Security

Report scams: fraudulent emails and websites.

Report Phishing or Spoof email

If you receive a suspicious email, FORWARD it to spoof@paypal.com. Our security experts will look at the email to determine whether it is a fake. If it is, we will get the source of the email shut down as quickly as possible. By reporting these emails you protect yourself and everyone else too.

There are some hints about identifying scam email below but it is often very difficult to tell for sure since the scammers adjust their tactics. So, if you have the slightest doubt, send it to our experts for investigation.

Note: Please FORWARD the suspect email (as an attachment, if your mail client offers that option) rather than cutting and pasting its contents, because the message headers that identify the source will be lost.
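What the note above refers to, as an added example that is not part of PayPal's page: the script below parses a constructed sample message (the hosts, addresses and IP numbers are made up, using the reserved .example domain and documentation address ranges) and lists the source-tracking information that exists only in the headers, then shows what is left once the same message has been cut and pasted.

```python
"""Added example (not PayPal's code): what a cut-and-paste of a suspect
message throws away. RAW_MESSAGE is a constructed sample, not a real
phishing email; hosts use the reserved .example TLD and documentation IP
ranges. Parsing it surfaces the source information that lives only in the
headers: the Received chain, the envelope sender versus the From address
the reader sees, and the real targets behind the link text."""
import email
import re
from email.utils import parseaddr

RAW_MESSAGE = b"""\
Return-Path: <bounce@mail-hmmmm.example>
Received: from mail-hmmmm.example (mail-hmmmm.example [203.0.113.45])
\tby mx.recipient.example with ESMTP; Tue, 12 Mar 2024 09:14:03 +0000
Received: from [10.0.0.7] (unknown [198.51.100.9])
\tby mail-hmmmm.example with SMTP; Tue, 12 Mar 2024 09:13:58 +0000
From: "PayPal" <service@paypal.com>
To: victim@recipient.example
Subject: Your account has been limited
Content-Type: text/html; charset=utf-8

<p>We noticed suspicious activity. <a href="https://www.paypal.com.hmmmm.example/login">Log in to PayPal</a> now.</p>
"""

# "from <host> (<comment>)" at the start of each Received header value.
RECEIVED_FROM_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?", re.I)
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    payload = msg.get_payload(decode=True) or b""
    return payload.decode(msg.get_content_charset() or "utf-8", "replace")


def analyze(raw: bytes) -> dict:
    """Pull the source-tracking facts out of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw)
    hops = []
    # Each relay prepends its own Received header, so the first one is the
    # server that handed the message to us and the last is closest to the sender.
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM_RE.search(" ".join(value.split()))
        if m:
            hops.append((m.group(1), m.group(2) or ""))
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    links = [(re.sub(r"<[^>]+>", "", text).strip(), href)
             for href, text in HREF_RE.findall(_body_text(msg))]
    return {
        "received_chain": hops,
        "from": from_addr,
        "return_path": return_path,
        # A From domain that differs from the bounce address is a classic tell.
        "sender_mismatch": bool(from_addr and return_path
                                and _domain(from_addr) != _domain(return_path)),
        "links": links,
    }


def pasted_copy(raw: bytes) -> bytes:
    """Roughly what a cut-and-paste of the rendered message carries: the
    visible From and Subject plus the visible text, with no Received or
    Return-Path headers and each link reduced to its anchor text."""
    msg = email.message_from_bytes(raw)
    text = re.sub(r"<[^>]+>", "", _body_text(msg)).strip()
    return f"From: {msg['From']}\nSubject: {msg['Subject']}\n\n{text}\n".encode()


if __name__ == "__main__":
    print("forwarded:", analyze(RAW_MESSAGE))
    print("pasted:   ", analyze(pasted_copy(RAW_MESSAGE)))
```

Run on the forwarded message, analyze() reports two relay hops ending at 198.51.100.9, a From address at paypal.com that does not match the bounce address at mail-hmmmm.example, and a link whose text says "Log in to PayPal" but whose target is hmmmm.example. Run on the pasted copy, the hop list, the Return-Path and the link targets are all empty, which is exactly the information an investigator needs.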

What is phishing?

“Phishing” is an attempt to steal your information. Criminals pretend to be a legitimate business to get you to disclose sensitive personal information, such as credit and debit card numbers, bank information, account passwords, or Social Security numbers.

One of the most common phishing scams involves sending an email that fraudulently claims to be from a well-known company. However, it can also be carried out in person, over the phone, via malicious pop-up windows, and "spoof" or fake websites.

How Phishing Works

  1. A criminal sends a large number of emails to people, using lists of email addresses identified as active or chosen at random. These emails appear to be messages from a well-known company. A common example contains a fictitious story designed to lure you into clicking on a link or calling a phone number.
  2. The phishing email asks you to fill out a form or click on a link or button that takes you to a fraudulent website.
  3. The fraudulent website mimics the company referenced in the email and aims to extract your sensitive personal data.

In essence, you think you're giving your information to a trusted company when, in fact, you're giving it to a criminal.

Note that phishing emails can also lure you to open suspicious attachments or visit websites that can infect your computer with malware.

How to Spot a Fake Email

There are many telltale signs of a fraudulent email:

  • False Sense of Urgency – Many scam emails tell you that your account will be in jeopardy if something critical is not updated right away.
  • Fake Links – These may look real, but they can lead you astray. Check where a link really goes before you click: hover over it and read the destination address your mail client shows, because the visible link text can say one thing and point somewhere else. If the destination is not the address you expect, don't click.
  • Attachments – A real email from PayPal will never include an attachment or software. Attachments can contain malware, so you should never open an attachment unless you are 100% sure it's legitimate.
  • If you are not sure whether a PayPal email is legitimate or not, here is what you do: Do not click on any link in the email. Instead, start a browser, go to PayPal and log in. If there is any urgent message for you, you will see it as you log in.

Here are some examples:

  • You receive an email stating: “Your order #ZK04769 is confirmed for shipment tomorrow. Please click here to review the shipping details.” You never placed an order, so you click on the link and log in to see what it is. Only later do you realize that the link took you to a bogus website.
  • You receive an email stating: “We have noticed suspicious activity on your account. Please click here to review your recent transactions.” Once again the link takes you to a page that looks correct but is really a bogus link.
  • “We would like to offer you a special $50 coupon for being such a good customer. This offer is limited to the first 100 people so click here immediately to claim your reward.” Instead of a reward, you are directed to a fake website where you might give up your account id and password which the scammers will use to spend from your account.

Smishing

Phishing can also come through your phone, via voice or SMS. Smishing is when a scammer sends an SMS message to your phone number containing a bogus phone number or URL. The message is usually urgent, like:

“Your PayPal account has been suspended due to suspicious activity. Please contact us immediately at 1-408-123-4567. It is imperative that we speak to you immediately.”

“PayPal: You spent $1293.17 USD at The Home Depot. If you did not make this transaction please call us immediately at 1-408-123-4567. Thank You.”

If you call the number, you are confirming that you have a PayPal account. When you call, you will be talking to a fraudster who will ask for your account information so they can steal from your account.

Similarly, a URL link in a text message on a smartphone could be bogus.

“PayPal: You spent $1293.17 USD at The Home Depot. If you did not make this transaction please login at paypal.mobileservice2013.com/txn?id=178948 to stop this transaction. Thank You.”

Note the bogus URL in the message. You should be suspicious of text messages containing links. If you are ever in doubt about the validity of a link, type www.paypal.com into your browser yourself to log in.

Vishing

Fraudsters use an automated system to make voice calls about urgent account problems and ask the victim for account information. This is called vishing. For example:

"This is PayPal calling about a possible fraudulent transaction on your account. Please enter your PIN now to hear the transaction details. We need your immediate response to block this transaction."

If the user enters their PIN or password, the scammers get more of what they need to access the account. Never provide any account information on a call you did not originate.

Caller ID cannot be trusted. Even if the Caller ID says PayPal, that is not sufficient reason to trust the call. It is easy for scammers to fake the Caller ID, and there is no way for you to tell from the display.

Sometimes the automated calls will ask you to call back. They will leave a number, or you can just tap "call" from your smartphone. Don't call the number that the scammer provided. If you need to contact PayPal, go to the Contact Us link on any PayPal page for the real phone number.

How to Spot a Spoof Website

Watch out for the following:

Deceptive URLs

You can't tell whether a website is real just by looking at its pages, since it is very easy for scammers to copy the real website's content. You need to look at the URL to be sure that you are on the real website.

When accessing the real PayPal site, the address should start with https://, not http://, and the browser's security indicator (the padlock) should show. Note that https:// only means the connection is encrypted; spoof sites can use it too, so the domain name still has to be checked.

Some criminals will place a fake browser address bar over the real one, so it appears you're on a legitimate website. But even if a URL contains the word "PayPal," it may not be a PayPal site. If the URL address looks overly complex, it is probably not the real website.

Examples of fake PayPal addresses are secure-paypal.com and a host name that contains paypal.com but belongs to another site, such as www.paypal.com.hmmmm.com.

Valid PayPal URLs should start with https://www.paypal.com. Sometimes the "www" is replaced with other letters, but "paypal.com" should immediately follow and should be the end of the host name, that is, the part before the first single "/". The second example above includes paypal.com, but the website is really hmmmm.com, which is very suspicious.

PayPal also commissions third-party domains using the format paypal-xxxx.tld, which keeps "paypal" in front of the hyphen (unlike the first example, secure-paypal.com). This format is not exclusive to PayPal, since anybody can purchase a domain name. To confirm PayPal ownership of such a site, check that:

  1. The format follows PayPal's third-party domain naming guideline, paypal-xxxx.tld, where tld is a top-level domain; country domains such as .us, .cn, .ru or .de are acceptable here, as well as .com or .net.
  2. The site's certificate identifies the owner as PayPal, Inc. or PayPal Pte Ltd. Older browsers showed this as a green EV SSL bar; current browsers no longer display that bar, so click the padlock and view the certificate's organization details instead.
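The host-name rules in this section, together with the hover check under "Fake Links" and the text-message link in the Smishing section, as an added example that is not PayPal's code: a small classifier that judges a link by its URL alone. It assumes the registrable domain is the last two labels of the host (enough for the .com/.net/.de style names on this page; a production check would consult the Public Suffix List so that names under .co.uk and similar are handled), and it treats a bare host from a text message as if it had been given with https:// so the host can be judged.

```python
"""Added example (not PayPal's code): judge a link by its host name, as the
"Deceptive URLs" section advises, instead of by how the page looks.
Assumption: the registrable domain is the last two labels of the host.
That is enough for the .com/.net/.de style names on this page; a production
check should use the Public Suffix List so that e.g. .co.uk is handled."""
import re
from typing import Tuple
from urllib.parse import urlsplit

LEGIT_DOMAIN = "paypal.com"
# Third-party format described on the page: "paypal-" + something + TLD.
# Anyone can register such a name, so a match only means "check the
# certificate's organization", never an outright pass.
PARTNER_RE = re.compile(r"^paypal-[a-z0-9]+\.[a-z]{2,}$")


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. www.paypal.com.hmmmm.com -> hmmmm.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'legit', 'verify-cert' or 'suspicious'."""
    # Links in SMS often omit the scheme; assume https so the host gets judged.
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    # "https://www.paypal.com@hmmmm.com/" goes to hmmmm.com: the text before
    # the @ is a user name, not a host.
    if parts.username is not None:
        return "suspicious", f"text before @ is a user name; browser goes to {host}"
    reg = registrable_domain(host)
    if reg == LEGIT_DOMAIN:
        if parts.scheme != "https":
            return "suspicious", "paypal.com but not https"
        return "legit", f"host ends in {LEGIT_DOMAIN} and uses https"
    if PARTNER_RE.match(host):
        return "verify-cert", f"{host} fits paypal-xxxx.tld; confirm the certificate names PayPal"
    if "paypal" in host:
        # secure-paypal.com, www.paypal.com.hmmmm.com, paypal.mobileservice2013.com
        return "suspicious", f'host mentions "paypal" but the site is {reg}'
    if "paypal" in (parts.path + "?" + parts.query).lower():
        # hmmmm.com/paypal.com/...: only the part after the first "/" says paypal
        return "suspicious", f'"paypal" appears after the host; the site is {reg}'
    return "suspicious", f"unrelated site {reg}"


if __name__ == "__main__":
    for u in ["https://www.paypal.com/signin",
              "https://secure-paypal.com/login",
              "https://www.paypal.com.hmmmm.com/login",
              "https://www.paypal.com@hmmmm.com/login",
              "paypal.mobileservice2013.com/txn?id=178948",
              "https://paypal-shopping.de/"]:
        print(u, "->", classify_url(u))
```

The order of the checks matters: the user-name trick is tested first because urlsplit would otherwise happily report the host, and the scheme is only examined once the host has passed, so that http://www.paypal.com/ is flagged for the right reason. A "verify-cert" verdict is deliberately not a pass; it is the cue to open the certificate and look at the organization, as item 2 above describes.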

If you find a suspicious link or a suspicious website, you can report it to PayPal. Our security experts will investigate the report. If it is a bad website, we will get the site shut down. By reporting a suspicious link you protect yourself and other people too.

Site Safety Rating Tools

You can't always catch suspect links before you click on them, but there are several site safety rating tools that can help protect you while you are browsing. These free services collect reports about suspicious sites, rate them, and can stop you from reaching a site that might infect your system with malware.

These won't catch every bad link, because the bad guys keep creating new ones. They are a good first line of defense, but you still need to be suspicious of strange links.

If you fall for Phishing, Vishing, or Smishing

There are plenty of clever scam attempts and new ones are being created all the time, so despite your best intentions it could happen. If you have a suspicion that you fell for a scam here are some steps to protect yourself:

  1. Change your account password, PIN and Security Questions immediately. Do this for your PayPal account, email account and your other online accounts.
  2. Run an anti-virus scan on your system to make sure that you did not pick up malware. Make sure that your system and anti-virus software are up to date.
  3. Check your online account statement vigilantly over the next few weeks and months for unexpected actions.