October 02, 2005

A Busy Day for PayPal Phishers
Imagine that you're a new or occasional PayPal user. You may have entrusted the firm with not only your credit card information, but perhaps access to a bank checking account to facilitate direct funds transfer. You switch on your computer one sunny Sunday morning, only to find not one, not two, but four email messages claiming to be from PayPal:
It turns out that none of these messages comes from PayPal. They're all phonies, attempting to lure unsuspecting users into giving up their PayPal user IDs and passwords. The sites that the active links lead to are located all over: two are in Germany (at different ISPs), one is in Hong Kong, and the fourth is in Iran.
I would hope that a newbie receiving a barrage like this would be suspicious enough to wonder about the messages' authenticity. At the same time, alas, it wouldn't surprise me if plenty of folks responded to not one, not two, but all four requests for information out of fear of having PayPal suspend their account—confusing the quantity and variety of messages with urgency.
One of these four sites, by the way, is particularly dastardly. The crook managed to either set up or hijack a Web server that speaks Secure Sockets Layer (SSL). Not only does the site's URL use the https protocol, but the site really does present a digital certificate. A modern Web browser might, however, alert the visitor to the fact that the certificate was not issued by a recognized certificate authority. The certificate says it's "PayPal, Inc.", but it is self-signed, and it looks very different from the one at the real PayPal site. I'd be surprised if more than 5% of PayPal's members could tell the difference, no matter what kinds of red flags the browser raises.
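The distinction the browser is drawing here is mechanical: a self-signed certificate names itself as its own issuer, and no entry in the browser's trust store vouches for it. The following added example (not from the original post, and not PayPal's or any browser vendor's code) generates a locally constructed self-signed certificate whose subject reads "PayPal, Inc.", then shows the two checks a defender can run with the stock openssl command-line tool: compare the subject and issuer names, and ask openssl to verify the chain against a trust store. The organization and host names in the certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: tell a certificate that merely *claims* to be "PayPal, Inc."
# apart from one a trusted certificate authority actually issued.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed demo certificate: self-signed, with a subject that reads
# "PayPal, Inc." The names are hypothetical and generated locally.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" \
    -subj "/O=PayPal, Inc./CN=secure.paypal.example" 2>/dev/null
}

# Check 1: a self-signed certificate's issuer name equals its subject name.
# Prints "self-signed" or "ca-issued".
classify_cert() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  if [ "$subj" = "$iss" ]; then
    echo self-signed
  else
    echo ca-issued
  fi
}

# Check 2: does the certificate chain to a CA in a trust store?
# $1 = certificate, $2 = optional CA bundle. Without $2 the system's default
# CA files are disabled, mirroring a browser whose store does not contain
# the crook's certificate. Exit status 0 means trusted.
chains_to_trusted_ca() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
  fi
}

# Stand-alone demonstration.
make_demo_cert
echo "subject/issuer check: $(classify_cert "$WORKDIR/cert.pem")"
if chains_to_trusted_ca "$WORKDIR/cert.pem"; then
  echo "trusted by a CA (unexpected for the demo certificate)"
else
  echo "not issued by any trusted CA: this is where a browser warns"
fi
```

The second check only passes when the bundle handed to `-CAfile` already contains the certificate (or its issuer), which is exactly why the bogus site's certificate verifies nowhere except on the crook's own machine. The `-no-CAfile`/`-no-CApath` flags require OpenSSL 1.1.0 or later.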
Let's hope someone is at home at the ISP in whose IP address space this bogus "secure" site is located, and will shut it down ASAP.
A Reuters news story from December 8, 2004 quoted Howard Schmidt (special adviser on cyber-security in the first term of our current president), who believed that the combination of new technology and law enforcement would essentially stamp out phishing scams:
"I firmly believe that at this time next year we will be able to say that phishing used to be a problem."
Tick tock.

Posted on October 02, 2005 at 11:34 AM