Saturday, May 31, 2008

Anatomy of a Paypal Scam Email

I'm often asked what a typical Paypal email scam looks like. Today's email included a pretty standard sample. What should let a layman know that this is a scam?

  • The account that received the email isn't one with a PayPal account.
  • PayPal typically won't send emails with a subject like "Account limited".
  • The email is addressed to "PayPal Inc. account holder" rather than to a specific name. PayPal knows who their account holders are.
  • The URL included is not on PayPal's site; it is not the real URL.
  • The email changes topic from screening that requires more information to unauthorized access.
  • The email requests that users "upgrade" their account with more information.
  • Department is misspelled in the closing greeting, and referring to the group as the "PayPal Inc. Account Departement." is suspicious.

For the more technically adept users, I recommend reading headers. Those show interesting things like:

  • A from address of "PayPal." which is "" - yes, two l's.
  • A source IP that doesn't resolve to PayPal: "from (HELO User) ( by with SMTP; 30 May 2008 14:14:13 +0200"
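
The header checks above can be automated. The following is an added example, not code from the original post: it runs the post's indicators (a sender domain that imitates the brand, a role-based greeting, a link host outside the real domain, and a bare HELO name in the earliest Received hop) over a constructed sample message. The sender address, link host, IP and trusted-domain list are placeholders.

```python
import difflib, email, re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not the message quoted in the post); the sender address,
# link host and IP are placeholders shaped like the post's findings.
SAMPLE = b"""From: "PayPal." <service@paypall.example>
Received: from 192.0.2.10 (HELO User) (192.0.2.10) by mx.example.org with SMTP; 30 May 2008 14:14:13 +0200

Dear PayPal Inc. account holder,
Please visit the Resolution Center: http://paypal.example-resolution.test/cgi-bin/webscr
"""

BRAND = "paypal"
TRUSTED_DOMAINS = {"paypal.com"}  # assumed list of domains the brand really mails from
GENERIC_GREETINGS = ("account holder", "customer", "user", "member")

def is_trusted(host):
    return any(host.lower() == d or host.lower().endswith("." + d) for d in TRUSTED_DOMAINS)

def looks_like_brand(host):
    # True when the first domain label imitates the brand name (e.g. one extra letter).
    label = host.lower().split(".")[0]
    return BRAND in label or difflib.SequenceMatcher(None, label, BRAND).ratio() > 0.8

def phishing_indicators(raw):
    """Return {indicator: detail} for the heuristic red flags found in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    flags = {}
    # Sender domain imitates the brand but is not one of its real domains (the "two l's").
    sender_host = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2]
    if not is_trusted(sender_host) and looks_like_brand(sender_host):
        flags["lookalike_sender"] = sender_host
    # Greeting addresses a role ("account holder") rather than the customer's name.
    first = body.strip().splitlines()[0].lower() if body.strip() else ""
    if first.startswith("dear") and any(g in first for g in GENERIC_GREETINGS):
        flags["generic_greeting"] = first
    # Any link whose host lies outside the trusted domains.
    bad = [u for u in re.findall(r"https?://\S+", body) if not is_trusted(urlparse(u).hostname or "")]
    if bad:
        flags["untrusted_link"] = bad
    # Earliest hop (last Received header) announced a bare HELO name such as "User"; the IP
    # is returned with it so it can be checked against the brand's published ranges.
    hops = msg.get_all("Received") or []
    m = re.search(r"\(HELO ([^)\s]+)\)\s*\(([\d.]+)\)", str(hops[-1])) if hops else None
    if m and "." not in m.group(1):
        flags["bare_helo"] = (m.group(1), m.group(2))
    return flags
```

The heuristics are deliberately simple; a message that trips several of them at once is what the post describes, and a reverse-DNS or SPF check on the returned IP is the natural next step.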

At this point, many anti-spam systems will have flagged the message and will have tossed it - that's lucky for us, although people do still fall for the messages.

Without further ado, the message itself:

Dear PayPal Inc. account holder,

PayPal is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.

*Why is my account access limited?*

Your account access has been limited for the following reason(s):

We have reason to believe that your account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection.

(Your case ID for this reason is PP-0XD2-0XBC-0XDA-0X37.)

*How can I restore my account access?*

Please visit the Resolution Center and complete the "Steps to Remove Limitations."

Completing all of the checklist items will automatically restore your account.

Be aware that until we can verify your identity we will have no other liability for your account or any transactions that may have occurred as a result of your failure to upgrade your account as instructed above.

PayPal Inc. Account Departement.