I just received one such email earlier this week. Very cleverly written, it was trying to warn me that suspicious activity was taking place on my PayPal account. At first, I thought, “Oh no!” because I’ve actually been doing some things with my account recently. But then I read on and applied my checklist to spot a scam.

Here’s what the email said:

Dear PayPal Member,

We recently noticed one or more attempts to log into your PayPal account from a foreign IP address.

If you recently accessed your account while traveling, the unusual log in attempts may have been initiated by you. However if you are the rightful holder of the account, click on the link below to log into the account and follow the instructions.

[link removed]

If you choose not to complete the request, you give us no choice but to suspend your account temporary.

It takes at least 72 hours for the investigation in this case and we strongly recommend you to verify your account at that time.

Thank you for using PayPal!
PayPal Account Review Department

—————————————————————-

PayPal Email ID PP232

Like I said, pretty sneaky, yet sounds very plausible. But here’s how I determined it was bogus and this is something you can do as well:

• There was no email in the “To:” field. Okay, PayPal knows my email address so they’d have no reason not to use it.
• My name wasn’t used in the greeting.
• They encouraged me to login using the link (I removed it here for safety reasons). But if you’re new to this sort of thing, the next time you get something like this in your email, try rolling your mouse over the link and look at the URL that shows up in the lower left corner of your browser. In my case, they were completely different. This means that just because a link can be displayed to you on screen, doesn’t mean that’s the code behind it. Instant gotcha!

What could have happened had I clicked on the link? I probably would have seen a site looking very much like PayPal. And it might have encouraged me to login to what I thought was PayPal. That would have been bad because the criminals would have then have my login.

Or just as bad, I could have been infected just by visiting the web page. Yes, that’s possible.

So please be careful when you receive this sorts of messages. If in doubt, then contact the company it purports to be directly and ask them to confirm the message.

Basically, these kits can be purchased and ready in a matter of minutes. All one needs to do is to modify one file so that it knows where to send it’s findings to, and then install the files onto a compromised hosting server. That’s pretty much it.

The phisher will now have a site that’s pre-made and looks pretty official. All they have to do is market the site (again, very easy to do) and wait for someone to fall into their trap.

I’m always disappointed to read things like this because it tells me there are some great minds out there that have simply turned down the wrong path. To think of all the good they could be contributing, they’d rather use their skills for ill-gotten gain.

Tips to avoid becoming a phishing victim:
As with anything you receive in your email inbox from someone purporting to be some company, please be aware of how it looks and what it’s asking you for. Any reputable company is not going to ask you for personal information, so don’t be so fast to provide what they’re asking for. Instead, do a little research, including contacting the company claiming to be the sender of the email, but use contact information you have obtained, not the information that may be included in the email itself.

Also, if you do find that the email is a scam, be sure to report it as well as reporting it to your email provider if they provide that ability. Gmail not only has a way to report spammers, but also phishers.

Anything that helps get in the way of these scammers, can help someone.

Customer ID : 0000-122235432-65AGUEW14386-PSITA

This e-mail is to inform you that your account will be suspended within 48 hours due to your Account Inactivity. You will have to confirm certain Account Information in order to continue your account subscription.

Click the link below to verify your information
[link snipped]

You can help us provide you with the most relevant information by taking a moment to tell us your e-mail preferences. And of course you can unsubscribe at any time.

Remember, CapitalOne is committed to your security and protection. To find out more, take a look at our Information Security section under Privacy and Security on the Web site.

Wow, looks and sounds professional, but one thing I couldn’t show you was the return email address they used. It was from Yahoo! Geesh, you know times are rough when a company as big as Capital One has to use an email service from Yahoo.

The URL that I removed was nothing but an IP address. Oddly enough, the underlying link was the same as the one displayed. So they put all that effort into making professional and worrisome message, but didn’t care about the URL.

Just be careful when you receive emails having anything to do with your money.

Your Online Banking is Blocked

Because of unusual number of invalid login attempts on you account, we had to believe that, their might be some security problem on you account.

So we have decided to put an extra verification process to ensure your identity and your account security.

Please click on continue to the verification process and ensure your account security. It is all about your security.

Thank you.
Continue To Online Banking

© 2007 Bank of America Corporation. All rights reserved.

Well, first of all, the likelihood of Bank of America contacting me with a grammatically incorrect and very brief email is not very high. Phrases like “…verification process to ensure…” and “…click on continue to the verification process…” stand out like a sore thumb. Maybe that’s my journalism degree coming out, but geesh, what a telltale sign.

Second, I don’t have an account with Bank of America. And lastly, but most importantly, the link (deactivated above) goes to a totally unrelated website. How do I know this? By rolling over (not clicking!) the link you can check out the address in your lower left corner of your browser (I’m using Firefox, but that’s most commonly the area you’d find that information).

A number of things could have happened if I had clicked on the link (which I didn’t go to by the way). One example might be that a virus could have been downloaded to my computer or perhaps spyware. In addition to that, if I had entered my information on whatever form I would have been given, which most likely would have been my credit card information and login, then the criminals would have the keys to my kingdom.

The take-away here is to just be careful when you receive emails like this, especially if they are coming from a merchant you have done business with before.

[tags]phishing,scams[/tags]

This last message I received was still dripping with urgency, but they must have missed the class that explained how to hide the true destination of a link. Check it out:

Your account has been flagged!
PayPal Security Measures.

Dear PayPal Member,

Your account has been randomly flagged in our system as a part of our routine security measures. This is a must to ensure that only you have access and use of your Paypal account and to ensure a safe PayPal experience. We require all flagged accounts to verify their information on file with us. To verify your information at this time, please visit our secure server webform by clicking the hyperlink below:

[linked snipped]

If you choose to ignore our request, you leave us no choice but to temporarily suspend your account.

Thank you for your patience as we work together to protect your account.

I removed the link for obvious reasons. Just know that it was an IP address with nothing to do with PayPal. Both the displayed text of the link and the actual code behind it were the same.

What to take away from this message?

• As always, someone like PayPal would surely use your name if they were really contacting you.
• The part about “…you leave us no choice…” Come on — neither PayPal nor any self-respecting business would ever speak to their members that way. It’s merely to scare people into taking an action.
• Even though it’s not shown here, I can tell you that the message didn’t even show my email address. I had to dig deeper to find out what they did use, and true, it’s a real address of mine, but again, PayPal would have no reason to be so secretive about that.

Surf safely!

[tags]web safety,internet,phishing,scam,PayPal[/tags]

The clues:

• They didn’t use my name. If it were really PayPal, they’d use it.
• They used an email address of mine — true enough — but I don’t use it with my PayPal account.
• My email address wasn’t shown in the “To:” field. I had to click “Show original” to find out.
• The reply address they used was “…@google.com”. Seriously, PayPal has their own domain.

Here’s the message:

Dear valued PayPal member,

It has come to our attention that your PayPal account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service.

However, failure to update your records will result in account suspension. Please update your records on or before July 02, 2007.

Once you have updated your account records, your PayPal session will not be interrupted and will continue as normal.

To update your PayPal records click on the following link:
(URL snipped)

Thank You.
PayPal Update Team

Notice the sense of urgency? Why would PayPal rush you into things and threaten suspending your account if you don’t act? The answer is that it’s not PayPal, but the jerks that are trying to get you to act before they get caught and before you get wise.

You’re in control. Next time you get something like this, try looking for the clues I’ve mentioned before you take action.

[tags]phishing,scams,web safety[/tags]

My decision to include this is to serve as another example of how we can become fooled with fancy words and the sense of urgency. But remember this: the more you know about your enemy, the less likely you are to become their victim.

In this particular instance, an attachment was included, but with an icon embedded in the body of the email. The phrase, “Word has encountered an error, please double click on the icon above to relaunch msword.exe” was included.

The purpose of this was to lower your defenses — your mental defenses, that is — because you’re more likely to think that some sort of “processing” has taken place on your computer, and if your computer knew to do something, then it must be all right, yes? Nope.

Here’s the message:

Dear business owner ,

It has come in our attention that your company is participating in an illegal scheme to avoid paying taxes can result in imprisonment and fines, as well as the repayment of taxes owed with penalties and interest.

Certain large and mid-size corporations are required to electronically file their Forms 1120 and 1120S. Other corporations may do so. We have attached to this email an e-file information for corporations that prepare and transmit their own electronic corporate income tax returns and those that use the services of third party tax professionals.

Our web site provides an overview of electronic filing and more detailed information for those corporations that prepare and transmit their own income tax returns. Corporations that rely upon third party tax professionals to prepare and transmit their tax returns should consult their tax professional.

The IRS has begun an investigation regarding this fact and we need your cooperation. Instructions on how to resolve this, as well as a INVESTIGATION FORM are attached to this email.

Please complete the form, sign it and send it to tax-avoidance@irs.gov within 48 hours. Thank you

George William

IRS TAX PAYMENT AGENT
FRAUD DEPARTMENT

Wow! It’s from the IRS. It sounds official, and gives you the sense that maybe somebody has been watching you.

Well, don’t fall for it. Have you ever received a legitimate email from the government. To the best of my knowledge, snail mail is the preferred method of communication for such warnings.

So, I said it before, but it bears repeating: if you question the legitimacy of a message, contact the entity being represented and DON’T use the contact information in the email as it could also be fake. And don’t click on any links. Instead, either run a search for the company to find their true web site or type in the URL to get there.

[tags]phish,scam,virus,computers[/tags]

The message read as follows:

From: Better Business Bureaus [mailto:operations@bbb.org]
Sent: Monday, June 04, 2007 7:07 PM
Subject: Complaint Case Number 918724369

Dear Mr./Mrs. [name removed]

You have received a complaint in regards to your business services. The complaint was filled by Mr. Robert Martinez on 6/2/2007

Complaint Case Number: 918724369
Complaint Made by Consumer Mr. Robert Martinez
Complaint Registered Against: [company removed]
Date: 6/2/2007
Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email.

Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them:
- Claims based on product liability;
- Claims for personal injuries;
- Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.
The decision as to whether your dispute or any part of it can be arbitrated rests solely with the BBB.

The BBB offers its members a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.

© 2003 Council of Better Business Bureaus, Inc. All Rights Reserved.

So what are some of the clues?

To begin with, I’m not registered with the BBB. Maybe I don’t have to be, but it’s certainly out of left field that this message comes to me.

Now about that document. It presented itself as a PDF, but in actuality it was an executable — a file that runs on a computer like an application. All one has to do is open it up to release its payload and who knows what will happen after that: loss of data, spyware installed, computer rendered useless, etc.

And did you notice that “Mr./Mrs.” part? Don’t you think they’d know who they’re dealing with if the message were legitimate?

And the overall “official-ness” of the message may cause one to think that somehow there must be a connection, thus making it more likely to open the document attached.

If you receive something like this and feel there’s some validity to it, then give your local BBB a call to verify the case number. And just as important, be sure you have a antivirus software package installed and up-to-date with virus information.

[tags]scams,phish,virus,computers[/tags]

This latest attempt came out of the blue. Clue one. It was from a company I had never done business with nor heard of. Clue two. And finally, it didn’t show the email address it was using to get to me. Clue three. Any company I’ve done business with, to the best of my knowledge, has used the email address in the header of the message.

But the real telltale sign of this whale of a phish is the fact that the URL in the message was pointed to somewhere else entirely. Where? Well, it wasn’t the Federal Credit Union site, that’s for sure. How did I know this? Easy. I rolled my mouse over the link and looked at the bottom corner of the browser to see the URL it would have taken me to.

Here’s the message:

Account Info Verification

Dear FCU holder account,

As part of our security measures, we regularly screen activity in Federal Credit Unions (FCU) network.
We recently noticed the following issue on your account: A recent review of your account determined that we require some additional information from you in order to provide you with secure service. Case ID Number: PP-065-617-349 For your protection, we have limited access to your account until additional security measures can be completed. We apologize for any inconvenience this may cause. Please log in to your FCU account to restore your access as soon as possible.

You must click the link below and fill in the form on the following page to complete the verification process.

Click here to update your account (<-- link removed)

In accordance with NCUA User Agreement, your account access will remain limited until the issue has been resolved. Unfortunately, if access to your account remains limited for an extended period of time, it may result in further limitations or eventual account closure. We encourage you to log in to your FCU account as soon as possible to help avoid this. We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account.

We apologize for any inconvenience.

Sincerely, NCUA Account Review Department

Had I clicked on the link I would likely have found a place to enter my username and password. Doing so would have given them quick access to whatever I had in there. Fortunately, I didn’t have an account with FCU, so I didn’t have what they were likely to be looking for in the first place. Or perhaps they would have asked me right then and there for my personal details — whatever I could give them.

But that may not have been the only danger. It is possible to download malicious code to your computer just by browsing to a page. Even something as innocent as viewing an image could have infected my computer with a virus, that is, if I didn’t have defenses in place already.

So the moral of this story is:

• Don’t click on any link in an email message unless you’re absolutely, positively sure it’s from someone you know AND it makes sense they would send it.
• Before clicking on any link, be sure to roll your mouse over it first to show the true destination. If you can’t see this, then perhaps you can view the source of the message and examine it that way. Sometimes these phishers include valid links in their messages just to lull you into a false sense of security.
• Go to the company in question’s web site on your own, meaning either use a bookmark you already have or type in the URL that you know. Don’t use the one in the message. Or simply give them a call using a number you’ve looked up yourself.
• And if at all possible, contact the company — the real one — to report that there’s a suspicious email going around.

[tags]web safety,internet safety,phishing,scams[/tags]

SiteAdvisor is a add-on to Internet Explorer or Firefox and appears as a small button in either browser. This button displays in green, yellow, or red colors to indicate safe, caution, or warning, respectively, depending on the site you visit and what information it has on it. You can select View Site Details from its menu to find out why it has rated a site as such.

When you perform a search on Google or Yahoo icons associated with each level of rating appear next to each of the search results. When you roll your mouse over these icons you get a summary of its rating with an option to view more details.

SiteAdvisor does not filter content nor is it a type of parental control software. Rather, it simply provides you with information on a site prior to you visiting it so you can decide for yourself if you want to visit it or not. If a site is a known contributor of spyware/phishing/spam/viruses, you’re probably better off avoiding that site and going somewhere else.

This is similar to what I reported on not too long ago about the online service known as Scandoo. It, too, runs checks on sites and informs why you should or should not be leary of a site before visiting it on search results.

There are three main differences you’ll find between these two defenders of the common Web surfer:

• The information in their rollovers (when you rollover their icons in search results) is displayed slightly different (no big deal).
• Scandoo is a search engine that you go to and SiteAdvisor is a tool you install in your browser, so it goes where you go.
• SiteAdvisor tells you what it knows about a site as you’re visiting it by virtue of its button in your browser by changing colors. More details for a site are always just a click away.

During my initial tests I noticed a considerable slowness to my Web surfing. I suspected that whatever sites I was visiting were being looked up on their servers, which is what should be happening. However, I’m not experiencing that same kind of slowness as of this writing. It could have been the time of day I was doing my tests — hard to tell.

Quick Overview

• Very useful tool that could help prevent the accidental download of viruses or spyware by informing you of the reputation a site has.
• May negatively impact speed of Web surfing (although my tests are not conclusive; just keep an eye on it).
• Provides useful information on sites you visit and does it dynamically as you surf.
• It does not block content and is not a filter — it’s just an informer.