Beware This e-Mail Scam (Asking For Your PayPal Pin #)

e-Mail | June 8, 2003 | PJ-Comix

[PJ-Comix]

I got this e-mail supposedly from PayPal this morning. Take a look. It certainly looks legit but when you think about it why would PayPal need to send out an e-mail asking for your pin # to find out if you are still an active member? They know who are active or inactive simply because they can detect when you log in. Plus why would they even need your pin # at all? They could just ask you to log in to your PayPal account and that would determine if you are active.

Anyway, let this be a PSA and a warning to all of you out there to beware of this obvious scam. I sure hope they catch the CREEP perpetrating this.

-------------------------------------

Sent: Sunday, June 08, 2003 3:52 AM

Subject: Important Information Regarding Your PayPal Account

Dear PayPal Customer

 

This e-mail is the notification of recent innovations taken by PayPal to detect inactive customers and non-functioning mailboxes.

The inactive customers are subject to restriction and removal in the next 3 months.

Please confirm your email address and Credit or Check Card information using the form below:

 

Email Address:
Password:
First Name:
Last Name:
ZIP:
Credit or Check Card #:
Expiration Date:	/
ATM PIN:

Information transmitted using 128bit SSL encryption.

 

Thanks for using PayPal!

This PayPal notification was sent to this email address because you are a Web Accept user and chose to receive the PayPal Periodical newsletter and Product Updates. To modify your notification preferences, go to https://www.paypal.com/PREFS-NOTI and log in to your account. Changes may take several days to be reflected in our mailings. Replies to this email will not be processed. 

Copyright© 2003 PayPal Inc. All rights reserved. Designated trademarks and brands are the property of their respective owners.

[PJ-Comix]

Anybody else out there get this e-mail supposedly from PayPal? This reminds me of a sophisticated version of the Nigerian e-mail scam.

[Coroner]

I got this same one about 4 weeks ago. I was suspicious of it also.

[goldstategop]

Yup. I've gotten such e-mail. I don't think Paypal would send a message to consumers asking them to send credit card and other info over the Internet through unsecured e-mail. They'd have such customers verify their accounts at the site. It looks like a scam and all such e-mail should be forwarded to Paypal's Customer Service for investigation and enforcement action.

[Alouette]

Paypal Scam on Snopes

Claim:   As part of regular security maintenance, Paypal needs you to resubmit your credit card and bank account information.

Status:   False.

Example:   [Collected on the Internet, 2003]

Dear PayPal Customer

PayPal is currently performing regular maintenance of our security measures. Your account has been randomly selected for this maintenance, and placed on Limited Access status. Protecting the security of your PayPal account is our primary concern, and we apologize for any inconvenience this may cause.

To restore your account to its regular status, you must confirm your email address by logging in to your PayPal account using the form below:

Email Address:
Password:
Bank Account
Enter Bank Account #:
Credit Card
Enter Credit Card #:
Exp. date	/
This notification expires March 31, 2003

Thanks for using PayPal!

This PayPal notification was sent to your mailbox. Your PayPal account is set up to receive the PayPal Periodical newsletter and product updates when you create your account. To modify your notification preferences and unsubscribe, go to https://www.paypal.com/PREFS-NOTI and log in to your account. Changes to your preferences may take several days to be reflected in our mailings. Replies to this email will not be processed.

If you previously asked to be excluded from Providian product offerings and solicitations, they apologize for this e-mail. Every effort was made to ensure that you were excluded from this e-mail. If you do not wish to receive promotional e-mail from Providian, go to http://removeme.providian.com/.

Copyright© 2002 PayPal Inc. All rights reserved. Designated trademarks and brands are the property of their respective owners.

Origins:   At least since the summer of 2002, PayPal and eBay customers have been plagued by "phantom e-mails" that require them to provide their credit card and bank account numbers to restore their accounts to fully operational status. Don't be fooled -- those "phantoms" do not originate with either PayPal or eBay; they are the creation of thieves intent upon harvesting bank account and credit card numbers from the unwary.

The one showcased above first appeared in inboxes in March 2003. Although some elements of the form are genuine (the little blue PayPal symbol links to paypal.com, for example), information entered into the data boxes does not get sent to the online banking house; it is instead routed to an e-mail address in Russia.

Earlier versions ran the con in a slightly different way: Official-looking e-mails informed users their accounts had been flagged for fraud investigation and provided a hot link to a special PayPal web page where they could fill in the blanks -- name, address, credit card number -- necessary to reinstate their account status. Those earlier hot link manifestations would momentarily connect the about-to-be-defrauded to PayPal's home page before switching to a counterfeit verification page housed on an entirely different site.

Both eBay and PayPal (eBay bought out PayPal in 2002) swear they never ask for personally identifiable information via e-mail., and both have stopped including web site hot links in messages to members. Ergo, if you get an e-mail "from" one of these entities asking you for credit card or banking account number, it's not the real thing.

This form of theft is not new, even if the techniques now be used to accomplish it (CGI scripts and hot links) are. The same basic con has been used for a very long time and has flourished in numerous less techno-terrific ways -- it's all about getting potential victims to hand over their banking and credit information, a objective the con artist accomplishes by masquerading as a bona fide representative of a reputable and trusted organization which would have reason to ask for that information. In the non-cyber world the unwary have been duped into providing such sensitive financial details via fake IRS forms which appeared to have been issued by the victims' own banks. (The victims would fax the completed forms to the fraudster, thinking they were filing them with the Internal Revenue Service.) An even less technology-driven scam requires nothing more than a telephone and the local phone book: the defrauder skims the white pages for people who live near a particular bank and calls them, presenting himself as an employee of that financial institution who needs to confirm their account information. Because people tend to patronize the bank closest to where they live, the thief will encounter very few responses of "No, you've got the wrong Molly Brown -- I don't have an account there." We tend to accept the way people present themselves at face value, so only a handful of us think to question someone who greets us by name, identifies himself as working at our bank and informs us there is something wrong with our bank accounts. His straightforward request that we read off the account numbers from our checks will all too often net him the information he seeks; only long afterwards (if at all) do we stop to wonder why, if he had our names and phone numbers, he didn't have the details of our accounts at his fingertips as well.

Scams that trick the gullible into revealing private information by having them "confirm" details presumably already in the possession of the one doing the asking fall under the broad heading of "social engineering," a fancy term for getting people to part with key pieces of information simply by talking to them. The wary consumer's best defense to such maneuvers is a zipped lip (or, in the online world, an untapped keyboard). Protect yourself by volunteering nothing, even if you feel somewhat pressured by the one doing the inquiring. If someone on the telephone asks you to read off your checking account number for "verification," ask him instead to recite it to you from his records. If you get an e-mail announcing something dire has befallen one of your on-line accounts and requiring you to re-enter sensitive personal data to get things back on track, do not reply to it, and do not fill out any forms that accompany it or click through any hot links it provides. Instead, contact that service through its web site and ask them about the e-mail.

The con artists are getting more sophisticated all the time, so do not be too quick to mistake the appearance of legitimacy with legitimacy itself. Just because an e-mail looks like it comes from an entity you do business with doesn't mean it's genuine, and just because you're being directed to a web page that looks like that entity's home page doesn't mean you're not being sent somewhere else. Beware the wolf in sheep's clothing lest you end up his dinner.

Barbara "on the lamb" Mikkelson

Last updated:   15 March 2003

[PJ-Comix]

I posted it here because if it keeps just one Freeper from having his PayPal account from getting cleaned out by that creep who is perpetrating this fraud then it is worth the effort. Why can't they track down the JERK sending out these e-mails? Obviously he is sending out Hundreds of Thousands of such fraudulten e-mails.

[proxy_user]

These are all scams. You should forward them to spoof@ebay.com. Be sure that the 'fw' keyword is in the header. Ebay (the owner of Paypal) will shut down the bogus site.

[BCrago66]

I'd also forward it to (if you have the time):

1 - Your own state attorney general.

The FBI - as these e-mails are sent accross state lines, making the crime subject to federal jurisdiction.

[PJ-Comix]

The con artists are getting more sophisticated all the time, so do not be too quick to mistake the appearance of legitimacy with legitimacy itself.

The frightening thing is that the e-mail looked completely legit. This scam is probably much more effective than those Nigerian e-mail scams.

[PJ-Comix]

The FBI - as these e-mails are sent accross state lines, making the crime subject to federal jurisdiction.

Most likely this scam originates offshore. (Nigeria?)

[visualops]

As a PayPal member I can tell you they couldn't care less how "active" you are. They are not going to "deactivate" anyone. Also, if they require anything from you, you must log in and take care of it on site.
After you log in, you can go to their "Security Center" and get tips for buyers, sellers, and just general stuff.

From PayPal:

Protection Policies

How do I report a fake PayPal email or website?

If you received what you believe is a fake PayPal email, or if you came across a spoof PayPal website, contact our Customer Service team. Your tips help make online transactions more secure for everyone, and we thank you for letting us know about any unusual activities.

[Future Snake Eater]

The frightening thing is that the e-mail looked completely legit. This scam is probably much more effective than those Nigerian e-mail scams.

Maybe, but you'd truly have to have a few screws loose to send out that kind of information over unsecured e-mail.

[Alouette]

The frightening thing is that the e-mail looked completely legit.

You think that's bad? I got an invoice IN SNAIL MAIL saying that my domain name was about to expire, and that I should send them a check or credit card # to renew my domain name before someone else claims it.

Since all my domain names are all registered through 2008, I called Network Solutions to ask what's up with this invoice? They told me it was not from them, it's a scam, toss it. But how many small businesses, seeing this, will just write a check? Scary thought.

[BCrago66]

True - oh well, all one can do is hope for a stupid criminal.

[PJ-Comix]

Maybe, but you'd truly have to have a few screws loose to send out that kind of information over unsecured e-mail.

I guarantee that a lot of elderly people did just that.

[Future Snake Eater]

I guarantee that a lot of elderly people did just that.

I bet you're right, sadly. My girlfriend's elderly father fell for one of the Nigerian scams. Too willing to help, too gullible? Who knows, but these scammers need to be shot either way.

[mass55th]

I've got these types of emails from both eBay and PayPal. I just send them to the trash. I've tried forwarding them to both businesses, but apparently they'd already been told about them, or they could care less as I've never gotten any replies.

[DonQ]

To be nitpicky, I don't see this as a variant of the Nigerian scam, but it seems like a distant cousin of the very Bank Examiner scam or a few others I've heard about.

I got such a fake PayPal email about a month ago, but ignored it because, quite frankly, I've used PayPal only once, about a year ago, and I had completely forgotten my PIN, and since I recalled that setting up that PayPal account was unspeakably easy when I needed it, I wouldn't mind having to set up another account if I ever needed them again in the future.

A different email con I have gotten lately and repeatedly is an email purporting to be from MicroSoft and telling me there's some kind of glitch in the MS Internet Explorer but all I have to do is click on this link, set out in the email, and I will download the latest patch for it. But the return URL for these emails (I much have gotten about ten copies, each from a different email return address) is NEVER the MicroSoft company! This makes me think that this is some scam to get me to download a virus or spyware. If I ever wanted a new patch I would go straight to the Official MicroSoft website (if it wasn't already a bookmark, I'd find it with a search engine) and download it straight from there. The same goes for any other purported updates to anybody's software.

[Izzy Dunne]

This scam is probably much more effective than those Nigerian e-mail scams.

I get two or three of the Nigerian things per month (I have a publicly available e-dress on my company web site).

But here's a new one (to me, anyway):

Attention: _____ _____   (my real name) .

From: Mrs. Esther Williams.

I am Mrs. Esther Williams person from Malaysia undergoing medical
treatment. I am married to Dr. Alan George Williams who worked with
Malaysia embassy in South Africa for nine years before he died in the year 2000.

We were married for eleven years without a child. He died after a
brief illness that lasted for only four days. Before his death we were both
born again Christians. Since his death I decided not to re-marry or get a
child outside my matrimonial home which the Bible is against. When my
late husband was alive he deposited the sum of $27.6Million (twenty-
seven Million six hundred thousand U.S. Dollars) with one finance/
security company in Europe.

Presently, this money is still with the Security Company. Recently, my
Doctor told me that I would not last for the next three months due to
cancer problem. Though what disturbs me most is my stroke. Having
known my condition I decided to donate this fund to church or better
still a Christian individual that will utilize this money the way I am going
to instruct here in.

I want a church or individual that will use this to fund churches,
orphanages and widows propagating the word of God and to ensure that
the house of God is maintained. The Bible made us to understand that
blessed is the hand that giveth.

I took this decision because I don't have any child that will inherit this
money and my husband relatives are not Christians and I don't want my
husband's hard earned money to be misused by unbelievers. I don't want   
situation where this money will be used in an ungodly manner, hence
the reason for taking this bold decision. I am not afraid of death hence I
know where I am going. I know that I am going to be in the bossom.

If you will be of assistance, I will surely appreciate and thank you
for your kindness in giving me this help.

Thank you

Yours sincerely,

Mrs. Esther Williams.

---- One wonders how a "born-again Christian" "embassy worker" gets 27 million to deposit in 9 years, but apparently I'm supposed to feel sorry for her and greedy at the same time.
I don't know exactly what would happen next, but I strongly suspect it ain't legit.

[proxy_user]

If you follow my instructions is post #6 exactly, you will get a reply, or, to be precise, an automated reply followed several hours later by a real reply.

[The Brush]

This scam is probably much more effective than those Nigerian e-mail scams.

You mean those aren't legit?!?!?!
I put all my money on nothing because nothing lasts FOREVER!!