants to communicate with you, there will, more often than not, be a message waiting for you when you log in through the correct channels.
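The "hover over the link" check described above, automated over an HTML message body, as an added example that is not part of the original post: it flags anchors whose visible text names one host while the href actually goes to another, and anchors whose destination is a bare IP address. The sample message is constructed for the example and is not a real PayPal e-mail.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real PayPal e-mail): the first link's text names
# paypal.com but its href goes elsewhere; the second is consistent; the third hides an IP.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://paypal.example-scam.invalid/login">log in at
https://www.paypal.com</a> to restore your account.</p>
<p>Help centre: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
<p><a href="http://203.0.113.5/verify">Verify now</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def host_of(url):
    """Lowercase host of a URL; a bare domain without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def suspicious_links(html):
    """Return (href, text, reason) for links whose real destination differs from what is shown."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target = host_of(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            flagged.append((href, text, "destination is a bare IP address"))
            continue
        # Hosts the reader can see in the link text, e.g. "https://www.paypal.com" or "paypal.com"
        shown = {host_of(t) for t in re.findall(r"(?:https?://)?[\w.-]+\.[a-z]{2,}\S*", text, re.I)}
        if shown and target not in shown:
            flagged.append((href, text, "text shows %s but link goes to %s" % (", ".join(sorted(shown)), target)))
    return flagged

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}  (text: {text!r})")
```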

I realise that I’m probably teaching a lot of readers to suck eggs. Sometimes these scams need concrete examples like this for demonstration purposes. I’ve certainly used this screenshot to help folks understand the “how do you know?” process, as noted here and here.


3 thoughts on “Spoofing and Phishing: gentle reminder with PayPal example”

  1. Good article, something we need reminding of.

    My parents are constantly asking me to help them get set up on the net from home, but I’m so wary of them being scammed by things like this.

    Reassuringly a lot of places, such as my bank and paypal have email addresses set up where you can forward these emails so they can be investigated. The scammers constantly move on to another URL but anything which makes it harder for them seems a good idea to me.

  2. A good practice, if you use Outlook, is to always read your e-mails in plain text and set images to not download automatically. It’s really obvious when a URL is incorrect, no hovering required.

    On the other hand, every HTML e-mail is a broken mess, and you have to click a few times for them to convert to HTML, and then to download images.

    In Outlook 2007 go to Tools menu, Trust Center. E-mail Security tab, tick ‘Read all standard mail in plain text’. Automatic Download tab, tick ‘Don’t download pictures automatically in HTML e-mail messages or RSS items’.
