by Derek K. Miller <dkmiller@penmachine.com>

Most spam is simply annoying - a waste of time, effort,
and computer resources, to be sure, but not usually dangerous. However,
a small but significant number of spammers go beyond being merely misleading
or offensive by actively trying to defraud people. Their methods are increasingly sophisticated, both technically and
socially, and many are now focusing their efforts on major ISPs, online
retailers, telecommunications carriers, and, for my discussion here,
the popular PayPal online payment service, which is owned by eBay.
<http://db.tidbits.com/getbits.acgi?tbart=06260>

Email fraud is nothing new. It follows naturally from the methods criminals
use in mail, wire, and telephone fraud. The notorious "Nigerian
banking" scams have even been traced back as far as the 1920s,
when they were conducted through the mail and involved a fictitious
Spanish prisoner instead. But the Nigerian banking scams are almost
laughably obvious, whereas the new scams aimed at PayPal are really
quite subtle.
<http://www.snopes.com/inboxer/scams/nigeria.htm>

Why PayPal?

PayPal is not to blame for the situation. Some people dislike the service
for a variety of reasons, but PayPal's staff makes significant efforts
to keep it both secure and easy to use, two goals that are sometimes
at odds. So why are these scam artists targeting PayPal?

People trust PayPal with information about their bank accounts and
credit cards. PayPal is widespread, with many of its users maintaining
a significant balance of funds in their PayPal accounts. A large majority
of eBay auctions accept PayPal, and many services outside the eBay community
use it as well - including TidBITS's own PayBITS author-payment system.
Put bluntly, PayPal is where the money is.
<http://db.tidbits.com/getbits.acgi?tbart=06909>

Also, it's simple for nearly anyone with Internet access to use PayPal.
That means many PayPal users are unfamiliar with the details of how
Internet email and online transactions work, even if they use those
technologies every day. With a bit of effort, criminals can convince
even fairly experienced Internet users that they are logging into the
PayPal Web site, when in fact they are giving personal and financial
information away to unknown parties.

In short, PayPal appeals to fraud artists for the same reason it appeals
to users: it makes accessing and transferring money entirely online
both easy and quick. So people also can be tricked into losing their
money quickly, easily, and entirely online.

Why Me?

How do PayPal scammers get your email address? The same ways other
spammers do, which include harvesting addresses posted in Usenet and
on Web pages (perhaps especially if you have a PayPal payment link on
your site, as I do), obtaining illegitimately compiled databases of
addresses from unscrupulous companies with whom you might do business,
crawling eBay's active auctions looking for usernames, and unleashing
semi-random "dictionary" attacks on major email providers
such as Hotmail, EarthLink, AOL, and Pobox.
<http://www.faqs.org/faqs/net-abuse-faq/harvest/>

Since so many people use PayPal, even random spamming of millions of
email addresses will turn up a fair number of people who have PayPal
accounts, and therefore some who can be convinced that PayPal needs
them to re-type some information.

Anatomy of a Scam

Like most varieties of spam email, every PayPal scam is slightly different.
The goal of each one, though, is the same: to mislead victims into believing
that they are communicating with PayPal, so that their trust in it,
and thus their money, can be misappropriated.

Usually that attempt takes the form of an email forged to look like
it comes from PayPal, claiming that the company is trying to verify
its customer list, has had a database problem and needs some information
re-entered, or has another apparently legitimate reason for you to log
in with your user name, password, and maybe credit card information
and ATM code. The email might include a link to a site that seems to
be owned by PayPal, but is not, or the email might include an HTML form
itself, as the one I received last week did:
<http://www.penmachine.com/paypalscam/>

Over time, the perpetrators of these scams have gotten trickier. Early
versions were plain-text email messages with links that were obviously
misleading. More recent attempts are HTML-formatted messages with genuine
PayPal logos (sometimes linked directly from PayPal's site) and a layout
similar to PayPal's genuine Web pages.

There are still signs that give away the real nature of these messages.
Every one I have seen has errors in design or language that are unlikely
in correspondence from a legitimate company. The writers might misspell
words or use them sloppily (such as writing "e-mail" in one
place and "email" in another), use slightly inconsistent font
sizes, or have spaces missing between words. Often the phrasing that
isn't stolen directly from PayPal's own pages is off-kilter and strange,
obviously not written by professionals. Another giveaway is URLs that
point at IP numbers or other domains rather than the paypal.com domain.
With HTML email, though, you must view the source of the message and
scan it carefully to find these telltale signs.

Yet for someone who isn't a technical writer and editor like me, those
mistakes are easy to miss. The scam email I received last week is even
set up to redirect you to the real PayPal site after it has harvested
your personal information, so unsuspecting victims may never know they
had been duped until the money started disappearing from their PayPal
account (a good reason to check your account activity every so often
too).

Consequences and Precautions

Crooks who manage to obtain your name, email address, password, and
banking information are in a position to drain your PayPal account of
all its funds, at the very least. They could also launch fraudulent
auctions in your name, launder money, or (in the extreme) use the information
they have as the basis for identity theft. These are not misdemeanors,
but serious crimes.
<http://catless.ncl.ac.uk/Risks/22.82.html#subj11>

So, if you use PayPal, you should be cautious. Fortunately, that's
easy to do. First of all, PayPal never sends email messages requesting
your password. Any transaction requiring you to log in goes through
the paypal.com Web site and uses a secure (https), encrypted connection
(so make sure you see https at the beginning of the URL in your Web
browser's address field and paypal.com as the URL's domain name). Be
careful, though, since some scammers are using unusual URLs that use
the paypal.com domain as a username for another site, whose domain is
hidden later on in the URL (after an @ character). So if you see something
like the following URL, your browser is actually going to example.com,
not paypal.com.
<https://www.paypal.com:abc%123@example.com/>

PayPal itself maintains a repository of useful anti-fraud information
in its Security Center:
<http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/security-main-outside>

If someone attempts to defraud you with a PayPal scam - even if you
don't respond and suffer no loss - the "Report a Problem"
link on PayPal's Security Center page lets you tell the company about
it so that it can try to track down and prosecute the offenders. The
company also encourages you to forward any scam email messages purporting
to involve PayPal (including all headers) to <spoof@paypal.com>.

PayPal remains profoundly useful. We must learn to recognize those
people who are trying to degrade that usefulness and steal our money,
just as we recognize suspicious activities in other areas of our lives.
One simple way to avoid any problems is to log into PayPal only when
you type its URL into your browser yourself.

The situation reminds me of a Calvin and Hobbes cartoon where Calvin
brings a note to school, written in big lettering using a pencil on
lined paper: "Please let Calvin off from school today as his genius
is needed on a matter of vital national importance. Signed, The President.
P.S. Really." With a bit of scrutiny, you too can learn to spot
fraudulent messages.

[Derek K. Miller is a writer, editor, drummer, and stay-at-home dad
in Vancouver, Canada. He maintains a disturbingly extensive weblog journal
on his Web site.]
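
The two URL giveaways described in the article (links that point at IP numbers or other domains, and paypal.com used as a username before an @ character) can be checked mechanically against the source of an HTML message. The following Python sketch is an added example, not part of the original article; the names LinkCollector, url_warnings and scan_html and the sample message body are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit
TRUSTED = "paypal.com"  # the domain the article says genuine logins use

class LinkCollector(HTMLParser):
    """Collect URLs from href, action and src attributes in an HTML body."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "action", "src") and value:
                self.urls.append(value)

def url_warnings(url, trusted=TRUSTED):
    """Return a list of reasons the URL does not really lead to `trusted`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    reasons = []
    if parts.username is not None:
        reasons.append("userinfo before @ hides real host " + host)
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        if host != trusted and not host.endswith("." + trusted):
            reasons.append("host is " + (host or "missing") + ", not " + trusted)
    if parts.scheme != "https":
        reasons.append("not https")
    return reasons

def scan_html(body):
    """Map each suspicious URL in an HTML message body to its warnings."""
    collector = LinkCollector()
    collector.feed(body)
    return {u: w for u in collector.urls if (w := url_warnings(u))}

# Constructed sample body (not a real message); 192.0.2.10 is a documentation address.
SAMPLE = """<html><body>
<img src="https://www.paypal.com/images/logo.gif">
<form action="http://192.0.2.10/verify.cgi" method="post"></form>
<a href="https://www.paypal.com:abc%123@example.com/">Log in</a>
<a href="https://www.paypal.com/">PayPal</a>
</body></html>"""

if __name__ == "__main__":
    for url, why in scan_html(SAMPLE).items():
        print(url, "->", "; ".join(why))
```

A logo loaded from the genuine site passes the check, which is why the form target and link destinations matter more than how the message looks.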
Wellington Macintosh Society Inc. 2002