Beware of Phishing Scams and How to Spot Them
I got an email that looked like it was from PayPal. But it was really from a fraudster running a phishing scam, trying to steal my login and password.
"Phishing" is pronounced exactly like "fishing". The basic premise is that a fraudster sends out a fake email that poses as a legitimate, popular online business. The fraudster tries to get you to click on a link that takes you to a phony copy of the website of the business you normally deal with. If you go to this fake site and type in your login and password, the fraudster now has your password. If this has happened to you, immediately go to the real online business, log in and change your password so that the fraudster cannot access your account or your funds.
To avoid this, learn to spot fraudulent emails and never click on a link to enter your login. If you need to log in, always go to the legitimate site yourself by typing the URL into your browser, and make sure you typed it correctly (or bookmark it). Always enter from the site's main home page.
Let's look at this in more detail...
1. The scam starts with the fraudster sending out a fake "phishing email". This email claims to be from, and looks like, a legitimate online business. It even has the correct "From address" of the legitimate business. But don't let that fool you: the "From address" is easily forged.
Here the email poses as PayPal, but it may pose as eBay, a bank, etc. PayPal and eBay are perfectly fine, legitimate companies to do business with. They are often impersonated by fraudsters simply because so many people have accounts with them.
The first sign that this is a fraudulent email is that it did not address me by name. Legitimate email from a legitimate company will address me by name. Second, the address this email was sent to was not even my PayPal email. Or you may not even have a PayPal account.
Note that the fraudster is not specifically targeting you; they send out millions of these emails every day. The email preys on your fear by claiming that someone else has logged into your account from another location and that you need to click on the link to perform a "security check".
Do not click on the link!
2. In fact, try not to even open the email. If you have images enabled in your email client, the fraudster will know that you have opened the email, and therefore that this is a valid email address, which they can sell to other fraudsters. If you want to determine for sure whether an email is a fraud or not, you can forward the email to firstname.lastname@example.org and they will tell you whether they sent it or not.
3. You do not have to do the following, but for demonstration, I take my email and do a "File -> Save As" to an HTML file on my desktop. Do not double-click on the file: it will open in your browser and alert the fraudster that they have a valid email address. I open it in a text editor and see that although the visible link text between the <a> tags looks like a real PayPal link destination, the href value shows that it is taking you to a totally different place entirely.
4. That link might take you to a site that looks exactly like PayPal, with a login and password box, except that it is created by the fraudster and is not PayPal. If you typed your login and password into this fake site, the fraudster has your login and can try to log in to your PayPal account and extract funds. In this case, what you should do is go to the real PayPal site by typing https://www.paypal.com into the address bar of your browser, and immediately change your password. Then contact PayPal.
In fact, you should familiarize yourself with how to change your password in PayPal. Often your account can be saved simply by changing the password and locking out the fraudster faster than the fraudster is able to reconfigure your account to extract funds.
5. Furthermore, the fake phishing site may pop up a page asking you to verify your credit card and other information. Obviously, do not type this information in, since that is exactly the information the fraudster is after. A real PayPal email will never ask for your password, your bank or financial information.
The moral of the story is never to log in to a site you arrived at by clicking on a link. Always log in to your legitimate online business via your own bookmarks or by typing in the URL yourself. Always watch the URL in your browser to see where links are taking you.
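The text-editor check from step 3, automated: this is an added example, not code from the original article, that parses a saved email's HTML and flags every <a> tag whose visible text names one domain while its href points at another host. The sample email body and the secure-login.example.net host are constructed for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None  # href of the <a> currently open, if any
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Crude last-two-labels reduction: www.paypal.com -> paypal.com (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def find_mismatched_links(html):
    """Return (visible text, href) pairs whose text names one domain while the href goes to another."""
    parser = LinkExtractor()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        shown = re.search(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text, re.I)
        if not shown:
            continue  # plain text such as "Click here": no domain to compare against
        target_host = urlparse(href).hostname or ""
        if registrable_domain(shown.group(1)) != registrable_domain(target_host):
            suspicious.append((text, href))
    return suspicious

# Constructed sample of a saved phishing email; secure-login.example.net is a made-up host.
SAMPLE_EMAIL = """<html><body>
<p>Someone logged into your account from another location.</p>
<p><a href="http://secure-login.example.net/pp/login.html">https://www.paypal.com/cgi-bin/webscr</a></p>
<p><a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
<p><a href="http://secure-login.example.net/unsub">Click here</a> to unsubscribe.</p>
</body></html>"""
```

Running find_mismatched_links(SAMPLE_EMAIL) returns only the first link, whose text claims paypal.com while the href goes to example.net; the genuine help link and the plain "Click here" link are not flagged.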
Here is an example of what to look for in the real PayPal site before you start typing in your password.