Around 200 million people have a PayPal account. It's been one of the most popular online payment services for years, which is why it's such a popular target for phishing scams. Since they're tied to your credit card or bank account, they're particularly prized by cybercriminals.
Security experts at ESET recently discovered a new PayPal phishing scam that they say is particularly sophisticated. The emails these fraudsters are sending out are convincingly written and feature the PayPal logo and there's even a bit of fine print at the bottom for added effect.
According to the message, there's a problem with your PayPal account and you need to log in immediately to correct it. Click the "log in" button in the message, and you'll be taken to a website where you can "fix" the problem. It's not PayPal's website, of course. But if all you're looking for is the lock icon that accompanies a secure site, you'll see that -- ESET notes that the phishing form is transmitted over an HTTPS link, so the padlock says nothing about who is behind the page.
Keen-eyed users will spot the suspicious domain name right away in their browser's address bar. It's not hard to see how less savvy folks could be fooled by the form, though. The color scheme follows PayPal's, the official logo is on the page, and it's "stamped" 100% secure and verified by Symantec.
How To Avoid Being Scammed
The scammers behind this PayPal phishing attack have put in a lot of effort, but they've also made plenty of mistakes. Spotting those slip-ups is the key to staying safe.
If you examine the form closely, you'll notice that the block with the certifications says "secured and certificate by." Over the phone number box, "use for fraud alert." By mother's maiden name, "for security reason." Little grammatical errors like those provide clues that this form might not have been put together by PayPal.
Let's go back to the email itself. Start by checking the sender. It's not a paypal.com address, which is a giant red flag. And although the message is written very convincingly, there's still one mistake: "we've place a limitation on your account." Something as simple as a missing "d" to change a verb to past tense should be enough to put you off clicking that "log in" button.
PayPal takes protecting its users very seriously, and one way they do that is by making sure the emails they send out don't contain errors like that. A company spokesperson noted that PayPal also "proactively works with law enforcement agencies, industry partners and use our own systems to protect against customers against fraud."
They also know that users are the key. "We also ask that customers remain vigilant to protect themselves against criminals illegally gaining access to account credentials," they told me in an email.
Make sure you're ready, because you never know when you're going to receive a phishing email. Be skeptical. Reread messages closely to look for mistakes. Look for domain names in email addresses and links that don't make sense.
And in this particular case, just open up a new tab, go to paypal.com and sign in to your account directly. If there's really a problem, they'll let you know about it when you log in.
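The two checks the article recommends, looking at the sender's address and at where the links really go, can be automated on the defender's side. The script below is an added example written for this page, not code from the article, ESET or PayPal. It parses a CONSTRUCTED email (the sender address, link hosts and wording are made up for the example and are not the real campaign's indicators), extracts the From address and every link target, and flags anything whose registrable domain is not paypal.com. It also records when a flagged link uses HTTPS, to make the article's point that the padlock does not vouch for the site. The `registrable_domain` helper is a deliberate simplification (last two labels only) and does not handle multi-label public suffixes such as co.uk.

```python
"""Flag a suspicious 'account problem' email by checking its sender and link
domains. Added example for this article, not code from the article, ESET or
PayPal. The sample message below is CONSTRUCTED; its addresses and hosts are
invented and are not indicators from the real campaign."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Registrable domains the brand's mail and links are expected to use.
# Assumption for this example: only paypal.com is considered legitimate.
TRUSTED_DOMAINS = {"paypal.com"}

# Constructed sample: a lookalike sender, one deceptive HTTPS link whose host
# merely starts with "paypal.com.", and one genuine link for contrast.
SAMPLE_EML = """\
From: "PayPal Service" <service@paypal-support-center.example>
To: victim@example.org
Subject: Action required: limitation placed on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>We've place a limitation on your account.</p>
<p><a href="https://paypal.com.account-verify.example/login">Log in</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
</body></html>
"""


def registrable_domain(host: str) -> str:
    """'login.paypal.com' -> 'paypal.com'. Simplification: takes the last two
    labels and ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_trusted(host: str) -> bool:
    """True only when the registrable part of the host is an allowlisted brand domain."""
    return bool(host) and registrable_domain(host) in TRUSTED_DOMAINS


class LinkCollector(HTMLParser):
    """Collects every <a href="..."> target in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html_body: str) -> list[str]:
    parser = LinkCollector()
    parser.feed(html_body)
    return parser.links


def analyze(raw_message: str) -> dict:
    """Return the sender domain and a list of findings; empty findings = clean."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2]
    findings = []

    # Check 1: the address after the @ must be the brand's, whatever the display name says.
    if not is_trusted(sender_domain):
        findings.append(f"sender domain {sender_domain!r} is not in {sorted(TRUSTED_DOMAINS)}")
        if "paypal" in display_name.lower():
            findings.append("display name claims PayPal but the address does not")

    # Check 2: every link must land on the brand's domain; HTTPS alone proves nothing.
    body = msg.get_body(preferencelist=("html", "plain"))
    html_text = body.get_content() if body else ""
    for link in extract_links(html_text):
        parts = urlsplit(link)
        host = parts.hostname or ""
        if not is_trusted(host):
            note = f"link {link!r} points at {host!r}"
            if parts.scheme == "https":
                note += " (served over HTTPS, but the host is still not the brand's)"
            findings.append(note)

    return {"sender": addr, "sender_domain": sender_domain,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    report = analyze(SAMPLE_EML)
    print("suspicious:", report["suspicious"])
    for line in report["findings"]:
        print(" -", line)
```

The subdomain trick in the sample, `paypal.com.account-verify.example`, is why the check compares the registrable domain rather than asking whether the host "contains" paypal.com: a string match would pass it, the domain comparison does not.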
By Lee Mathews for forbes.com | Photos: ESET