New scams to harvest PayPal account numbers and passwords are growing more sophisticated with
a recent flurry of bogus e-mails that urge customers of the online payment service to submit financial account numbers as part of a “security measure.”
The text of some of the latest e-mails, which pretend to be from PayPal, include the following pitch:
“We require all flagged accounts to verify their information on file with us. To verify your information, click here and enter the details requested.”
The e-mail also includes fields for credit card account numbers, bank account numbers and the account-holders’ PIN numbers at ATMs. “After you verify your information, your account shall be returned to good standing,” the scam e-mail continued, “and you will continue to have full use of your account. Thank you for using PayPal!”
The e-mails also include a link to a fake Web site where the customer is asked for personal account information.
The ruse is similar to a PayPal scam that surfaced
last fall, and continues to be a recurring favorite with online con artists. But recent attempts to hijack the PayPal name for fraudulent purposes are growing more sophisticated in how they look to the receiving party.
“We first identified these fake emails as a significant problem early last year,” said Kevin Pursglove, an eBay spokesman. “Back then many of them didn’t look so good — with bad grammar, and then, when you clicked through to the (fake) Web site, the colors were off.”
But the senders have certainly learned how to use a spell checker, he continued. “They are also better at hiding their tracks. A perpetrator can be three levels removed from the origin site of the e-mail” through the use of e-mail relays. “It is harder to find them.”
PayPal fights back on three fronts, he said. “We work with law enforcement agencies and regulatory bodies like the FTC, we educate
consumers, and we identify technology solutions.”
On the education front, Paypal and eBay routinely send email notices to their customers warning them to carefully check URLs and screen logos on Web sites before entering any sensitive information, Pursglove said. They also remind customers that PayPal never sends e-mails asking them to e-mail back sensitive information — and to check the headers on suspicious e-mails to see if they are actually from eBay’s servers.
But Avivah Litan, finance and technology analyst with research firm Gartner said the eBays and the PayPals of the world need to do more. “I think asking customers to check URLs for minute differences is a lot to ask,” said Litan. “Unless they take other steps this will damage their business.”
She said a greater investment in anti-fraud technology would help too. “eBay, for example, needs to make it possible for sellers to offer strong authentication. There is technology, such as PKI (Public Key Infrastructure) available to do this,” she said.
Pursglove said eBay and a number of other bodies, companies,
universities, and government agencies, are aggressively pursuing technology fixes for fraud. “We don’t disclose these, but I am confident you will see some technical solutions shortly,” he said.
In the meantime, he stressed continued awareness. “Bottom line is, the consumer needs to step forward and get educated.”
eBay also recently hired former U.S. cybersecurity czar Howard Schmidt as its vice president for security, in a move that signals the auction giant’s interest in clamping down on online fraud.
“This seems like the right time to expand security, especially with a high profile person such as Schmidt,” eBay spokesman Chris Donlay said in early May.
As internetnews.com recently reported, the Internet Fraud Complaint Center (IFCC), a site run by the Federal Bureau of Investigation and the National White Collar Crime Center, reported that it referred 48,252 fraud complaints to federal, state and/or local law enforcement authorities in 2002 alone. The year before there were 16,775 referrals.
In addition, the Federal Trade Commission has also been stepping up its crackdown on online fraud in the last several months. The FTC has said that as many as 57 cases involving criminal or civil violations are pending with at least 37 individuals charged and under prosecution for alleged crimes.