If you’re like me, you get hundreds of emails a day and many of them are unnecessary. Even with advanced spam filtering in place (like our incredibly great Barracuda filters), unwanted emails still manage to arrive in the inbox. Even though we filter out a massive percentage of spam, every once in a while a sneaky email scam manages to slip through.
This is precisely what happened yesterday. I received an email from PayPal with an unusual subject line:
My first thought — “Cool! I never knew PayPal would give an annual bonus for users!” Then it hit me. I’ve used PayPal for YEARS and never had an “annual bonus”. Something sounded fishy… but I’m a curious type, so I opened the message.
The body of this email was amazing; it looked exactly like a standard PayPal email with the right colors, logos, style, etc. But upon closer inspection there are some very clear indicators that this was not a legitimate email.
— Note the “from” address. I have no doubt that PayPal is not using the address of “Banana-01” as their primary customer service email. This alone should be the red flag to immediately sound the alarm.
— Second, notice the “to” field simply says “Recipients”. Had this been an email for me, my own email address would have appeared here, not some generic “list” of recipients. Would it make sense for PayPal to send a $250 reward to every one of their users? Probably not.
— Third, the logo isn’t quite right. For many, this is hard to tell. The text of the logo is accurate, but there’s also supposed to be a two-toned capital P used in the artwork for the official logo. (see here)
— Finally, check out the “easy” instructions. You click and open a secure link (thank goodness that it’s secure!) and then confirm you’re the owner of the account.
So, exactly where does this “Reward Claim” happen to take me? You guessed right – certainly not to PayPal’s website! By placing your mouse pointer on the button, it should display the actual link that the button will take you to. In this case, it’s a site on a .UK domain (see below) which is surely not the PayPal site.
Now — at this point, I was laughing. Certainly this is a complete scam and I did NOT click on the link to visit this domain. I am guessing that they have a landing page which is designed to mimic PayPal and lure valid users into entering their usernames/passwords and maybe some additional identification like address or birthday. Once they do, they’re probably told that they can expect to see a payment either sent to them or hitting their PayPal account soon. The scam is on!
Within a few moments, your valid credentials on your PayPal account could be changed. Funds that you have in PayPal could be sent to another account, used to purchase products/services, and generally swept clear from your account. All while you wait for your Annual Reward to be safely deposited.
How can you avoid this?
Rule #1 – Be suspicious. Be wary of everything that claims to be a reward, a bonus, a free deal, or anything that is too good to be true. I had never seen an offer from PayPal for an “annual reward” and so this was my first clue.
Rule #2 – Read/Review carefully. Does PayPal really use that address? Would every account be getting the same “annual reward”? Why link to the UK when I know that PayPal uses a .com domain?
Rule #3 – Don’t Click. When you see that button/link, check it to be sure that it really IS the company you’re doing business with. PayPal’s business is international, but their URL (in the USA) looks very clearly like this:
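The three rules above (check who the message is really from, check whether it was actually addressed to you, and check where the button really points before clicking) can be turned into an automated pre-screen. The script below is an added example written for this post, not code from the original article or from any filtering product it mentions. It parses a constructed sample message (the sender address, recipient line and link targets are made up to mirror the indicators described above, not copied from the real email) and reports the same red flags a careful reader would spot: a display name that claims to be the brand while the actual address sits on another domain, a “To” line with no real recipient address, and links whose host is not the brand’s own domain. The `brand_name` and `brand_domain` parameters are assumptions for this example; `host_belongs_to` is a hypothetical helper, written here so that a lookalike such as `paypal.com.evil.example` is not mistaken for the real domain.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example. None of these values come
# from the real phishing email; they just reproduce the same warning signs.
SAMPLE_EML = """\
From: PayPal Rewards <banana-01@example.net>
To: Recipients
Subject: Your Annual Bonus is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Click to open a secure link and confirm you are the owner of the account.</p>
<a href="https://secure-paypal-reward.example.co.uk/claim">Claim Reward</a>
<a href="https://www.paypal.com/help">Help</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect every href from <a> tags, i.e. what hovering the button would reveal."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def host_belongs_to(host, brand_domain):
    """True only if host is brand_domain or a subdomain of it (hypothetical helper).

    Matching on the suffix with a leading dot means 'paypal.com.evil.example'
    or 'notpaypal.com' do not pass as the real domain.
    """
    host = (host or "").lower().rstrip(".")
    brand_domain = brand_domain.lower()
    return host == brand_domain or host.endswith("." + brand_domain)


def analyze_message(raw, brand_name="paypal", brand_domain="paypal.com"):
    """Return a list of human-readable red flags found in a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    findings = []

    # Rule #2: does the sender address really belong to the brand named in the display name?
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if brand_name in display.lower() and not host_belongs_to(sender_domain, brand_domain):
        findings.append(f"from: display name claims {brand_name} but address is {addr}")

    # Rule #2: a generic 'Recipients' line means it was not addressed to you specifically.
    to = msg.get("To", "")
    if "@" not in to:
        findings.append(f"to: no real recipient address ({to!r})")

    # Rule #3: inspect where each link actually goes instead of trusting the button text.
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")
    extractor = LinkExtractor()
    extractor.feed(body)
    for link in extractor.links:
        host = urlparse(link).hostname or ""
        if not host_belongs_to(host, brand_domain):
            findings.append(f"link: {link} goes to {host!r}, not {brand_domain}")

    return findings


if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EML):
        print(finding)
```

Run as-is it prints three findings for the constructed message: the mismatched sender, the generic “To” line, and the .co.uk link; the genuine `www.paypal.com` link is not flagged. The same function can be fed a message saved from a mail client (the raw `.eml` text) to get a quick list of things to verify before anyone clicks.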
What to do if you did click?
Thankfully, PayPal is very good about dealing with fraud. They’ve set up lots of procedures for dealing with illegitimate activity on their site and work diligently to resolve any issues. If you ever think your account has been compromised, contact PayPal immediately. They can help you regain control and hopefully recover any lost funds.
Like PayPal, other companies have protocols in the event of fraud and they will help you resolve issues. Your bank will likely respond and deal with issues very quickly too. Don’t ever be afraid to contact these organizations if you suspect there could be a problem.
Can you avoid this in the future?
Obviously, having good spam filtering employed isn’t quite enough. This email sneaked through those filters and still arrived. Learning to be suspicious of emails is a skill. Walking through the anatomy of an email helps too — reviewing carefully as you go. Ultimately your own eyes are going to be exceptionally helpful to determine when an email is illegitimate.
We help our business clients deal with these kinds of situations all the time. Some clients need training on ‘how to avoid’ malware or phishing scams such as this. Others need to appreciate how important filtering is to begin with. No matter your situation, our consulting team can help you understand the risks, reduce your exposure to threats, and combat these daily risks as they travel the internet.