Paypal Phishing Attacks

Phishing is an ongoing threat to most businesses and home users. It is safe to assume that there will be a constant stream of phishing emails sent to pretty much any email address imaginable. As a result, it is crucially important that you educate your staff and your family about what to look out for.

For generalist phishing, where the attackers are basically sending out a huge amount of spam hoping at least one or two people will fall for it, a common approach is to claim to be an email from a bank or, increasingly, Paypal. [Note: this is different from targeted phishing – spear phishing – which can employ much more sophisticated disguises.]

This week, it appears that the Paypal approach is the favourite, and we have noticed a massive upsurge in traffic claiming to be from Paypal, using the email address [email protected] and claiming that there are security issues with the person's account. The email goes on to say that to help protect your account you have to visit a “click here” link which, in the current examples, points to a site at [currently this site appears to have been taken down and most anti-virus tools should have already flagged it as a phishing site].

Fortunately in this instance, the emails were fairly easy to spot as not being real (faked email address, link to an IP address rather than etc) but this is not always the case. Although it is rare, some phishing emails can be crafted to appear very genuine, but there are still always going to be some measures you can take to reduce your risk.

More than anything, never, ever, click on a link in an email from your bank, Paypal, Ebay or anything else. No matter how urgent the request is (and fake urgency is another warning sign), always open a new browser window and type the normal URL you use. Good email software will let you see what the “click here” link points to, but you can't always rely on spotting it – sometimes fake typo-URLs are used, such as which can be hard to notice.

Paypal have put together a useful site giving basic advice – – and it is likely that your bank offers something similar. If you ignore the specifics, this advice is good for pretty much every situation.

  1. Never trust an email address. These are very easy to fake.
  2. Be wary of generic greetings. Banks etc will address you by name. “Dear Customer” should be an immediate red flag.
  3. It should never be urgent. Spammers and hackers need you to react before security vendors identify their sites and block them, so you will frequently see spam messages telling you to do something “immediately” or “urgently.” Your bank will not use email for “urgent” issues.
  4. Beware links. “Click here” should always be avoided. Make sure you check the URL and spelling, and if it is a bank or other log-on site, then ignore the link and go directly.
  5. Attachments. Never open attachments from untrusted sources. This can be difficult, because email addresses can be faked if nothing else, but the general principle should mean you are always cautious about attachments – whatever type they are.
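
The wording and link checks from the list above can also be automated at a mail gateway or in a triage script. The following is an added example, not part of the original post; the sample message, the regex patterns and the function names are assumptions made for illustration.

```python
import email, ipaddress, re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; 192.0.2.10 is a reserved documentation address.
SAMPLE = """\
From: PayPal <service@paypal.example>
Content-Type: text/html

<p>Dear Customer, act immediately: <a href="http://192.0.2.10/login">click here</a></p>
"""

# Wording warning signs from the checklist (patterns are illustrative).
TEXT_SIGNS = {
    "generic-greeting": r"\bdear (customer|user|member|client)\b",
    "urgency": r"\b(urgent(ly)?|immediately)\b",
    "click-here-link": r"\bclick here\b",
}

class LinkCollector(HTMLParser):  # collects each <a> href (the real target)
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def is_ip(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def phishing_indicators(raw, expected_domain):
    """Return the checklist warning signs found in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    found = {n for n, rx in TEXT_SIGNS.items() if re.search(rx, body, re.I)}
    parser = LinkCollector()
    parser.feed(body)
    for href in parser.hrefs:
        host = urlparse(href).hostname or ""
        if is_ip(host):
            found.add("link-to-ip-address")
        # Exact domain or a true subdomain passes; typo-URLs do not.
        elif host and not ("." + host).endswith("." + expected_domain):
            found.add("link-off-domain")
    return sorted(found)
```

The From header is deliberately not checked, in line with point 1: the sender address is trivial to fake, so the link target and the wording are the more useful signals.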

If you want further advice on how to protect yourself, your family and your staff from online attacks, contact us and one of our consultants will be happy to discuss the issues and what cost-effective security measures you can take.

Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years' experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks, and producing mitigation plans, worldwide in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in-depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.