Wednesday, April 11, 2012

Paypal Spoof: How I knew the Paypal email I received was fraudulent

I had a recent experience with email spoofing involving Paypal, and I would like to share how I recognized the email as spoofed and thus fraudulent.

My wife was selling her Macbook. Like most Gen X/Y couples do, we posted her Macbook for sale on eBay and other trading sites. Two days later, we received an email from someone with a yahoo account asking what the price would be in US dollars, including shipment to Nigeria. He didn't give a name and he didn't leave a shipping address. We told him the price would be US $450, but that he would have to shoulder the shipping cost, which would depend on the address and on his favored shipping method/company. He said he wanted to transact via Paypal, and even offered to up the price to US $580 including shipping cost -- what generosity.

So that night, I sent him an invoice from my Paypal account. 24 hours passed and I received a notification claiming to have come from services@intl.paypal.com informing me that payment had been made. Careful examination revealed it was a spoofed/phishing email. He was bamboozling me! Here's how I immediately knew it was fake:




1. The email address was spoofed. Email spoofing is an attempt to hide the true address an email was sent from. In an email header, the sender is shown as "My Display Name <my@email-address.com>". In my supposed Paypal payment notification email, the display name was "services@intl.paypal.com", which coincidentally is the address correct Paypal notifications are sent from. The address it was actually sent from (inside the "<>" characters) was customerservice@accountant.com (not a correct email for Paypal). BUT, when you reply to this email, the reply-to address is "customer_agency@consultant.com"! So which is which? Highly suspect indeed.

        The General Rule: Reputable websites have the same web name, email address, email address display name, and any other name they have on the web. These companies go out of their way to ensure they have a single name-presence on the internet. They pay money to buy all domain names relevant to their canonical (aka commonly used) name. Besides, search portals such as Google work best with consolidated domain names. It doesn't make sense for these websites to use any other name.

2. PENDING status?? As far as I know, there is no notification for a pending status in Paypal. I don't think there ever was. I admit though that I may be wrong, so I examined other fields as well.

3. Payment approved but not reflecting in Account until shipment tracking confirmation was sent? I had been using Paypal for quite some time and I never saw that particular status. I don't think this status ever existed.

        The General Rule: When in doubt, open your Paypal account and check the status directly there. Your Paypal account should contain the correct status. Just to be sure, wait a few hours (sometimes they take time to update). In my case, I waited a day. But the status still remained "unpaid" and even "Overdue". This rule applies to all other web-based portals and payment tools. Don't click the link or trust the email. Go directly to the payment portal website the old-fashioned way -- by typing the URL in the URL bar. That should be safe -- at least unless the site itself has been hacked or its domain name hijacked.

4. Questions? Contact our customer center at customer_agency@consultant.com. We discussed domain names in the first item. This is suspect. Why wouldn't their customer center be customer_center@paypal.com? But what really caught my eye was the fact that the real Paypal never encouraged recipients to reply to its emails. They instruct Paypal account owners to log in directly to their Paypal accounts and check the status there. They tell Paypal users to instead use the online help center inside their Paypal accounts. In fact, they give you all other options to contact them but explicitly tell you not to reply to their emails.

The General Rule: This is the golden rule when transacting online. Be familiar with how your online payment sites work! Be a stickler for details. After all, it's your money. If you're using your bank's online banking facility, ask the bank what normal notifications should look like. Be familiar with every detail on the email invoices and notifications. Ask your friends what their invoices and notifications would normally look like and check if yours is suspect. Most importantly, when in doubt -- do not transact online.
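The From and Reply-To checks described in the list above can be run mechanically over a message's raw headers. The following Python script is an added example, not part of the original post; the sample message is constructed from the addresses quoted above, and the function name `header_findings`, its `expected_domain` parameter and the finding labels are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample reproducing the header values described in the post.
SAMPLE = """\
From: "services@intl.paypal.com" <customerservice@accountant.com>
Reply-To: customer_agency@consultant.com
To: seller@example.com
Subject: Payment notification (constructed sample)

Body omitted.
"""

ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def under(domain, parent):
    """True if domain is parent itself or a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)


def header_findings(raw, expected_domain):
    """List the From / Reply-To inconsistencies found in a raw message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    findings = []
    # The display name is itself an address, on a different domain from
    # the address the mail client will actually use.
    shown = ADDR_IN_TEXT.search(display)
    if shown and shown.group(1).lower() != from_dom:
        findings.append("display-name-address-mismatch")
    # The real sender address is not on the organisation's own domain.
    if not under(from_dom, expected_domain):
        findings.append("sender-not-expected-domain")
    # Replies would go to yet another domain.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if domain_of(reply) != from_dom:
            findings.append("reply-to-domain-mismatch")
    return findings


if __name__ == "__main__":
    print(header_findings(SAMPLE, "paypal.com"))
```

All of these headers are written by the sender, so an empty result does not show a message is genuine; checking the status inside the account itself remains the deciding step.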

I immediately forwarded this email to spoof@paypal.com and they replied a day later confirming my suspicions. I was glad I waited. Be careful with these kinds of transactions because the supposed buyer harasses you via email demanding the shipment tracking details, claiming they already paid. They know that the next 48 hours are crucial. If they don't close the con within 48 hours, chances are they will be caught. Thus in my case, the supposed buyer even threatened to report me to the FBI for allegedly defrauding him of US $580.00.

Detecting fraud relies more on social skills than on technical skills -- and that is as true when transacting online as it is when transacting with people face-to-face. The fact that my supposed customer was overtly generous should have already made me suspect him. You can be generous with charities. You can be generous with family. But will you offer unsolicited generosity to a faceless online seller you don't know? Also, his not telling us his real name was a major red flag.

It takes great effort to lie. That's why we call them con artists. But lying on the internet is easier due to the faceless interaction. Then again, there are ways to catch a fraudulent transaction over the internet. Even over the web, transactions are still personal. Follow your gut, have the sense that is common to all, study the person/company/website you are transacting with, be a stickler for details; and, when in doubt, don't.
