How To Know An Email Is A Scam Without Opening
I just found this “Your PayPal account has been limited Case ID 114-470-894” scam in my inbox this morning. The Case ID may very well change. This is NOT a new PayPal scam, but I have not seen it in quite some time.
It’s a fairly well done email phishing scam, too; it lacked the usual GLARING typos and bad English.
Yes, emails like this make one’s heart skip a beat, thinking immediately “was I dumb enough to leave any real money in my PayPal account?”, just in case it is a legitimate email.
Find out here how to know if it’s a scam without opening the email; you never know what lurks just from opening.
Since I have to check these things out to warn you guys, though, I did open it.
How To Tell An Email Is A Scam
Step #1: Who REALLY Sent It?
I use Gmail for a number of reasons when it comes to my online marketing and to be able to give out to others, but my IMPORTANT mail comes through my own domain, to my own MS Exchange Server and I organize it with Outlook. Yes, I use Thunderbird too, for other email, and curse it when it crashes, the unified inbox doesn’t work, etc.
Here is the screen shot from Outlook where I right click the email in question and select “Message Options”:
Now, please raise your hand if you think PayPal sends their account warning emails out through “nationwidemedical.com” email servers? Without checking, I’m guessing that nationwide medical may be legit and that someone has hacked their email servers for relay purposes.
Next, look at the “From:” address. CAREFULLY!
Yeah, paypall – with 2 ‘L’s on the end. The REAL PayPal doesn’t do THAT either.
CASE SOLVED: It’s a scam, no need to look any further, SHIFT-DEL and bypass the recycle bin.
Step #2: Optional, Do At Your Own RISK! Where Do The Links Go?
Kudos to these scammers, they are so much better than they used to be.
With Outlook you can just hover your mouse over the link where it says “log in to PayPal”. See the screen shot below:
At first glance it seems OK, right? http://www.paypal.com
There are 2 problems with that:
- PayPal would use the more secure https protocol, not just http
- Notice the period at the end, after the “.com”
This link continues with a “subdomain” of gibberish which may have a specific purpose, or it could be just to add “noise” to keep you from following the trail to the REAL DOMAIN they are sending you to.
On the 3rd line of the blueish “Click to follow link” box is the REAL DOMAIN you are going to. Are you ready?
It’s: a31b6sf828j80ctuxy48wx4.com
But they aren’t done yet, all the rest of that is a script it will run and what I have blacked out is my email address that they are passing to their server. It’s hard telling how much of that they use and how much may be there to fool you (like “login-processing=ok”).
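Both steps can be done on the raw message text, without rendering it in a mail client. The following is an added example, not part of the original post: the sample message is constructed, the relay and link hosts are made-up `.example` names, and the relay check is a heuristic that mirrors Step #1.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = "paypal.com"  # domain the real sender and login page use

# Constructed sample, not the real message. The misspelled sender is the one
# described in the post; relay and link hosts are made-up .example names.
RAW = """\
Received: from mail.relay-host.example (mail.relay-host.example [192.0.2.10])
From: "PayPal" <service@paypall.com>
Subject: Your PayPal account has been limited
Content-Type: text/html

<p><a href="http://www.paypal.com.a1b2c3gibberish.lookalike.example/cgi-bin/webscr/?login-dispatch&login-processing=ok">log in to PayPal</a></p>
"""


def host_is_trusted(host, trusted=TRUSTED):
    """True only for the trusted domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")  # DNS names are read right to left
    return host == trusted or host.endswith("." + trusted)


def check_message(raw):
    """Return (reason, value) findings without rendering the message."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not host_is_trusted(sender):
        findings.append(("from-domain", sender))
    # Topmost Received header: the server that handed the mail to yours.
    relay = re.search(r"from\s+(\S+)", msg.get("Received", ""))
    if relay and not host_is_trusted(relay.group(1)):
        findings.append(("relay-host", relay.group(1)))
    for url in re.findall(r'href="([^"]+)"', msg.get_payload()):
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(("not-https", parts.scheme))
        if not host_is_trusted(parts.hostname or ""):
            findings.append(("link-host", parts.hostname))
    return findings


if __name__ == "__main__":
    for reason, value in check_message(RAW):
        print(f"{reason}: {value}")
```

The link host starts with `www.paypal.com.` but ends in a different domain, so the suffix check rejects it, which is the same thing the hover box shows on its 3rd line.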
The Goal Of This PayPal Email Phishing Scam
Their goal is, of course, to get you to use your REAL PayPal login credentials on their phony PayPal login screen so they can capture that information, go to the real PayPal.com and clean out your account, possibly including any bank accounts attached to that PayPal account.
How To NOT Get Scammed With PayPal Phishing
Whenever I need to log in to my PayPal account – even when checking out after buying a product using PayPal – I put https://PayPal.com directly into a new browser window.
The way I make sure I do it is that I have my PayPal passwords in Counterpane’s Password Safe (free, also have mobile app); and I have the PayPal address, WITH the https, in the URL field and I click the “go” button in Password Safe after copying my password.
Note that this way not even a keylogger would get my PayPal password because it’s copied & pasted.
You remember the T.V. show, don’t you: “Let’s be careful out there”
Video Showing How To Spot A Fake Email, Phishing Scam
I appreciate feedback through comments!
Nathaniell says
This is scary stuff. I had a hotmail account hacked this way (several years ago) and my dad recently got a computer virus from an email that said he got a FedEx package at the post office and needed to go pick it up. Scammers really have no limits.
Fred G. Sanford says
Thank you very much! I, too, received this email today (9-9-2013), with TWO variants…..service(at)paypay(dot)com versus yours, of paypall(dot)com. Everything else was the same, with the exception of a different scammer website http://www.paypal.com. address/domain associated with the embedded links in the scammer’s email (See below):
http://www.paypal.com 23amo1w0rjcrwu7n1.a25rq493kqhbajk. com/cgi-bin/webscr/?login-dispatch&login_email= – email address redacted – &ref=vesta-check&login-processing=ok
Mine of 23amo1w0rjcrwu7n1.forcelinktobreak.a25rq493kqhbajk com versus yours of a31b6sf828j80ctuxy48wx4.forcelinkbreak com
Appreciate the posting, which I came across when researching my paypal scam phishing email, as I was a bit confused by the paypay(dot)com (which I read initially as paypal – they know we do that…..in a sense, “autocorrect” misspellings! Seems like they employ psychologists on their staff….) and by the fact that none of the IP addresses in the long headers came back out of the US.
Again, THANKS FOR POSTING THIS WARNING!!