Recently I received an email that was “From” Paypal. I will walk you through the phish and point out a few things that you should be aware of while you are opening emails that are requesting your personal information.
Before we get started the first thing to note is that PayPal (among other large companies like Amazon) implemented DMARC a while ago it will be nearly impossible if not completely impossible for anyone to spoof (fake) and email from PayPal. DMARC is an email validation system designed to detect and block email spoofing. It looks at some technical stuff about an email that most of the time a regular person never sees, or knows anything about. Trust me DMARC is a good thing!
Here is a screen shot of my junk email’s inbox (pro tip: have 2 email accounts one for signing up for stuff, and one for communication)
Looks legit doesn’t it? Sure looks like it says it is from firstname.lastname@example.org
Right away notice the subject line: YOUR PAYPAL ACCOUNT IS LOCKED!!!! OH NO!!! LIFE IS RUINED. YOU BETTER OPEN THE MESSAGE RIGHT AWAY.
There is always some sort of call to IMMEDIATE action that phishing emails have in them. This one grabs you right up front in the subject line.
Once in the message it looks really good.
Note that even though it said email@example.com the <firstname.lastname@example.org> called out with the #1 arrow is a good indication that it’s a fake.
#2 shows how good the branding of the email is. #3 show a minor typing error where the W is capitalized and #4 the punctuation and readability of the message isn’t great. In most cases Paypal, nor any other large company, would not let a message go out that wasn’t better grammatically.
yea, I better click that Resolve It Now button as soon as I can to rescue my Paypal account!
#1 clearly says “not secure” Just about every website on the planet that exchanges user names and passwords will be SECURE. Click here to see how you can tell.
#2 that url just doesn’t look right. Why wouldn’t it say paypal.com? Oh yea…. because it’s not!
#3 there is that nice looking branding again.
Let’s “log in”
#1 Sweet branding again #2 There is that call to action again #3 wow is that account number legit? nah… #4 more branding coolness
But I better click Continue or my Paypal account is never going to get unlocked!
Still looks super legit. Branding, Secured & Certificate by logs, and damn it shows my “account” is limited! I better get my information in there.
Wow I really need to get my credit card information updated in there!
more really cool branding and heck it says “Verified by VISA” so it must be ok to put in there.
Whew now that that is done I can submit this information so I can get my paypal account unlocked.
Here is another REALLY slick item. After you click submit it sends you to the ACTUAL paypal.com website so you can login and magically see that your account is all better now.
In my opinion this is a really good phish. There are a number of things pointed out here that I hope you will remember when you see one of these in your inbox!
Please take some time to “like” us on Facebook.