Now that you have a PayPal account, you should be wary of emails you receive supposedly from PayPal. Although the email might have a header and logo similar to that of PayPal, most of these are actually phishing mails intent on stealing your personal information.
More information about phishing, how to check if an email is fake, and ways to protect yourself from phishing can be found in the “What is Phishing?” article. A sample phishing website is explained in the “Beware of the fake egold website!” article.
Yesterday we received an email purportedly from PayPal asking us to login to the site to update our personal records. Failure to do so, the email says, will result in account suspension. Here’s a screenshot of the email.
At first glance, it looks like an authentic PayPal email. A closer analysis of the entire content, however, will lead you to believe this is a fake email. Let’s go through the contents in detail.
The Email Header
If you didn’t pay much attention to the header, you would think the email was indeed from PayPal. In the first place, the sender of the mail was “service@paypal.com” — supposedly an official PayPal address.
Date: 30 Oct 2006 16:09:34 -0000
Subject: Warning Notification !
From: service@paypal.com
Mail senders, however, are able to change the header of an email, including the From address. Although the mail claims to have been sent by “service@paypal.com,” the actual sender was different. To see who sent the mail and from where it was sent, check the email’s full headers. Our email in question has these full headers:
X-Apparently-To: xxxxx@yahoo.com via 66.218.93.230; Mon, 30 Oct 2006 10:38:46 -0800
X-Originating-IP: [69.26.175.108]
Return-Path: <anonymous@vhost.onestop.net>
Authentication-Results: mta241.mail.mud.yahoo.com from=paypal.com; domainkeys=neutral (no sig)
Received: from 69.26.175.108 (HELO vhost.onestop.net) (69.26.175.108) by mta241.mail.mud.yahoo.com with SMTP; Mon, 30 Oct 2006 10:38:46 -0800
Received: (qmail 64089 invoked by uid 65534); 30 Oct 2006 16:09:34 -0000
Date: 30 Oct 2006 16:09:34 -0000
Message-ID: <20061030160934.64088.qmail@vhost.onestop.net>
To: xxxxx@yahoo.com
Subject: Warning Notification !
From:service@paypal.com
Reply-to:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Content-Length: 1827
Note the message ID, domain keys, sender’s IP and mail server and compare these with the headers of an authentic PayPal email:
X-Gmail-Received: e3648473ad76129564fb58bfcdf8607df9661f7c
Delivered-To: xxxxx@gmail.com
Received: by 10.82.162.9 with SMTP id k9cs34780bue;
Tue, 31 Oct 2006 09:59:51 -0800 (PST)
Received: by 10.78.128.11 with SMTP id a11mr7196313hud;
Tue, 31 Oct 2006 09:59:51 -0800 (PST)
Return-Path: <payment@paypal.com>
Received: from mx1.phx.paypal.com (mx1.phx.paypal.com [66.211.168.231])
by mx.google.com with ESMTP id 30si7241523hub.2006.10.31.09.59.49;
Tue, 31 Oct 2006 09:59:51 -0800 (PST)
Received-SPF: pass (google.com: domain of payment@paypal.com designates 66.211.168.231 as permitted sender)
DomainKey-Status: good (test mode)
Received: from phx22web06.phx.paypal.com ([10.190.3.65])
by mx1.phx.paypal.com (8.13.7/8.13.7) with SMTP id k9VHxmQQ009397
for <futuregizmo@gmail.com>; Tue, 31 Oct 2006 09:59:48 -0800
X-DomainKeys: Sendmail DomainKeys Filter v0.4.1 mx1.phx.paypal.com k9VHxmQQ009397
DomainKey-Signature: a=rsa-sha1; s=dkim; d=paypal.com; c=simple; q=dns;
b=djHkqQ3G0SBcInbasEfcnysOosmZs2BFgprBglyhUY06Xxi92G9tBrAWXT61fQK97
BqzuD678UhG3jSt1KcaVbNqvVTxUC37FAF7p/lxUeq3ceXCGS/uh8nNSIuHjlPJbt9Q
lGdb++neV/DZ5Uf2wne+WgIXyuQsARLvXpJ9Xlk=
X-DKIM: Sendmail DKIM Filter v0.5.1 mx1.phx.paypal.com k9VHxmQQ009397
DKIM-Signature: a=rsa-sha1; c=simple/simple; d=paypal.com; s=dkim;
t=1162317588; bh=itgF7PyvQkUyZa4tpiPKD1MSl1E=; h=Received:Date:
Message-Id:Subject:X-MaxCode-Template:To:From:X-Email-Type-Id:
X-XPT-XSL-Name:Content-Transfer-Encoding:Content-Type:MIME-Version:
Sender; b=MMkZrnvaGEjSDxMgDfqirGRzsMaBBCi1dB4DEtzkA/wec6hnewcyHjZ5F
nAKBdaftKXA9/dFtQGKAeSyAKwVSeTtydSTPOCcEMiIvdsCpkBt5voENlNz+De2j57H
IPHhrnQcP1Mch4zYzo2pmmjLTOEfgPAclmLvkNxWSKk1SIk=
Received: (qmail 9317 invoked by uid 99); 31 Oct 2006 17:59:48 -0000
Date: Tue, 31 Oct 2006 09:59:48 -0800
Message-Id: <1162317588.9317@paypal.com>
Subject: Receipt for your Money Request
X-MaxCode-Template: email-receipt-individual-money-request
To: <xxxxx@gmail.com>
From: “service@intl.paypal.com” <service@intl.paypal.com>
X-Email-Type-Id: PP117
X-XPT-XSL-Name: /default/en_US/request/ReceiptIndividualMoneyRequest.xsl
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=windows-1252
MIME-Version: 1.0
Sender: <sendmail@paypal.com>
The email in question was sent through IP address 69.26.175.108 while the original PayPal email was sent from the IP address 66.211.168.231. Looking up the WHOIS record of the first IP address, we get the following, a confirmation that the mail did not originate from any of PayPal’s servers.
Net Sentry Corp NETSENTRY (NET-69-26-160-0-1)
69.26.160.0 – 69.26.191.255
xeex NETSENTRY-XEEX-01 (NET-69-26-172-0-1)
69.26.172.0 – 69.26.175.255
Your OneStop Network, Inc. YOUR-ONESTOP-NETWORK (NET-69-26-175-0-1)
69.26.175.0 – 69.26.175.255
The second IP address has the following WHOIS record, which shows that the mail did in fact come from a server of eBay, the parent company of PayPal.
OrgName: eBay, Inc
OrgID: EBAY
Address: 2145 Hamilton Ave
City: San Jose
StateProv: CA
PostalCode: 95008
Country: US
NetRange: 66.211.160.0 – 66.211.191.255
CIDR: 66.211.160.0/19
NetName: EBAY-2
NetHandle: NET-66-211-160-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Assignment
NameServer: SJC-DNS1.EBAYDNS.COM
NameServer: SJC-DNS2.EBAYDNS.COM
NameServer: SMF-DNS1.EBAYDNS.COM
NameServer: SMF-DNS2.EBAYDNS.COM
Comment:
RegDate: 2006-01-25
Updated: 2006-01-25
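The header comparison in this section can also be done mechanically. The Python code below is an added example, not part of the original article: it reads the two sets of headers shown above (abridged) and lists every point where the Return-Path, Message-ID, delivering IP or authentication results contradict the From address. The function names and the use of the eBay CIDR as the expected sending range are assumptions made for this illustration.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Headers from the article, abridged to the fields it compares. The Received
# line kept is the one stamped by the recipient's own mail provider.
SUSPECT = """\
Return-Path: <anonymous@vhost.onestop.net>
Authentication-Results: mta241.mail.mud.yahoo.com from=paypal.com; domainkeys=neutral (no sig)
Received: from 69.26.175.108 (HELO vhost.onestop.net) (69.26.175.108) by mta241.mail.mud.yahoo.com with SMTP; Mon, 30 Oct 2006 10:38:46 -0800
Message-ID: <20061030160934.64088.qmail@vhost.onestop.net>
From:service@paypal.com
"""
GENUINE = """\
Return-Path: <payment@paypal.com>
Received: from mx1.phx.paypal.com (mx1.phx.paypal.com [66.211.168.231]) by mx.google.com with ESMTP; Tue, 31 Oct 2006 09:59:51 -0800 (PST)
Received-SPF: pass (google.com: domain of payment@paypal.com designates 66.211.168.231 as permitted sender)
DomainKey-Status: good (test mode)
Message-Id: <1162317588.9317@paypal.com>
From: "service@intl.paypal.com" <service@intl.paypal.com>
"""

def under(domain, org):
    """True if domain is org itself or a subdomain of it."""
    return domain == org or domain.endswith("." + org)

def domain_of(value):
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def check_headers(raw, org="paypal.com", net="66.211.160.0/19"):
    """List how the headers contradict a From address under org (net: expected range)."""
    msg = email.message_from_string(raw)
    if not under(domain_of(msg["From"]), org):
        return []  # the mail does not claim to come from org
    reasons = []
    for name in ("Return-Path", "Message-ID"):
        if not under(domain_of(msg[name]), org):
            reasons.append(f"{name} domain is not {org}")
    first_hop = (msg.get_all("Received") or [""])[0]
    ip = re.search(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", first_hop)
    if not ip or ipaddress.ip_address(ip.group()) not in ipaddress.ip_network(net):
        reasons.append(f"delivering IP is outside {net}")
    # Trust these result headers only when your own receiving server added them.
    spf_ok = (msg["Received-SPF"] or "").lower().startswith("pass")
    dk_ok = (msg["DomainKey-Status"] or "").lower().startswith("good")
    if not (spf_ok or dk_ok):
        reasons.append("no passing SPF or DomainKeys result")
    return reasons
```

Calling `check_headers(SUSPECT)` returns four reasons, while `check_headers(GENUINE)` returns an empty list.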
The Logo
Don’t be fooled by the logo used in the email. It was simply grabbed from PayPal’s site (URL: and intentionally used to deceive recipients into believing that the email was official PayPal correspondence.
The Welcome Greeting
All PayPal emails start with a personalized greeting that mentions your PayPal account name. The email in question used the generic “Dear sir” greeting, a sign that this email was sent in bulk.
The Login Link
The final giveaway that the email is in fact a fake PayPal email is the login link to your account. If you hover (rest) your cursor over the “Click here to update your PayPal account information” link, you will notice in the lower-left portion of the browser that the link redirects to — a link unrelated to PayPal. Visiting the site will lead you to an exact replica of the PayPal login page, but this is actually a phishing site.
THE SPOOF PAYPAL EMAIL
Warning Notification
Dear sir,
It has come to our attention that your PayPal® account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service.
However, failure to update your records will result in account suspension. Please update your records before November 06, 2006.
Once you have updated your account records, your PayPal® account activity will not be interrupted and will continue as normal.
Click here to update your PayPal account information
Actual Link (DO NOT VISIT):
What you should do
We advise you not to visit that link and not to input any information in the login fields in the site. Forward the fake email to spoof@paypal.com to notify PayPal about these new PayPal phishing emails and sites. If you are using Gmail, you can report the mail as a phishing email by clicking More Options > Report Phishing.
You should never fully trust any email you receive supposedly from PayPal. Use the guide above to check whether the mail is indeed authentic or merely a fake, phishing email.
Is this PayPal logon page a fake ????
http://login3. paypalglobaldatabase. com/cgi-bin/webscr.php?cmd=_login-run
The link was sent in e-mail
This page:
http://paypalglobaldatabase. com/
Shows:
paypalglobaldatabase. com
This page is parked free, courtesy of GoDaddy.com
How to know the IP address? Which part must I click on?
I also get order from Anna Travis. I am curious since she used different Facebook nickname. Last time, I ignored her. Now, she inbox me again with different name. But I still remember the email. She asked me to send the request money from PayPal to annatravis@hotmail.com. Then I search information about her.
Thank you so much for the nice and beneficial article.
Warm greeting 🙂
Linot Queenza – Indonesia
It’s fake. The official PayPal site is http://www.paypal.com. Any other PayPal site that uses a different URL is certainly fake.
Yeah, it’s fake. Never go on any other PayPal sites than http://www.paypal.com
Is this email I received real or a fake?
Hello Candace Sparg,
You have an instant payment of $610.00 USD from Sharon Rodney (sharonrodney32@yahoo.com)
Thanks for using PayPal. To see all the transaction details, log in to your PayPal account.
It may take a few hours for this transaction to appear in your account.
——————————————————————————–
Seller Candace Sparg
Candace.sparg@acerafrica.co.za
Note to seller
You have to provide to us the shipment tracking number so that your funds can reflect in your account as soon as possible.
Shipping address – confirmed
Adekunle Oluwaseun
28 Olayinka street, Ijeshatedo
Surulere
Lagos,23401
Nigeria.
Shipping details
POST OFFICE
Description Unit price Qty Amount
“Nokia 5230”
Item #
$610.00 USD
1 $610.00 USD
Shipping and handling
$0.00 USD
Insurance – required
$0.00 USD
Total
$610.00 USD
Payment
$610.00 USD
Payment sent to: Candace Sparg
Candace.sparg@acerafrica.co.za
Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Security Center
IMPORTANT NOTE: This PayPal® payment has been deducted from the buyer’s account and has been “APPROVED” but will not be credited to your account until the shipment reference/tracking number is sent to us for verification so as to secure both the buyer and the seller.Below are the necessary information requested before your account will be credited.Send tracking number to us or email us through this mail tracking_manager@accountant.com and our Customer security service center will attend to you. As soon as you send us the shipment’s tracking number to us for security purposes and the safety of the buyer and the seller,the money will be credited to your account.
**PLEASE NOTE**
Once item has been shipped and the tracking number sent to us,
You will receive a “CONFIRMATION EMAIL” from PayPal® Team informing you that the Fund has been credited.
Questions? mail our agent incharge of your transaction at tracking_manager@accountant.com or reply this mail for assistance.
To receive email notifications in plain text instead of HTML, log in to your PayPal account, go to your Profile, and click Notifications.
Copyright © 1999-2009 PayPal. All rights reserved.
PayPal Email ID PP1525.
I just received the exact same email and the person I have been dealing with on Facebook by the name of Anna Travis. I have a bad feeling about this when she sent me payment of US$1,335 with this same email instructions from Paypal asking me to provide the shipping tracking no. And it’s for the same address in Nigeria and email that you have.
I was scammed by Anna Travis on Facebook as well, with an address in Dundee, Scotland. She will pay u any amount, and u wonder why she’d be willing to pay that much. She has my camera and she did not pay a dime for it. I lost out on money for shipping and a good camera.
1) She created fake PayPal emails
2) She used a onlinedeliverytrack@accountant.com email
And after I confronted her about it, she said sorry. *awkward*
So selling on Facebook is not a good idea. And even when u deal with PayPal, just make sure u get the money first. PayPal won’t withhold any money or ask u for all kinds of details.
Be careful everyone! There are a lot of evil / greedy ppl in this world!
Excellent Article! I personally really like your post. This is a great website. I will make sure that I’d stop by again!