Cheeky PayPal phishing email

Cheeky PayPal phishing email

PayPal is one of the biggest targets of spam emails so far this year. Today we’ve stopped still more PayPal spam emails, once again attempting to steal user credentials. The phishing email campaign currently underway tells the user that their PayPal account is limited, until they update their PayPal account details. It does contain a somewhat cheeky assertion within the email that PayPal always use the salutation “Dear Customer” in their emails.

Figure A is a screenshot of one of the spam emails. The subject line of the email is “Your Account Has Been Limited. Please Update Your Account Information.” The sender is listed as “PayPal”. There are six links contained in the email. One of the links is to a button with the words “Update Account”.

MailShark Cheeky PayPal phishing email
Figure A – Click to Enlarge

The reason given for the email is that PayPal have detected “unusual charges” to a credit card attached to the PayPal account. It begins with “Dear Customer” and goes on to explain that the recipient needs to update their PayPal account information. Doing so will remove a limit placed on the user’s PayPal account.

An eye catching heading “Your Account Has Been Limited” is large blue font dominates the email. This is designed to capture the attention of the recipient. Further down, the email contains links for Help, Contact details and Security. The email also explains to the recipient (who may be doubting the email is from PayPal) that “emails from PayPal will always address you ‘Dear Customer’”. A cheeky assertion, and an attempt to fool users. The bottom line of the email contains the standard copyright notice and the address of the Singapore office of PayPal.

Regardless of what this email says, PayPal have stated on their site that “PayPal emails will always use your first and last name, or your business’s name.”  In other words, emails from PayPal are personalised. Checking the links reveals that most of them do lead back to a genuine PayPal site, except for one; the link in the button. This is one link that is probably most likely to be clicked, and it leads to a phishing site that looks similar to the real PayPal site. The criminals crafting the email have taken a punt that most recipients would click on the button, and not bother with the other links. The email has a number of grammatical errors, which would tend to give it away as a phishing email to most people.

Delete this email if you receive it.

Scott Reeves
MailShark
Free anti-spam service
Free email filter service

Share This Post

2 Comments - Write a Comment

  1. I got this message on my inbox, so it is very well crafted to trick also the spam filters from mail server.
    But I notice that the company name isn’t correct spelt, it is PayPaI… can you see the difference?
    Try to change the font from sans-serif to serif one and look again… the small capital letter (L), was replaced with big capital letter (i), which in many fonts looks same!
    I expect to see this trick used in many other phishing attacks from now on, as the sans-serif fonts are much more popular around the web.

    Reply

Post Comment