Monday | May 2, 2005 | 7:35 PM
Gone Phishing

Before yesterday, I had never been phished. Now that I have, I understand why people like my Mom are leery of ordering stuff off the Internet.

PayPal-phishing email.

It starts with an email. Lord knows how these cretins knew I had just used PayPal to order something off eBay (they better not be in cahoots with the seller or heads will roll). But the email, shown as being sent from update@paypal.com, is very official-looking, with the PayPal logo and type styling. (In retrospect, however, I notice that the wording is a bit Engrish, namely “Please update your records in maximum 24 hours” and not one but two sentences beginning with “Failure to update...”)

Gosh, I better update my billing records quickly. If I don’t, I might not get that CD I just ordered, featuring two of my favorite one-hit-wonder songs from the ’80s: “Major Tom (Coming Home)” by Peter Schilling and “The Promise” by When In Rome. You can understand my concern, I’m sure.

PayPal-phishing site.

Clicking on “Please click here to update your billing records” links me to an official-looking PayPal page where I’m not asked to log into my PayPal account in order to correct my supposedly faulty billing information, but I am asked to key in every last shred of my personal details, including the aforementioned Mom’s maiden name, as well as my credit card info.

But what’s this? That web address doesn’t have the word PayPal in it anywhere: “http://80.53.195.18/icons/pp/update.htm?...” Let’s try going to the site from which the page is originating, the obfuscated http://80.53.195.18.

Polish hackers' site.

Jiminy Crickets! Why, that’s not PayPal at all, but a site belonging to some Polish hackers. I’d insert some joke here about Polish hackers if their ruse hadn’t been done well enough to likely trick an unassuming novice computer user.
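The tell in this story is that the message and link text claimed PayPal while the link's host was a bare IP address. As an added example (not part of the original post), this Python code flags such links in an HTML message body; the expected domain, the sample markup and the `paypal.com.example.net` lookalike are constructed assumptions, and the IP URL is the one quoted above without its truncated query string.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED = "paypal.com"  # assumption: the brand the message claims to come from

# Constructed sample body; the first URL is the one quoted in the post.
SAMPLE = (
    '<a href="http://80.53.195.18/icons/pp/update.htm">'
    'Please click here to update your billing records</a>'
    '<a href="https://www.paypal.com/help">Help</a>'
    '<a href="http://paypal.com.example.net/login">Log in</a>'
)

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_findings(href, expected=EXPECTED):
    """Reasons the link's host does not belong to the expected domain."""
    host = (urlsplit(href).hostname or "").rstrip(".")
    findings = []
    try:
        ipaddress.ip_address(host)  # raises ValueError for ordinary hostnames
        findings.append("host is a bare IP address")
    except ValueError:
        pass
    if host != expected and not host.endswith("." + expected):
        findings.append("host is not under " + expected)
    return findings

def audit(html):
    """Return (text, href, findings) for each link that fails the host check."""
    collector = LinkCollector()
    collector.feed(html)
    checked = ((text, href, host_findings(href)) for text, href in collector.links)
    return [item for item in checked if item[2]]
```

The suffix comparison is anchored on a leading dot, so a host that merely starts with the brand name, like the constructed lookalike, is still flagged.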

May 4, 2005 Update: Today’s Onion has a story about President Bush’s identity being stolen “when he responded to an e-mail from paypal783@hotmail.com asking him to comply with PayPal security measures by entering all 12 of his credit-card numbers, his Social Security number, his passwords, and his personal identification numbers.”

May 12, 2005 Update: According to an Associated Press story today, “Next week Denver-based First Data Corp., one of the country’s largest electronic financial transaction companies, plans to release survey results showing 43 percent of adults have received a phishing contact. Five percent of those adults gave up personal information.”