Paypal Phishing Scam Almost Got Me

by joe on August 26, 2009

I’m generally surprised when I hear the number of people who fall for phishing scams. I mean really, do that many people think that some corrupt official in some remote country is going to send them millions of dollars? Less obvious are the ones that try to spoof your bank site or some other institution. Well, I got one today that I almost fell for.

The email came from ‘mail@online-paypal.com’ – which should have been a dead giveaway right there. The subject was ‘(1 new message).’ The body of the message implied that someone had tried to process a charge against my PayPal account, but that the transaction was on hold because it was initiated from a foreign IP address. There was a link to cancel the transaction. Of course, my first impression was “Aha! Somebody is trying to steal from my account! Well, I’ll just hit this handy little ‘cancel’ button and put a stop to that!”

I don’t know where the button would have taken me, because at the last moment it dawned on me that PayPal doesn’t generally send links in their emails. Upon close examination I realized the button didn’t link to a PayPal domain at all. I forwarded the email to spoof@email.com, who did indeed confirm that it was a spoof.

The text of the email is as follows (link removed for safety):

You have initiated a payment for $22.00 USD to info@servage.net.-

Payment details
Amount: $22.00 USD
Transaction ID: 5H633774LW536779Q

Because the payment was made from an foreign ip address, we put the transaction on hold.
To cancel this payment, click here. (this phony link went to pllthdpsec17.com)

Please do not reply to this email.

Email Id: DQ 532 XYONXVVQNMMBWRYWHDULWPGVMVRHOHKYGMIVJY

Hopefully, nobody else is dumb enough to fall for it, like I almost did.

Christopher 08.27.09 at 12:31 am

There are some very well designed phishing emails out there, although a majority of them are blatantly obvious. The first thing I do in any email, if there is any question about it, is hover the link and see the domain name. I also look at the from address; although this is easily spoofed, I use it to verify it isn’t an authentic address rather than confirming it is. In 99% of the phishing emails we receive, the email address is not an authentic domain, so it is very easy to narrow that down immediately.

In the example you mentioned, the email address was mail@online-paypal.com, which should have been a dead giveaway. Although it ends with paypal.com to fool many users, the real domain includes everything up to the @ sign unless it is a sub-domain. So I may have reported the email immediately upon seeing online-paypal.com as a domain name, or it may have been once I hovered over the link and saw it was not .paypal.com; it really depends where I am looking the second I check the email.

Typically even the best phishing emails only take me about .5 – 1 second to identify as phishing or authentic using the email domain and hovering the link; rarely do I need to go further than this.

To be honest, I rarely click any link anywhere (email or browser) without first seeing where it goes to by looking at the hover information.

Anyway, I’m glad nothing happened and you caught it before clicking ahead. The moment I see a link in an email (regardless of who sends it) my defenses go up and I act cautiously, checking things.
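The two checks Christopher describes (is the sender’s domain really paypal.com or a subdomain of it, and where does the link actually point?), written out as an added Python example that is not part of the post or the comment. The sample From header and link are constructed from the sender address and link host quoted in the post; the check is anchored at a dot boundary, which is what separates a real subdomain from a lookalike such as online-paypal.com.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample headers, built from the values quoted in the post.
SAMPLE_FROM = "PayPal <mail@online-paypal.com>"
SAMPLE_LINK = "http://pllthdpsec17.com/"


def host_belongs_to(host: str, legit_domain: str) -> bool:
    """True only if host is legit_domain itself or a real subdomain of it.

    The suffix test is anchored at a dot, so 'online-paypal.com' and
    'paypal.com.example.net' are both rejected even though one ends with
    and the other starts with 'paypal.com'.
    """
    host = host.lower().rstrip(".")
    legit_domain = legit_domain.lower().rstrip(".")
    return host == legit_domain or host.endswith("." + legit_domain)


def sender_domain(from_header: str) -> str:
    """Return the part after '@' of the address in a From header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2]


def link_host(url: str) -> str:
    """Return the hostname a link really points to (no userinfo, no port)."""
    return urlparse(url).hostname or ""


def check_email(from_header: str, links: list, legit_domain: str) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    sd = sender_domain(from_header)
    if not host_belongs_to(sd, legit_domain):
        findings.append(f"sender domain {sd!r} is not {legit_domain} or a subdomain of it")
    for url in links:
        h = link_host(url)
        if not host_belongs_to(h, legit_domain):
            findings.append(f"link points to {h!r}, not {legit_domain}")
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_FROM, [SAMPLE_LINK], "paypal.com"):
        print("WARNING:", finding)
```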
