Friday, October 26, 2012

I'm Gonna Getcha, Sucka!

Somebody came phishing in our pond here at Geek Central. I received an email from someone who claimed to be from PayPal Customer Service and Support. There was a return address on it and everything. The email started with the salutation to "Dear PayPal Services User".

It was a long email, announcing that PayPal had rewritten "over 60" policies and replaced them with just two, which were shorter and easier to read. They asked me to download an attached file and ... well, here's the pertinent text:

- How can I read and accept the PayPal policies ?

It's easy:
1. Download the new policies attached to this email.
2. Confirm that you're the owner of the account.
3. Read and accept the Privacy Policy and Merchant Services Agreement by clicking the "I Accept" button.

Please note:
You have to read and accept our new policies within the next 10 working days, however, if you don't comply to accept our new policies, we (PayPal Inc.) will be forced to terminate your account.
[I underlined the part that was the 'kicker' .... it was an attempt to induce me to comply using fear tactics.]

The email had an attached file, which I did NOT open!

Instead, I went to the PAYPAL website, found the page on "SECURITY CONSIDERATIONS", and forwarded the entire message including the attachment to spoof@paypal.com

Later, I received the following message from PAYPAL:

Thanks for forwarding that suspicious-looking email. You're right - it was a phishing attempt, and we're working on stopping the fraud. By reporting the problem, you've made a difference!
Identity thieves try to trick you into revealing your password or other personal information through phishing emails and fake websites. To learn more about online safety, click "Security Center" on any PayPal webpage.
Every email counts. When you forward suspicious-looking emails to spoof@paypal.com, you help keep yourself and others safe from identity theft.
Your account security is very important to us, so we appreciate your extra effort.
Four things alerted me to this obvious phishing expedition:
1. The salutation ... if a vendor sends me 'official' email, they use the identity with which I had subscribed to their service. They don't use some generic salutation.
2. The technique: Download a file to read the policy? And how would I confirm that I had read it? It's just bogus ... any legitimate vendor would have a webpage on their official (and Safe/Secure) website.
3. The threat .... no legitimate vendor would cancel a subscription because their customer didn't reply to an email. Suspend an account, perhaps, under special circumstances.
4. The address .... I DO have a PayPal account, but it's not related to the email account to which this email was sent. In fact, none of my business accounts reference any of my 'public' email accounts.
So no, I didn't open the attachment. As soon as I received the confirmation from PayPal, I permanently deleted the original email and the attachment. They were already in limbo, because the FIRST thing I did was to mark it as S*P*A*H*M (deliberately misspelled) because the domain name was obviously bogus.
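The four tells listed above (generic salutation, "download the attachment" instructions, a deadline with a threat, and a recipient address never given to the vendor), plus the bogus sender domain, can be checked mechanically before a human ever reads the message. The following is an added example, not code from the post, and uses only the Python standard library. The regular expressions, the two sample messages, the registered-address set and the trusted-domain set are all constructed for illustration; a real deployment would supply its own lists.

```python
"""Heuristic phishing triage over a raw RFC 822 message (added example)."""
import re
from email import message_from_string, policy
from email.message import Message
from email.utils import getaddresses, parseaddr
from typing import List, Set

# Indicator patterns (constructed; tune for your own mail stream).
GENERIC_SALUTATION = re.compile(
    r"^\s*dear\s+(valued\s+)?(customer|member|client|.*\buser\b)\b", re.I)
DOWNLOAD_REQUEST = re.compile(r"\b(download|open)\b.*\battach", re.I)
THREAT = re.compile(
    r"\b(terminat|suspend|lock)\w*\b.*\baccount\b"
    r"|\bwithin the next \d+ (working |business )?days\b", re.I)


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _attachment_names(msg: Message) -> List[str]:
    return [p.get_filename() or "" for p in msg.walk()
            if p.get_content_disposition() == "attachment"]


def _domain_trusted(address: str, trusted: Set[str]) -> bool:
    domain = address.rpartition("@")[2].lower()
    return any(domain == d or domain.endswith("." + d) for d in trusted)


def phishing_indicators(raw: str, registered: Set[str], trusted: Set[str]) -> List[str]:
    """Return the names of the indicators the message trips, in fixed order.

    registered: addresses the reader actually gave the vendor (caller-supplied).
    trusted:    domains the vendor genuinely sends from (caller-supplied).
    """
    msg = message_from_string(raw, policy=policy.default)
    body = _body_text(msg)
    hits = []

    # 1. Generic salutation instead of the name on the account.
    first_line = next((ln for ln in body.splitlines() if ln.strip()), "")
    if GENERIC_SALUTATION.search(first_line):
        hits.append("generic_salutation")

    # 2. An attachment is present and the body tells you to open it.
    if _attachment_names(msg) and DOWNLOAD_REQUEST.search(body):
        hits.append("asks_to_open_attachment")

    # 3. Deadline plus threat of account termination.
    if THREAT.search(body):
        hits.append("threat_or_deadline")

    # 4. Sent to an address the vendor was never given.
    recipients = {a.lower() for _, a in getaddresses([str(msg.get("To", ""))])}
    if recipients and not recipients & {r.lower() for r in registered}:
        hits.append("recipient_not_registered_with_vendor")

    # 5. Sender domain is not one the vendor uses (display name is ignored).
    _, sender = parseaddr(str(msg.get("From", "")))
    if sender and not _domain_trusted(sender, trusted):
        hits.append("sender_domain_not_trusted")

    return hits


# Constructed sample modelled on the message described in the post.
SAMPLE_PHISH = """\
From: PayPal Customer Service <service@paypal-support.example>
To: public-inbox@example.org
Subject: Important: new PayPal policies
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear PayPal Services User,

1. Download the new policies attached to this email.
You have to read and accept our new policies within the next 10 working days,
however, if you don't comply we (PayPal Inc.) will be forced to terminate your account.

--b1
Content-Type: application/octet-stream; name="policies.exe"
Content-Disposition: attachment; filename="policies.exe"

AAAA
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_LEGIT = """\
From: PayPal <service@paypal.com>
To: business-owner@registered.example
Subject: Your receipt
Content-Type: text/plain

Dear Jane Doe,

Here is the receipt for your recent purchase. You can view it any time by
logging in at the website.
"""

REGISTERED = {"business-owner@registered.example"}  # constructed
TRUSTED = {"paypal.com"}  # the domain the post forwarded the report to

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(raw, REGISTERED, TRUSTED))
```

The function returns indicator names rather than a verdict so that a mail filter can weight them; a single hit is weak evidence, but the sample above trips all five, which is exactly the pattern the post describes.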

Companies like PayPal and EBay all have these kinds of security concerns. But we have to do our part, too. If YOU ever get an email that you think may be bogus, the first thing to do is to not click on any links, and not open any attachments. Not all email providers have protocols as safe as they should be, and Microsoft Outlook is just the most obvious example of software which may open files without instructions, if you don't have the highest level of security settings activated.

In the meantime, I'm feeling just a little smug tonite.  Instead of them getting me, I got them!
