Bogus PayPal Account Messages
We've noted a couple scams in the past involving bogus e-mail messages. Though the scam is not new, Wired News is reporting that PayPal users in particular have been barraged by a flurry of illegitimate messages. Some messages even come complete with various, sundry viruses.
Scams of this sort involve messages which are purportedly from a legitimate authority such as Bank of America or eBay. The messages either directly ask for sensitive, personal information or link a site which does. The request often comes under the guise of logging into your account or updating an expired credit card number.
PayPal customers have endured quite a few of these attacks in the past -- and several in the past few weeks. The new attacks, however, all seem to be related, using e-mail attachments to gain access to the user's information. Ostensibly, the user opens the attachment of their own volition, thereby exposing their computer to hackers.
Fortunately, however, these charlatans can't spell. That should be your first tip that these messages aren't legitimate. Of course, by that rubric, you could safely ignore just about every article we've ever posted. :)
Your second tip should be that, as a general rule, businesses do not send attachments unannounced. In other words, it's very unlikely that you'll receive a message from a company like PayPal with an attachment. If you do, then contact somebody at the company to verify the validity and purpose of the attachment.
There are exceptions, of course. You may request a file from a business, or a support person may send you a file during the course of troubleshooting a problem. However, in most of these cases, you know that the file is coming and have an idea of what that file will contain.
As always, keep in mind your starting point, your source of authority. If you receive a suspicious message, don't reply to the message. Don't click the links in that message. If the message is not legitimate, then don't count on any part of that message to be legitimate.
Instead, start with what you know. Open up your Web browser as you normally would to surf the Web. In the "address" bar across the top of your Web browser, type the address of the company who supposedly sent the message. In this case, you would type "paypal.com" to go to PayPal's site.
If you don't know the Web address, then start with your preferred search engine. Type the name of the company in the search field and click the "search" button. Again, in this case, you would just type "PayPal."
Once you've reached the Web site, then you can start investigating. Contact a customer service representative through the channels provided. If you have an account with the company in question, log into your account and see if there's any news for you, something that verifies or disproves the legitimacy of the message in question.
When in doubt, don't trust the message. If you don't hear back from the company's customer service representative in a timely manner (and PayPal is notoriously bad for this), just delete the message. Keep in mind that the more urgent the message sounds, the less likely it is that it's real.
When it comes to security, don't ever assume that no news is good news. Scammers and hackers rely on assumptions when executing social engineering attacks. That's exactly what this is: a social engineering attack. They are not exploiting a bug in a program: they are leveraging our own preconceptions against us.