How to detect high-risk PayPal Phishing Emails

By: Mike Le

Today I received this email from service@paypal.com with the subject: "Your PayPal account has been limited". It was marked with "High importance".

It sounds serious, doesn't it? I've seen many PayPal phishing emails before, but this one looked reliable.

The sender email address looked legitimate: service@paypal.com, unlike popular phishing senders' style such as: paypal@imphishinghere.com (this is an example email address).

I opened the email and saw the PayPal logo. On the right, there was a box "Protect your account info" with a valid link to http://ww.paypal.com, that even provided "Security Tips" at the secured link:
https://www.paypal.com/us/securitytips.

Figure 1: This email seems to be reliable

Wait a minute! This email was sent to the email address support@restaurantgiveback.com. But I have no PayPal account associated with this email address! Something is wrong.

Also it said "Dear Paypal member". It did not have my name, or my business name. This is evidence of phishing. PayPal always starts its emails with "Hello [Name]" or "Dear [Name]".

I found the activation link, scrolled mouse over it, and the real hyperlink popped up: (this is a MS Outlook feature). Important: I did not click on the link.

Figure 2: The activation link is fraudulent

The link actually pointed to http://tosuper.com/blablabla, not PayPal. It took me another 5 seconds to Google this hyperlink, http://topsuper.net, and figured out it is 100% phishing. This phish was reported on May 21, 2010. A new-born baby phish!

Figure 3: This is a verified phish

By the way,  a friend of mine also received this email on the same day:
------------------
From: PayPal
To: myfriend@email.com     (real email address has been changed)
Sent: Fri, May 21, 2010 2:44:03 PM
Subject: Customer Notice

Dear PayPal Customer,
Your online account has been locked due to unusual activity.
Please click to unlock your account, and continue using PayPal services.
-----------------
This email was sent from notifications@pp.com. It is NOT something@paypal.com, so you can quickly know to be careful.
PayPal always includes your name. It should never read "Dear Paypal Customer".
The hyperlink "click" led you to http://webservice-pp.com. Again, this is NOT authorized PayPal website.  

What is Phishing? Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication (Source: Wikipedia).

A few take-aways:
If you receive an email from your bank, credit card organization, or PayPal, please check the following:
  *  Verify your name: Phishing emails usually start with general names "Dear PayPal member", or "Dear customer".
  *  Verify the sender email address: Phishing email addresses are often similar to the organization email address, but not the same. E.g. notifications@paypal.com v.s. notifications@pp.com. However in some cases, phishing can use Fake SMTP to fake the exact email addresses.
  *  Verify the recipient email address (your email): Phishing experts crawl on the Internet for email addresses, and sent their messages to all email addresses that they found. If your email address is not the dedicated email address for your account at the organization that sent the email, it is more than likely it is a phishing email.
  *  Prior to logging in, verify the website. The phishing website can look exactly the same as the site you want to enter, but will have a different domain.
  *  Finally, if you are still unsure if that is a legitimate site, call the organization to verify.
Also, note that PayPal is popular phishing target!

If you are not familiar with phishing, you may become a real FISH and lose money. So I hope that this post has been of help to you and you avoid future problems.

For those of you who have additional comments or recommendation, I welcome your feedback!

CB/I Digital 401 Park Ave South, 10th floor New York, NY 10016 (646) 688-4899