Spouse partially responded to paypal phishing email


Oops
06-25-2005, 12:26 PM
This morning as she drove off in the car, my wife told me she had received an email from PayPal saying there was a problem and that she'd tried to respond but that she didn't know the full credit card number. I told her that it was a fake email and rushed into the house to log into her account.

I emptied Safari's cache and reset Safari and then used it to go to PayPal's website directly to log into her account. Well, it would not let me log in. When I went to the 'Did you forget your password', it told me that it did not have her email address in their records. Similarly with the only old email address which she would have used. It seems like someone had already logged into her account and changed her email address. So I did as much as I could do, and I hope it works out ok*.

Question: Can they get her credit card number from the paypal account?

My first thought would be 'No.' I logged into my account and all I could see were the last 4 digits, and it did not seem to want to show me any further digits. However, I also tried to change my email address. When I entered a new email address, it immediately confirmed it by sending both email addresses an email. When I tried to remove the primary email address first, it would not let me do so. So I don't know how these people were able to change my wife's email address and remove her email address without my wife getting a confirming email about it. If they were able to do that, then perhaps they can get access to the full credit card account number?


*I reported the email to spoof@paypal.com and asked them to close that account (although, without the account name/email address I don't know if they could do that). I also reported it from a security link on their web page, and I also called them on the phone (but had to call my wife where she was to have her call in because they would not speak with me about her account).

Caius
06-25-2005, 12:54 PM
Lovely username to have underneath the title of this topic ;)

I think talking to paypal is the best thing you can do under the circumstances, and watch the credit card very carefully, or even cancel it to be overly careful.

voldenuit
06-25-2005, 02:02 PM
There is no such thing as overly careful with paypal.

And although talking to them may be both sensible and sufficient, you'll discover that it can be extremely cumbersome and they'll require you to jump through more loops than you'd ever imagine.

First make sure they can't get any money from you by instructing the real banks associated with your paypal account appropriately. That can include the closure of accounts and cancellation of credit cards.
Also contact your local law enforcement agencies in a provable manner.

Paypal tends to take the money where it is, regardless of legality. You should urgently inform yourself with specialised sites and forums; this kind of scam works a lot better than it should. Don't be overly confident.

Oops
06-25-2005, 03:37 PM
Thank you for your responses.

My wife called PayPal and tracing back using her name (not email address) they say the only time she ever used PayPal was with an old, closed email account and she has never updated it to the current email account. Thus, the email address she entered into the page is not for a valid account. I went to the page myself and entered a bogus email address and password and it accepted it like it was a real paypal account and then took me to the page where it asks for the credit card account number...this is what they really wanted. Had they tried to use the account email address that she entered, they would also find that there is no such account. I had earlier tried getting in with the old email address that PayPal mentioned, and I couldn't get in that way either.

The thing that still bothers me is that PayPal says that my wife has never had an account with them. Given that she used them one time to buy something on the web with a credit card, doesn't that mean that she has/had an account with them? Anyway, I think we got lucky this time...I don't think she'll respond to one of those again.

voldenuit
06-25-2005, 09:25 PM
Don't rely on getting lucky here.

Have PP send you a piece of paper where they confirm that you don't have an account with them any longer.

Should anything go wrong after that, you can take PP to court and be sure to win.

You probably just experienced a pretty cheap lesson on applied security.

Offering her Kevin Mitnick's book "The Art of Deception" could be an entertaining conclusion to this episode, both funny and eye-opening.

cwtnospam
06-25-2005, 09:37 PM
This morning as she drove off in the car, my wife told me she had received an email from PayPal saying there was a problem and that she'd tried to respond but that she didn't know the full credit card number. I told her that it was a fake email and rushed into the house to log into her account.

I've received the same phishing email several times today. After the last one, I tried to mess with them by providing a bunch of incorrect information, phone numbers of police stations, etc. but it turns out their software checks to validate the credit card number. Anyone know of a way to fool their system? I'd love to turn this scam back on them, even just a little.
:D

voldenuit
06-25-2005, 09:46 PM
When trying to have phun with them, you might wish to take into account that a fair portion of the phishing crowd is organized crime.
Make sure they don't ever get to know who you are...

Not much short of having a botnet to hammer their servers will be able to seriously annoy them.

ArcticStones
06-26-2005, 01:02 AM
When trying to have phun with them, you might wish to take into account that a fair portion of the phishing crowd is organized crime...

Organized crime barons & musclemen aren’t the only ones sensitive about issues such as extent/methods of credit card fraud.

A couple of years ago, I was writing texts for a brochure by Norway’s premier provider of security to credit card companies. Part of my suggested communications strategy was to put this in perspective. So I called VISA and a few others (both in Norway and at their international headquarters), asking a simple question: What is the annual extent of international credit card fraud?

When I told them why I wanted to know, and that I wanted to quote the numbers, they went ballistic. One of their representatives demanded my full name, the name of my customer and contact person -- which I gave them.

An hour later I called my contact and meekly told him "maybe I blew it". He laughed very loudly. Yes, he had indeed received a call three-quarters of an hour ago from someone high up the credit card company’s ladder. And, yes, the question I had asked was the most sensitive one of all. But no way in hell was I going to get any credit card company to put a cash figure on the problem -- neither for the credit card business at large, nor certainly for their particular company.

And so, of course, the brochure about my customer’s security software had to be presented without these impressive numbers.

:D

Best regards,
ArcticStones