A convincing con

[Image: PayPal fraudulent email]

A few days ago, I got a fraudulent email purporting to be from PayPal, which was surprisingly convincing.

The email’s most credible feature was its timing, which coincided with a recent PayPal transaction of mine.


Here’s why I was almost caught out:

  1. The message was addressed to me, Ian Saxon, not “Valued Customer”
  2. The email appeared to come from a legitimate PayPal email address (service@paypal.com)
  3. The contents were mostly well written. I noticed only four spelling and grammatical mistakes.
  4. I used PayPal recently, making it plausible that the company would want to check that the transaction was legitimate

…But not quite

The email was certainly not legitimate. Here’s how I knew:

  1. There were spelling and grammatical errors. Don’t kid yourself – the real PayPal has proofreaders
  2. The email asks me to send photocopies of sensitive stuff (passport, driver’s licence, bank statement)
  3. I was asked to respond to security@paypalfraudchecking.com, which doesn’t have the usual @paypal.com suffix
  4. A quick Google search of a section of text in the email yielded warnings of PayPal scams

The most convincing piece of evidence that the email was fake was #4. Take a look at the results:

[Image: Email from my bank after I changed my password]

To get this, I simply highlighted a portion of the email message (“PayPal is constantly working to ensure security by regularly screening the”), pasted it into Google’s search bar, and hit Search. It works just as well with or without quotes. As you can see, every result was a warning about this scam.
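As an added example (not from the original post), here is a small Python checker that applies indicators #2 and #3 from the list above to a raw email: it compares the Reply-To domain with the From domain, flags a domain that merely contains the brand name (paypalfraudchecking.com), and looks for requests for identity documents. Both sample messages are constructed, and the list of legitimate domains is an assumption.

```python
# Added example: flags the reply-to and sensitive-document indicators
# described in the post. Not code from the original post.
from email import message_from_string
from email.utils import parseaddr

# Assumption: the only domain the real service mails from.
LEGIT_DOMAINS = {"paypal.com"}
# Documents a payment provider does not ask for by email (from the post).
SENSITIVE_DOCS = ("passport", "driver", "licence", "license", "bank statement")


def domain_of(header_value):
    """Lowercase domain of an address header such as 'PayPal <x@y.com>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw_email):
    """Return a list of indicator strings; an empty list means none fired."""
    msg = message_from_string(raw_email)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    text = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
    brands = {d.split(".")[0] for d in LEGIT_DOMAINS}
    found = []
    # The From header can be forged, so a legitimate-looking From proves
    # nothing; the Reply-To is where the sender actually wants answers sent.
    if reply_dom and reply_dom != from_dom:
        found.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for dom in sorted({from_dom, reply_dom} - {""}):
        if dom not in LEGIT_DOMAINS and any(b in dom for b in brands):
            found.append(f"lookalike domain {dom} is not one of {sorted(LEGIT_DOMAINS)}")
    docs = [d for d in SENSITIVE_DOCS if d in text]
    if docs:
        found.append("asks for sensitive documents: " + ", ".join(docs))
    return found


# Constructed sample modelled on the scam email described in the post.
PHISH_SAMPLE = """\
From: PayPal <service@paypal.com>
Reply-To: security@paypalfraudchecking.com
To: recipient@example.com
Subject: Please confirm your recent transaction

PayPal is constantly working to ensure security by regularly screening the
accounts in our system. Please reply with a photocopy of your passport,
drivers licence and a recent bank statement.
"""

# Constructed benign receipt: same From, no Reply-To, no document request.
LEGIT_SAMPLE = """\
From: PayPal <service@paypal.com>
To: recipient@example.com
Subject: Receipt for your payment

You sent a payment today. Log in to your account to view the details.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, phishing_indicators(sample) or "no indicators")
```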


Questions from a reader II

In a previous post, a friend and reader asked some great questions. I answered about half of them here. Here’s round two:

1) You have mentioned a couple times data about Firefox and IE’s security vulnerabilities and patches. Could you explain what a security vulnerability constitutes in simple to understand terms? What exactly is vulnerable? Are these vulnerabilities constantly changing and being patched? At what rate?

A browser is a piece of software that interprets the languages of the internet and displays them in a way mere humans can understand. Clever coders can sometimes induce browsers to interpret a particular web language in a way that is harmful to you. For example, malicious code on a website may tell a browser to download and install a virus without telling you. Of course, browser companies (like Mozilla and Microsoft) usually try to eliminate these vulnerabilities when they are discovered.

Also, browsers can have important and well-travelled connections to a computer’s vital file systems (Internet Explorer 6 was famous for this). Imagine two paths into a file system, one of which is guarded by stern-looking toughs and another where old friends are waved through. Some badware programs have found that they can sometimes sneak in the second door if they hide under the cloak of an old friend of the guards.

As with all other security threats, browser vulnerabilities are constantly changing as attackers develop new techniques and defenders try to counter them. Each browser manufacturer patches vulnerabilities at different rates, and new threats pop up as the relative success rates of different techniques like phishing, trojans, keyloggers, viruses, and spyware shift.

2) I use Ad-Aware, Spybot, and Avast Anti-virus as you suggest. I was wondering what you recommend to do when problems are caught. There are usually options (though labeled differently) for Doing Nothing, Quarantining, Deleting, and Repairing. Are any of these options better than others, why or why not?

I like to repair infected files when possible and quarantine them when it’s not. Quarantining is, in my view, preferable to deleting for the same reason the death penalty is often eschewed in favour of a lengthy prison sentence: sometimes the prosecutor is wrong. Quarantining, like imprisoning, lets you correct mistakes when they happen, meaning you get back a file that is probably useful rather than dangerous.

3) I thought you might comment on social networking sites (Facebook, Myspace, etc.) security risks. I’ve heard in conversation with friends that quite a bit of private data can be gleaned off of what people decide to post on public sites. Is this true? What should people be able to post without compromising their security but still being able to participate in an online community?

Beyond the obvious (don’t post your SSN, etc.), there isn’t much I can say. Security and convenience almost always have to be traded against each other, and each person has to decide for herself where to start and end. If you really like sharing information on social networking sites, you might be better off protecting yourself by frequently monitoring your credit reports (the topic of an upcoming post), making sure your bank statements don’t have funny charges on them, and changing your passwords frequently.

4) I was specifically wondering about photographs and writing that you post in public spaces on the internet. Is there a security threat in these being stolen and used for monetary gains? Is it legal for people to take such information? When you post writing or photos, are there any sort of laws that copyright what you post in your name? Does the website hosting you gain any ownership of the data?

Sure, people can take your photos and words and use them inappropriately, but it is illegal for them to do so in many countries. The US Copyright Office has a FAQ section on copyright that is worth reading. They say, “Copyright exists from the moment the work is created. You will have to register, however, if you wish to bring a lawsuit for infringement of a U.S. work.” I don’t think a web host gains any ownership over the data you store with them, but you may want to research this carefully if it’s important to you.
