One of our clients unfortunately fell foul of PayPal scammers recently.

He followed the links in an apparently legitimate PayPal email, which led to what appeared to be the legitimate PayPal website. He dutifully signed in and entered his password, filled in his details, updated his credit card. All good…

Then that niggling feeling hit him…. Was that a legitimate site? Did I just do something stupid?

The email looked legit…

and he followed the link

Click here to update your profile records!

and the site looked legit.

So why did he not see that it was a scam?

Why didn’t elements of the email ring bells BEFORE he entered his details?

Our belief is that it was because it was done on a mobile phone.

On a mobile, you don't see some of the information that is available on a PC, and there is information in the email that clearly indicates that this was a scam.

Spotting the Scam

1. Misspellings in the email – “On 17 Octomber your profile was reviewed” – Octomber! That should ring alarm bells and make you hit the delete button immediately.

2. The link “Click here to update your profile records!” has an exclamation mark at the end of the statement. A legitimate company would never use an exclamation mark in that fashion.

3. The link “Click here to update your profile records!”, when hovered over in a full-service email client, would show the destination URL:

http://www.va###city##st.com/images/

(We have obscured the true URL – but you can clearly see it is not a PayPal URL)

* Hovering over a link to check its destination is not possible on most mobile devices, as there is no cursor.

4. When the link is clicked, it goes to the URL mentioned in (3.), but is then immediately forwarded to another URL:

http://br##nsto##er.com/x131x546/r.html?cmd=run&session=d108cc397ef8da044afce0173c5114e4d108cc397ef8da044afce0173c5114e4

Which again is obviously not a PayPal URL.

This redirection, again, is clearly visible on a PC or laptop, but would most likely not be seen at all on a mobile phone or on many other mobile devices.

Consequences of the Scam

So our client has had to cancel credit cards, change passwords, notify PayPal, notify their bank and generally has had their day destroyed, and will have to go through continued hassle while the credit card stuff gets sorted out. Unfortunate, yes, but it could have been avoided with some simple rules.

Avoiding the Scam

1. Don’t do ‘banking’ via a browser on your phone. Legitimate banks and organisations have apps for doing your banking and do not rely on browsers.

2. READ any bank-related email you get with great care. I guarantee that you will spot the scammers 9 times out of 10 without even clicking on anything. Spelling mistakes, bad grammar, and bad English. There are often multiple giveaways.

3. Treat your bank details as TOP SECRET! Never give them to anyone without a good and valid reason, and investigate that reason BEFORE you hand anything over.

Be careful out there…

 

Dave

http://www.grimpond.com