I thought it was just an April Fools prankster when I received an email supposedly from PayPal informing me that their system had detected unusual activity in my account. The email even warned me that because of the “unusual activity,” my account would be temporarily disabled until I re-verified it by logging in – they provided a link within the email, supposedly to make it easier for me to access PayPal’s website.

The email came in around 3AM, and because I was expecting a payment from a client, I got a little startled that my account had been disabled again. A few days earlier, PayPal had already sent me an email informing me of unusual activity and asking me to submit a valid ID before they could enable the account again. Wondering why PayPal had disabled my account again and worrying that my account had been hacked, I went on, logged in and checked. This is when I noticed something wrong. My PayPal wasn’t hacked and it wasn’t disabled.

The emails I received were sent to two different email addresses. I have both of the addresses listed in my PayPal account. The one I received in my SleekFast email is the legitimate correspondence, and the one I received through my Hotmail is fake and obviously a phishing scheme.

I compared the email from PayPal with the fake one and found many differences that can help all of us avoid being victimized. Here are some of the fake email's details that you can check first to see if an email is legitimate or not:

Sender Email

I immediately noticed that the sender email is not directly from PayPal and instead uses an email sending service, MailChimp. I also noticed that the way the email address is constructed is obviously not trustworthy, as it is trying to hide the sender's identity.

Phishers often send from domains other than paypal.com, and often use names close to that domain, like paypay.com, paypat.com, etc.

Recipient Name

When PayPal sends me emails, I always receive a salutation using my complete name. That is the name I use in my account. The fake one, however, used my email address instead. Most probably, the phishers acquired my email address from other places and are trying their luck to lure me into logging in to the website they have created to skim my account details.

“What to Do Next” Instruction

This looks normal except for the fact that a.) the link uses a shortener – for this particular email they used bit.ly (http://bit.ly/2ojXJ7h), and b.) both the “Here” link and the “Check My Account” button have this hyperlink. To know if a hyperlink is legit, hover your mouse over the link text and you can see the URL at the bottom left of your browser. I encourage you not to click the link, as most phishing sites use malware to get your information. For this particular email, though, the link was clean and led me to a phishing page.

The bit.ly URL no longer works. Most probably, they have disabled this bit.ly already to avoid detection.

“Help” & “Security Centre” Links

Phishers will really try hard to get you to the page where you will be lured into logging in using your account credentials. So, at the last part of the email message, they ask me to click “Help” which in this case leads me to the same page as the one I mentioned above. Even the “Security Centre” link has the same link.
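The checks from the sections above (sender domain, salutation, shortened links, every link sharing one target), as an added Python example that is not part of the original post. The sample messages, the `.example` addresses, the name "Jane Q. Public", the shortener list and the `check_email` helper are all constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumption: short, non-exhaustive list

class LinkCollector(HTMLParser):  # collects the href of every <a> tag
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def check_email(raw, brand_domain, account_name):
    """Return the warning signs found in one raw message (hypothetical helper)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Sender: the From domain must be the brand's domain or a subdomain of it.
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    if domain != brand_domain and not domain.endswith("." + brand_domain):
        findings.append("sender-domain")
    # 2. Recipient name: the body should greet the account holder by name.
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    if account_name.lower() not in body.lower():
        findings.append("salutation")
    # 3. Links: a shortener hides the target; one target behind every link is odd.
    links = LinkCollector()
    links.feed(body)
    hosts = {(urlparse(h).hostname or "").lower() for h in links.hrefs}
    if hosts & SHORTENERS:
        findings.append("shortened-link")
    if len(links.hrefs) > 1 and len(set(links.hrefs)) == 1:
        findings.append("all-links-same-target")
    return findings

# Constructed samples, not the real messages from this post.
FAKE = ("From: PayPal <notice@mailer.example>\nContent-Type: text/html\n\n"
        "<p>Dear user@hotmail.example,</p>"
        '<a href="http://bit.ly/XXXXXXX">Here</a>'
        '<a href="http://bit.ly/XXXXXXX">Check My Account</a>')
LEGIT = ("From: PayPal <service@paypal.com>\nContent-Type: text/plain\n\n"
         "Hello Jane Q. Public, please go to PayPal and log in from there.")

if __name__ == "__main__":
    for raw in (FAKE, LEGIT):
        print(check_email(raw, "paypal.com", "Jane Q. Public"))
```

A clean result only means none of these particular signs were found; it does not prove a message is genuine.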

The Phishing Page

The phishing page looks exactly the same as the login page of PayPal except that a.) the URL is too long or is different from the one PayPal uses, and b.) the page normally is not on a secure website.

Below is what the legitimate PayPal URL looks like:

Notice that there is a green part within the address bar. This means that the website is secure.

Side by Side Comparison

 

Remember that the legitimate PayPal email does not have a link but asks you to go to PayPal and log in from there. It does not show you the details of reactivating the account; instead, the instructions are shown once you have logged in. Further, PayPal will ask you to change your password during this process.

What to Do When You Receive this kind of Email

Do Not Panic – Stay calm. In my case, I was startled for a few minutes because the timing of the email was just too confusing for me: I was expecting a payment and couldn't have my account disabled for the next few days. But regardless, do not rush into clicking anything within the email.

Investigate – I have developed a habit of investigating an email before I take any action. I check the sender, whether the email is correctly addressed to me, whether I opted in for the email, whether there are grammar and spelling errors, etc. I am always wary of clicking links; instead of clicking from my active PC, I use a secondary PC (often an old unit, not the one I use for logging in to my accounts), copy the URL and investigate further from there.

Change Password – Consider that any attempt to capture your credentials is already a compromise and an active breach. The best way to mitigate this is by changing your password as soon as possible.

Be Vigilant & Monitor – When I receive preliminary attacks such as this one, it immediately puts me on alert, and I monitor my accounts at least twice every day for any suspicious and unauthorized changes.

Report Phishing – For this particular instance, I emailed PayPal for verification. I also emailed bit.ly and MailChimp to report these illegal acts. Also, take time to warn your friends. You may want to share this post too.