Directive Blogs
Spam: The Art of Deception
If you use email, you've probably seen spam. If you think we're talking about a canned meat product, and are wondering how it relates to email, then we envy you. For everyone else, saying your inbox probably has a little spam is a dramatic understatement. Spam comes in several different flavors, ranging from inappropriate solicitations to unwanted gibberish to carefully coordinated scams. We're going to go over one of these tricky spoofs that is known to fool users.
I have a PayPal account, although I received this email at an address that is not tied to my PayPal account. My mail client flagged it as Spam, but depending on your junk mail protection, something like this could slip through.
At first glance, the email looks pretty legit. It even says the email was sent from help@paypal.com. The email appears helpful, as its purpose is to inform me that my account was limited and help me get it fixed. Sounds great, right? If my email client didn't stick that big red warning at the top, it wouldn't be difficult to believe this is real.
I'm going to go a step further and check out this attachment.
DISCLAIMER: You really shouldn't ever download an attachment if you don't know exactly what it is. At Directive, we are professionals; download unfamiliar email attachments at your own risk.
Just the fact that the form was an attachment (they don't have a place for me to go on the PayPal site to fill out this form?) is a HUGE indicator that something is wrong here. This doesn't mean you are in the clear if the email has a link to click on instead of an attachment. It isn't difficult to put together a webpage that looks exactly like PayPal (or any other site) and trick people into filling out the form, sending all of that private data to the spammer.
That's exactly what we have here:
We have a form that looks like it could be taken right off the PayPal site. In fact, it probably is.
Here's the difference: hitting Submit won't send my info to PayPal. Instead, some complete stranger will get all of that data: bank account, PayPal account, credit card numbers; the whole list gets stolen.
This tricks users all the time. Here are a couple of quick ways to tell if something is legit:
Know the companies and sites you have accounts for. If you get an email that says your PayPal account has an issue, log into PayPal and check. DO NOT log into PayPal by clicking on any links or downloading attachments in the email; just go to the website and log in directly.
If you do click on a link from an email, look in your address bar to make sure it is going to a domain that makes sense. If it sends you to an IP address instead of a domain, or to a domain that doesn't make sense, do NOT fill out any information. Go to the website in question (http://www.paypal.com in this case) and look at your account from there.
Employ a good anti-spam solution. This will greatly reduce the amount of time you waste cleaning up your inbox and protect you from email scams.
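The address bar check above applies equally to the attached form, whose submit target stays hidden until you read its HTML. As an added example (not from the original post), this Python script lists where each form in an HTML file would send its data and flags IP addresses and domains outside the expected one; the sample attachment, its hosts and the function names are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FormActionCollector(HTMLParser):
    """Collects the action attribute of every <form> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def classify_host(url, expected_domain):
    """Return a verdict for where a URL actually points."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return "no-host"          # relative or empty action: cannot be verified
    try:
        ipaddress.ip_address(host)
        return "ip-address"       # raw IP instead of a domain name
    except ValueError:
        pass
    # Accept the domain itself or a true subdomain, never a mere substring:
    # "paypal.com.account-check.example" must not pass as paypal.com.
    if host == expected_domain or host.endswith("." + expected_domain):
        return "expected"
    return "unexpected-domain"


def audit_form_targets(html, expected_domain):
    """Pair each form action found in the HTML with its verdict."""
    parser = FormActionCollector()
    parser.feed(html)
    return [(a, classify_host(a, expected_domain)) for a in parser.actions]


# Constructed sample attachment; hosts are documentation-reserved values.
SAMPLE_ATTACHMENT = """
<form method="post" action="http://203.0.113.45/update.php"></form>
<form method="post" action="https://paypal.com.account-check.example/login"></form>
<form method="post" action="https://www.paypal.com/signin"></form>
"""

if __name__ == "__main__":
    for action, verdict in audit_form_targets(SAMPLE_ATTACHMENT, "paypal.com"):
        print(f"{verdict:18} {action}")
```

Only the last form in the sample posts to the expected domain; the first goes to a bare IP address and the second to a lookalike host that merely begins with "paypal.com".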
If you suspect spammers have gotten your personal data, contact us at Directive immediately.