Weird Paypal E-mail Confirmation: Beware, It’s A Scam!
Ever gotten a weird PayPal e-mail confirmation for something that you definitely didn’t buy? “You submitted an order amounting to $39.97,” it might say. Below you might see a very legitimate-looking receipt, complete with all of the PayPal logos. There’s no pidgin English, no requests for your password, none of the usual signs of a scam. It innocuously lists the merchant, the amount that will be taken out of your account, and a button to view, cancel, or review your transaction. Even the font looks like a normal PayPal confirmation.
“Am I going crazy?” you say to yourself. “I don’t remember ordering this at all. I wonder if my account might have been hacked.”
You mumble to yourself about those darn Internet scam artists and click on the link in the e-mail, ready to sign into your account and cancel the transaction before it goes through. Little do you know that you’ve already been scammed!
A World of Phishermen
The e-mail described above is designed to “phish” personal information from you. It lures you in with a legitimate looking confirmation for a transaction that you didn’t make, then it offers a link to a site that looks like PayPal so that you will sign in. Behinds the scenes, however, the site that you’re being directed to isn’t PayPal at all; it is a fake website designed to allow the scammers to capture your password.
After that, they can take over your account, use your funds, and steal all kinds of personal information. If you ever receive an e-mail like this, delete it immediately or report it to PayPal! Do not click on any links and don’t allow the e-mail to redirect you to any sites. If you need to look over your latest transactions, go to your browser bar and manually head over to PayPal.com yourself.
If you don’t see any transactions like the kind described in the e-mail when you sign into the legitimate site, then you will know beyond a doubt that the e-mail you have received is a scam.
Too Smart for Scams
The reason why this scam is so effective is because it’s so casual. It doesn’t outright ask for your password, but rather relies on that natural human tendency to worry about false credit card charges (“Have I been hacked? Did my kid get into my account again and buy the whole store?”) and the tendency for people to be lazy and just click on the links offered in support e-mails themselves. It’s just not a very obvious, in-your-face scam and this is why it’s so powerful, especially if it’s something that you don’t expect.
Some of the most vulnerable people are those who think that they might be too smart for scams, or that they can tell if something is fake right away because of “obvious signs.” This one is not very obvious at all.
Signs You Are Being Phished
1) The sender’s e-mail address was not from PayPal.
People normally don’t check the sender’s address, but this can often be a dead giveaway. In this case, the scammer was pretty sneaky because he or she actually used what appeared to be a .gov.uk domain, which many people trust. The truth is that it may be possible for a scammer to be able to register an e-mail address like this, through various methods, so it’s best not to give the top-level domain of an e-mail address too much weight.
Just keep to this simple rule: If it is a confirmation e-mail allegedly from your PayPal account, and the e-mail address is not from PayPal.com, then be suspicious. The simple solution is to just go to PayPal.com on your own and sign into your account.
2) The e-mail doesn’t state your name.
One of the ways that PayPal and other companies signal to you that your e-mail is legitimate is to include your name in their correspondence. After all, if they were just a random criminal spamming thousands of accounts, they would be less likely to know your legal name. If they just say “Dear Customer” or nothing at all, be suspicious.
Note, however, that it is not impossible for a scammer to know your name, so don’t take the presence of your legal name as irrevocable proof that it’s not a scam. In fact, barring time constraints, it’s trivial to find out what most people’s full names are and where they live. For phishing scammers who work with high volumes of e-mails, though, this collectively represents a lot of work, so usually, you will just get a generic e-mail.
3) There is no delivery address.
In my version of the “confirmation e-mail,” there was no delivery address. It simply said “Home address – Confirmed.” This can be easily missed upon casual inspection, but if you notice this and think about it, it makes no sense. What’s the point of a confirmation e-mail if the company is not going to provide very basic details like the address that the parcel will be delivered to? It is not normally considered a security concern to send this information via e-mail, so there’s no reason to omit it.
As you can see, this is very fishy and you should immediately distrust a shipping confirmation with no shipping information! As with point #2, though, if your address does happen to be present, this doesn’t mean the e-mail is necessarily legitimate, either. It could just mean that you were subjected to a more targeted phishing attempt.
4) Tiny, Quibbling Details
Even if the grammar, spelling, and punctuation in the e-mail is okay for the most part, occasionally there will be small mistakes that a large company probably wouldn’t make. For instance, in the e-mail I received, the button with the malicious link said “view, cancel or review your transaction.” In American English (PayPal is an American company), typically one would put a comma after “cancel” as well, but this is missing from the e-mail. Little things like that will tip you off, but you probably have to be a grammar fiend to notice them.
If you have any doubts at all—at all—then go to PayPal’s website and contact PayPal directly. If someone really did buy something using your account without your knowledge, then PayPal would be able to cancel the transaction. On the other hand, if it turns out that the confirmation was indeed fake, then you will save yourself from getting scammed for your personal information.