Phishing Alert: How to Determine If PayPal’s “Unusual Activity” Email is Legitimate

Phishing Alert: How to Determine If PayPal’s “Unusual Activity” Email is Legitimate

I thought it was just an April Fools prankster when I received an email supposedly from PayPal informing me that their system detected an unusual activity in my account. The email even warned me that because of the “unusual activity,” my account will be temporarily disabled until I re-verify my account by logging in – they provided a link within the email supposedly to make it easier for me to access PayPal’s website.

The email came in around 3AM and because I am expecting a payment from a client, I get a little startled that my account has been disabled again. Well, because a few days ago, PayPal already sent me an email informing me of an unusual activity and asked me to submit a valid ID before they can enable the account again. Wondering why PayPal disabled my account again and worrying that my account has been hacked, I went on and logged in and checked. This is when I noticed something wrong. My PayPal isn’t hacked and it isn’t disabled.

The emails I received were from two different emails. I have both of the emails listed in my PayPal account. The one I received in my SleekFast email is the legitimate correspondence and the one I received through my Hotmail is fake and obviously a phishing scheme.

I did a comparison of the emails from PayPal and the fake one and found out so many differences that can help all of us avoid being victimized. Here are some of the fake email details that you can first check to see if the email is legitimate or not:

Sender Email

I immediately noticed the sender email is not directly from PayPal and instead uses an email sending service MailChimp. I also noticed that the way the email address is constructed is obviously not trustworthy as it is trying to hide the senders identity.

Oftentimes, phishers use emails from other websites other than and often use close to that domain name like,, etc.

Recipient Name

When PayPal sends me emails, I always receive a salutation using my complete name. That is the name I use in my account. The fake one, however, used my email instead. Most probably, phishers might have acquired my email address from other places and they are trying their luck to lure me into logging in to the website they have created to skim my account details.

“What to Do Next” Instruction

This looks normal except for the fact that a.) the link is using a shortener – for this particular email they used (, b.) both the “Here” and the “Check My Account” button has this hyperlink. To know if the hyperlink is legit, hover your mouse over the hypertext link and you can see the URL at the bottom left of your browser. I encourage you not to click the link as most phishing sites use malware to get your information. But for this particular email, the link is clean and lead me to a phishing page.

The URL no longer works. Most probably, they have disabled this already to avoid detection.

Help” & “Security Centre” Links

Phishers will really try hard to get you to the page where you will be lured into logging in using your account credentials. So, at the last part of the email message, they ask me to click “Help” which in this case leads me to the same page as the one I mentioned above. Even the “Security Centre” link has the same link.

The Phishing Page

The Phishing page looks exactly the same as the login page of PayPal except that a.) the URL is too long or is different from the one PayPal uses, b.) the page normally is not on secure website.

Below is what the legitimate PayPal URL looks like:

Notice that there is a green part within the address bar. This means that the website is secure.

Side by Side Comparison


Remember that in the legitimate PayPal email, it does not have a link but asks you to go to PayPal and login from there. It does not show you the details of reactivation of the account instead the instructions will be shown once you have logged in. Further, PayPal will ask you to change your password during this process.

What to Do When You Receive this kind of Email

Do Not Panic – Stay calm. In my case, I get startled for a few minutes because the timing of the email was just too confusing for me and that I am expecting a payment and I can’t have my account disabled for the next few days. But regardless, do not rush into clicking anything within the email.

Investigate – I have developed a habit of investigating an email first before I do any action. I check the sender, I check if the email is correctly addressed to me, did I opt in for the email, are there grammar and spelling errors, etc. I am always wary of clicking the links; instead of clicking from my active PC, I used a secondary PC (which often is an old unit and not the one I use for logging in to my accounts) and copy the URL and investigate further from there.

Change Password – Consider that any attempt to capture your credentials is already a compromise and an active breach. The best way to mitigate this is by changing your password as soon as possible.

Be Vigilant & Monitor – When I receive preliminary attacks such as this one, it immediately activates me making me always monitoring my accounts at least twice everyday for any suspicious and unauthorized changes.

Report Phishing – For this particular instance, I emailed PayPal for verification. I also emailed and MailChimp to report this illegal acts. Also, take time to warn your friends. You may want to share this post too.

Timeline on Facebook Pages, Now What?

This is just a short blog entry by the way, a warning to those who got used to my previous posts that were too bit lengthy.

Last year, we have witnessed how Facebook shifted to Timeline. We have heard and read several opinions about the change; some are bad and some are good. (more…)

My Take on Panda/Farmer Algorithm

Last February 24, 2011, Google implemented a new algorithm called Panda Algorithm. The implementation has been widely tagged by many SEO practitioners as the “Farmer Update.” For the past weeks, we have been experiencing rather unstable movements on our rankings in Google. During the first weeks of February, I have attributed the changes to the issues concerning JC Penney; the issue that I believed forced Google to immediately tweak their algorithm. (more…)

Survey: 71% of Tweets Go Unnoticed

Since the introduction of Twitter as a microblogging website, many people embraced its communication capability that even many politicians, celebrities and head of states willfully signed up. This year, the website has even been joked by Pres. Obama as a replacement to the Red Phone that once connects Washington and Moscow during the Cold War. (more…)

IP Address Depletion: A Global Issue

In the 1990’s, the world was shocked by the report about the depleting ozone layer in our polar caps. Many panicked and today, we managed to slow the destruction by elimination certain chemicals we use like cfc’s or chlorofluorocarbons. Before the new millennium hit the clock, the world anticipated a total wreckage of all systems involving analog devices and that computers had been prepared to record the numbers or units will be displaying wrong digits; (more…)

Inaugural Post

Presidents upon assuming their posts are inaugurated by the people. Businesses upon their openings are inaugurated for the consumers. I see this opportunity too as an inauguration to another year of bountiful making business after some time of hiatus. And it seems that first years are adjustment period when couples try to understand and define their perspective in accordance with each other, this too have become true with SleekFast. (more…)