March 17, 2003

PayPal scam
Posted by Teresa at 03:50 PM *

Kent Brewster, proprietor of Speculations, has flagged a well-constructed scam letter that claims to be from PayPal. It says PayPal is doing maintenance on their security measures, in pursuit of which they want you to send them your e-mail address and password, the location and account number of your bank account, and your credit card’s number and expiration date. Needless to say, this is A Bad Idea.

It’s a plausible-sounding little letter. It uses PayPal code and graphic images, and links to PayPal’s own front page. The boilerplate at the bottom of the letter about how you can unsubscribe from PayPal or from Providian’s mailing list also links to those real pages.

Speculations is an online magazine and bulletin board for aspiring writers, so it seems appropriate that what first tipped Kent off about the letter was that its subject line didn’t sound quite like PayPal’s usual style. (via Jim Macdonald)

Comments on PayPal scam:
#1 ::: chuqui ::: March 17, 2003, 05:37 PM:

A new variant of one that's been wandering around for a bit. Quite slick. The one I got sent was from eBay, but basically the same pimp (mine arrived January 19).

#2 ::: Beth ::: March 17, 2003, 05:39 PM:

Is there a missing close-italics tag in your post, or am I just seeing italics everywhere?

#3 ::: Erik V. Olson ::: March 17, 2003, 05:45 PM:

If you learn nothing else for the rest of your life, learn this.

Never, ever, ever, (...) EVER send the following information in response to an "official" email -- or, for that matter, a phone call.

1) Address.
2) Social Security/Taxpayer ID numbers
3) Credit Card Numbers. Esp. that one on the back that isn't encoded on the magstripe.
4) Passwords to anything.
5) Bank Account info. For Ghugle's sake. At least with Credit, you have a strong challenge available to you, and you're not liable for the money until it's resolved. Which would you rather do? Argue about the bill and not pay it, or argue about getting your money *back?*
6) Anything else that helps establish who you are.

Period. There is almost no legitimate reason for these things to be asked of you, unless *you* initiated the conversation, and even then, it's best to make sure you know that person first.

(And never send this stuff on email. You have any idea how durable email is? Even if you trust the person. What if some IP logs the email? What if somebody's snooping? What if that person sends their computer in for repair, and someone copies their email folder?)

If they ask for it, and you *think* it might be legit, tell them to give you a number where you can call them. Then, look up that number. If it doesn't jibe with what they told you -- don't give out the info. Period. Better yet, call the FTC and FBI on them.

Esp. Passwords. Folks, if I'm the sysadmin, I *don't need your password.* I've got rights to all your files. On unix systems a simple "su username" as root makes me you, without a password. No worries. So, when someone says "I need your password to fix your account", then they are, at best, incompetent, but are more likely lying. In either case, the only correct answer is no. This is about 10,000 times more important if that password lets them get at *your money*.

If I need to reset your password, I'll set it so you can't log in, forcing you to contact me. But I sure don't need it to fix problems.

So. Just say "Can I call you back" to phone calls. Do not even reply to emails. And *don't* give them the above info.



Otherwise, you'll get posted on some board as the latest victim of the latest scam, and we'll all laugh at you. And nobody, but nobody, wants that.

#4 ::: Ter ::: March 17, 2003, 06:28 PM:

I'm conducting business for my mother's Trust. The first thing I learned is how easy it must be to establish a new identity, if it's this easy to contact businesses & bureaucracy and issue instructions.

Social Security numbers are the key to almost every piece of new business.

#5 ::: John Farrell ::: March 17, 2003, 07:40 PM:

Good timing! I just got a PayPal mail a few days ago, saying I should "update" my credit card info on their site. (Sure!) No other site had ever asked me to do that via email.

#6 ::: Alison Scott ::: March 18, 2003, 05:21 AM:

I followed a thread on a Mac board about 'why you should not buy a Powerbook on eBay'. I was super interested, because of course I have just this week bought a Powerbook on eBay. When you looked a little deeper, it was really about 'why you should not buy a Powerbook from someone who is selling them suspiciously cheaply, has very good feedback none of which relates to the sale of Powerbooks, and has a really good argument for why you should send cash to Romania before he sends you the computer.'

#7 ::: Chris Bertram ::: March 18, 2003, 01:12 PM:

I just received a similar email purporting to be from NoChex, another internet payment company.

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 by Patrick & Teresa Nielsen Hayden. All rights reserved.