Claim: As part of regular security maintenance, Paypal needs you to resubmit your credit card and bank account information.
Example: [Collected on the Internet, 2003]
Origins: At least since the summer of 2002, PayPal and eBay customers have been plagued by “phantom e-mails” that require them to provide their credit card and bank account numbers to restore their accounts to fully operational status. Don’t be fooled — those “phantoms” do not originate with either PayPal or eBay; they are the creation of thieves intent upon harvesting bank account and credit card numbers from the
The one showcased above first appeared in inboxes in March 2003. Although some elements of the form are genuine (the little blue PayPal symbol links to paypal.com, for example), information entered into the data boxes does not get sent to the online banking house; it is instead routed to an e-mail address in Russia.
Earlier versions ran the con in a slightly different way: Official-looking e-mails informed users their accounts had been flagged for fraud investigation and provided a hot link to a special PayPal web page where they could fill in the blanks — name, address, credit card number — necessary to reinstate their account status. Those earlier hot link manifestations would momentarily connect the about-to-be-defrauded to PayPal’s home page before switching to a counterfeit verification page housed on an entirely different site.
Both eBay and PayPal (eBay bought out PayPal in 2002) swear they never ask for personally identifiable information via e-mail., and both have stopped including web site hot links in messages to members. Ergo, if you get an e-mail “from” one of these entities asking you for credit card or banking account number, it’s not the real thing.
This form of theft is not new, even if the techniques now be used to accomplish it (CGI scripts and hot links) are. The same basic con has been used for a very long time and has flourished in numerous less techno-terrific ways — it’s all about getting potential victims to hand over their banking and credit information, a objective the con artist accomplishes by masquerading as a bona fide representative of a reputable and trusted organization which would have reason to ask for that information. In the non-cyber world the unwary have been duped into providing such sensitive financial details via fake IRS forms which appeared to have been issued by the victims’ own banks. (The victims would fax the completed forms to the fraudster, thinking they were filing them with the Internal Revenue Service.) An even less technology-driven scam requires nothing more than a telephone and the local phone book: the defrauder skims the white pages for people who live near a particular bank and calls them, presenting himself as an employee of that financial institution who needs to confirm their account information. Because people tend to patronize the bank closest to where they live, the thief will encounter very few responses of “No, you’ve got the wrong Molly Brown — I don’t have an account there.” We tend to accept the way people present themselves at face value, so only a handful of us think to question someone who greets us by name, identifies himself as working at our bank and informs us there is something wrong with our bank accounts. His straightforward request that we read off the account numbers from our checks will all too often net him the information he seeks; only long afterwards (if at all) do we stop to wonder why, if he had our names and phone numbers, he didn’t have the details of our accounts at his fingertips as well.
Scams that trick the gullible into revealing private information by having them “confirm” details presumably already in the possession of the one doing the asking fall under the broad heading of “social engineering,” a fancy term for getting people to part with key pieces of information simply by talking to them. The wary consumer’s best defense to such maneuvers is a zipped lip (or, in the online world, an untapped keyboard). Protect yourself by volunteering nothing, even if you feel somewhat pressured by the one doing the inquiring. If someone on the telephone asks you to read off your checking account number for “verification,” ask him instead to recite it to you from his records. If you get an e-mail announcing something dire has befallen one of your on-line accounts and requiring you to re-enter sensitive personal data to get things back on track, do not reply to it, and do not fill out any forms that accompany it or click through any hot links it provides. Instead, contact that service through its web site and ask them about the e-mail.
The con artists are getting more sophisticated all the time, so do not be too quick to mistake the appearance of legitimacy with legitimacy itself. Just because an e-mail looks like it comes from an entity you do business with doesn’t mean it’s genuine, and just because you’re being directed to a web page that looks like that entity’s home page doesn’t mean you’re not being sent somewhere else. Beware the wolf in sheep’s clothing lest you end up his dinner.
Barbara “on the lamb” Mikkelson
Last updated: 7 January 2008
Oldenburg, Don. “Subtle Scams in Online Payment.”
The Washington Post. 25 February 2003 (p. C10).