Dear PayPal Member1,
As part of our security measures, we regularly screen activity in the PayPal system.
We recently noticed the following issue on your account:
We would like to ensure that your account was not accessed by an
unauthorized third party. Because protecting the security of your account
is our primary concern, we have limited access to sensitive PayPal account
features. We understand that this may be an inconvenience but please
understand that this temporary limitation is for your protection.
For your protection, we have limited access to your account until
additional security measures can be completed. We apologize for any
inconvenience this may cause.
To review your account and restore your access, please visit PayPal as soon as possible:
We thank you for your prompt attention to this matter. Please understand
that this is a security measure intended to help protect you and your
account. We apologize for any inconvenience.
PayPal Account Review Department
PayPal Email ID PP522
Please do not reply to this message. Mail sent to this address cannot be
answered. For assistance, log in to your PayPal account and choose the
'Help' link in the header of any page.
1 Note: All PayPal emails will greet you by your first and last name.
This seemed pretty clear, straightforward, and professional. It sounds like something PayPal might actually send out... except it was directed at an e-mail address I haven't registered with PayPal. My PayPal account is basically expired. None of my information is current, so I figured it would be a good time for an experiment. I kicked up the firewall security and clicked.
It prompted me to "sign in." I made up a phony e-mail (firstname.lastname@example.org, if you're curious) and keysmashed a password. It let me right on through as though I had supplied it with any actual information. What? Did you really think I was going to use my personal log-in if I didn't have to?
It took me to a page which asked me to verify all my credit card information, address information, and give the last four digets of my social security number. Kind of odd for a "security check", but the big problem here is that it's not a secure site. The little lock that should be at the bottom of the browser isn't there. My mommy taught me to fear the intarwebs and the nasty hacker folk who want to run off with my identity and purchase 80 dozen banana guards. Whenever I send off personal information over the web I always check for the little lock. PayPal would have said lock, and where PayPal usually has comforting reminders of their fabulous security, there are none on this site.
This is an elaborate phishing scam, and I reported it to PayPal. They confirmed it was a scam in under 5 minutes. They're on top of their game over there.
Still, It's a heck of a forgery. It looks very similar to the real, honest-to-God PayPal, but - as always - some details give it away. The 10 second "sign-in" redirection instead of Paypal's 5. Lack of "secure sign-in" reassurance, the different lock graphics above the sign-in, the slight pixelization of the sans serif font (which I really had to stare at to find). The link you're given in the e-mail isn't where you end up. Finally, when you go straight to PayPal and sign in, they don't warn you about temporary restrictions on your account. Oh, and when you ask them about it? They say, "wuzzunt me."
Just keep an eye out. If you get a similar "security notification," don't click the link. In fact, if you ever get an e-mail about account status, you should always go right to the source directly instead of following a provided link. I just wanted to give the heads up.