My husband recently received a pseudo-PayPal spoof e-mail very much
like the one you described. This one was loaded with lots of
graphics stolen from the PayPal site - it looked very slick and
professional and “real.” It, too, directed the recipient to a website
(which looked just like PayPal’s) and asked for things such as
your SS#, your credit card number, and your PIN. (PayPal will never
ask for your PIN.)
If you’re working with a good firewall correctly configured, it
sometimes can be safe to at least look. Just make sure you’ve set the
firewall to deny any outbound identifying information from being
transmitted. Zone Alarm is good this way. Others may be too. If
you’re NOT working with such protection, it’s best to never even look
at these sites, especially if you use Internet Explorer. The new
Firefox browser is a lot safer in this regard.
But anyway, looking closely at these phishing sites, one notices one
reason why so many of the features closely mimic a PayPal page. The
reason is that most of the page is actually code copied from a PayPal
page, and all of the little links to other features of PayPal will
actually take you to that feature on PayPal. Only the main page of
the phishing scheme is fake. You can see it by observing the URL
line in your browser. The link in the scam email which you clicked
looked like a PayPal URL, but the real link it takes you to is not a
PayPal site. Most likely, it’s been rigged to look almost like
PayPal, but a close look will show that while PayPal’s sites start
with something like http://www.paypal.com/… with the dots after
that backslash being the details of where on the site you’re going,
the fake ones will have something between the www and the paypal.
Often it’s just a couple of letters or numbers, and then a dot. That
little detail is the key. As the first item in the URL, THAT little
sequence is the address of the actual server. On PayPal’s site, it’s
always the PayPal server. The fakes may make it look almost the
same, but a close look at the URL line in your browser shows the
real address of the site. But click on any link, like privacy policy,
or other parts of the PayPal site shown as links on the page, and
they indeed work, then showing you that they indeed are on the PayPal
servers. All in all, the schemers/scammers do it VERY slickly. You
need to be very on your toes with such things.
The bottom line is simple. There are virtually NO merchants, banks,
or any services that give you any sort of account, that will ever
send you an email requesting that you update or give
them any verification, and that will also then give you a link in the
email. The very few times that such an email might get sent, it will
simply be a notification of some event in your account that requires
your attention. It will tell you the organization. It will assume
you know how to get there by typing in the URL yourself, or using
your bookmarks, or something. The difference is that then YOU go to
the organization. They don’t direct you. Any email that gives you a
link to click to take you where THEY direct, can be fooling you.
Remember that with HTML coding, a link you see to click is only a
label. The actual URL you’re clicking on is hidden in the code of the
HTML. This is to allow a link to be a text label, even if the link is
simply a numeric URL or other long stuff. The URL shown in your
browser window is accurate, but sometimes these take careful reading
to be sure of where you are. And remember too, that with JavaScript
and other such methods, a page can, without your direct knowledge,
communicate with the remote site. Windows continues to be full of
holes that, no matter how fast Microsoft plugs them, allow HTML
pages to potentially transmit sensitive info, or accept cookies and
other programs that then run on your computer. Spyware, viruses, data
loggers, and all those nasties, seldom if ever announce their
arrival, but in general, they get to your computer when you go to the
site that’s distributing them… Once you go to a site, even if you
don’t fill in the forms, if you’re not behind a good firewall, and
it’s not set correctly, you can have given the bad guys what they
want. So be careful. Screen your email carefully before replying or
clicking on anything in an email, even if you think you know who it’s
from and what it is. The bad guys have many legitimate email
addresses too, including, for example, a couple of mine. Some folks
get email messages with my email address as the from address, which
contain virus infections and the like. Trust me. I didn’t send these,
and neither did my computer. People who don’t carefully screen their
email could be fooled.
One trick that will help with email, by the way, is to use an email
program that does not have the ability to directly run any code.
Generally this means turning off the ability to read HTML formatted
email, or using an email client that does not have HTML capability
built in. It’s one of the main reasons I use Forte Agent as my mail
reader. When I get an email in HTML code, I don’t see the formatted
page. I see either a little icon showing me that it’s an HTML page,
and to read it I have to click it, or I can alternatively look at the
raw message, the actual text of the HTML page (the code). Either
way, this is safe to do. Nothing runs, nothing gets loaded, nothing
can infect. I can look at suspect email headers to see who it’s from
(not the “from” header; the real headers along with it). Or I can
look at the HTML code to see what the message might be about. You
know, the interesting thing about this is that only two types of
messages seem to come in only HTML form. Most legitimate emails
from individuals come in either plain text (which is safe to read),
or in dual format, so that there is the HTML portion represented by
that icon, but then a plain text version, so I can know what the
thing is about. The only things I’ve seen that commonly come as ONLY
HTML are spams, nasty stuff like virus infected messages and a few
newsletters from organizations whose online publications need the
graphic capabilities of HTML. And there are not many of those.
Agent will, of course, still not prevent you from getting into
trouble. You can still click a URL and go somewhere you should not,
from a nasty phishing email. But you have to make the error in
judgement. Nothing is automatic. Take the time to know what you’re
replying to before doing so, and you stay safe.
cheers
Peter Rowe
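As an added example (not code from the post or its author), here is a small Python script that makes the point about link labels versus real URLs mechanically: it pulls every link out of an HTML e-mail, shows the label you would see next to the host the href actually connects to, and judges genuineness by the hostname's trailing domain labels rather than by whether the word "paypal" appears somewhere in the string. The genuine domain and the sample e-mail are assumptions constructed for the demonstration.

```python
"""Audit links in an HTML e-mail: label shown vs host the href really reaches.
Added example, not the poster's; genuine domain and sample mail are assumed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

GENUINE_DOMAIN = "paypal.com"  # assumed: the site the e-mail claims to be from

class LinkCollector(HTMLParser):
    """Collect (href, visible label) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def is_genuine(host):
    """True only for the genuine domain or a subdomain of it: the LAST labels
    of a hostname name the server, so www.paypal.com.x9.example.net fails."""
    return host == GENUINE_DOMAIN or host.endswith("." + GENUINE_DOMAIN)

def audit_links(html):
    """Return (label, real host, verdict) for each link in the message."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, label in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if is_genuine(host):
            verdict = "ok"  # really on the claimed site, like the post's privacy-policy link
        elif GENUINE_DOMAIN.split(".")[0] in (href + label).lower():
            verdict = "suspicious"  # names the brand but connects elsewhere
        else:
            verdict = "unverified"
        findings.append((label, host, verdict))
    return findings

# Constructed sample in the shape of the spoof mail described in the post.
SAMPLE_MAIL = """<p>Please <a href="http://www.paypal.com.x9.example.net/update">
http://www.paypal.com/cgi-bin/webscr</a> to restore your account.</p>
<a href="https://www.paypal.com/privacy">Privacy Policy</a>
<a href="http://203.0.113.5/login">Log In</a>"""
```

Calling audit_links(SAMPLE_MAIL) flags the first link as suspicious (its label reads like a PayPal URL but the host is an example.net server), passes the privacy-policy link, and leaves the bare IP link unverified.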