I received an email to my personal Outlook account today that appeared to be from PayPal, alerting me to suspicious transactions on my account.
At first glance the email seemed genuine. The sender address did not look suspicious and the email was formatted as you would expect from a service provider. Aside from a few giveaways that an unsuspecting individual might overlook, the email looked genuine.
The email subject line was simply ‘Your PayPal transaction is under review’. Having not used PayPal for some time, my initial thought was that my PayPal account had been hacked and that somebody was spending money on my account.
Upon reading the full email it became apparent that this is exactly what the sender wanted me to think. The transaction details were outlined and it appeared as though a small amount of money had been paid to an individual and, due to the suspicious location of the transaction, PayPal were withholding the funds until I could confirm that this was a genuine transaction.
The email proceeded to say ‘If you think that your account might have been hijacked complete the required form in order to cancel the transaction’. The word ‘form’ was hyperlinked. Having not clicked on the link, I can’t be 100% sure where it would have taken me, but my guess is it would have taken me to a website that was cleverly crafted to look like the legitimate PayPal website. This is a textbook example of a phishing email: the attacker entices an unsuspecting user to click a link to a fraudulent website in order to harvest personal details. The form would no doubt have asked for basic account details such as username, email address and password, or answers to predetermined security questions. Once details like these are stolen there is a well-known follow-up: the same email address and password are tried against all the common websites (passwords are reused far more often than they should be), and without any difficulty at all a person’s identity has been taken over and, typically, fraudulent purchases follow.
The biggest giveaway here is the fact that service providers very rarely ask you to input your account details off the back of an unsolicited email. If there is suspect activity on your account they will more often than not provide you with a number to contact them directly, and a representative will take you through the standard security checks before helping you resolve the issue. If you do receive an email like this, avoid clicking any links in the email. Best practice is to find a customer support number directly on the service provider's own website rather than ringing the number given in the email. The person you speak to will be able to confirm whether the email is real, whether the number provided is legitimate, and whether an issue actually exists with your account.
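The hyperlinked word ‘form’ is the whole trick: the text you see says one thing, the address behind it says another. A quick way to check an email without clicking anything is to pull every link out of the HTML and compare where it really points against the domains the provider legitimately uses. The script below is an added example written for this post, not code from the original article or from PayPal; the trusted-domain list and the sample email (with its made-up `.example` lookalike host) are constructed for illustration.

```python
"""Audit the hyperlinks in an HTML email body without visiting any of them."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the domain(s) the genuine provider links from.
TRUSTED_DOMAINS = {"paypal.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, anchor_text)
        self._href = None    # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_matches(host, trusted):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def shown_host(text):
    """If the anchor text itself looks like a URL or domain, return its host."""
    if "." not in text or " " in text:
        return None
    url = text if "://" in text else "https://" + text
    return urlparse(url).hostname


def audit_links(html, trusted=TRUSTED_DOMAINS):
    """Return one record per link with the reasons (if any) it looks suspicious."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme != "https":
            reasons.append("non-https scheme")
        if not host_matches(host, trusted):
            reasons.append("host outside trusted domains")
        displayed = shown_host(text)
        if displayed and displayed != host:
            reasons.append("display text shows a different host")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Just the links that raised at least one reason."""
    return [f for f in audit_links(html, trusted) if f["reasons"]]


# Constructed sample modelled on the email described above (lookalike host is fictional).
SAMPLE_EMAIL = """
<p>Your PayPal transaction is under review.</p>
<p>If you think that your account might have been hijacked complete the required
<a href="http://paypal-secure-review.example/login">form</a> in order to cancel the transaction.</p>
<p>Visit <a href="https://paypal-secure-review.example/">www.paypal.com</a> for details.</p>
<p>Help: <a href="https://www.paypal.com/help">PayPal Help Centre</a></p>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{status:10} {f['text']!r:24} -> {f['href']}  {', '.join(f['reasons'])}")
```

Run against the sample, the ‘form’ link is flagged twice (plain http, host not under paypal.com), the second link is caught because its visible text claims to be www.paypal.com while the address points elsewhere, and the genuine help link passes. The same three checks apply to any provider: swap the allowlist for the domains you actually expect.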
Have you ever been the victim of a phishing scam? Would you know the signs? Leave a comment in the box below.