I almost fell for it…

by DanB

It’s scary how easy is to be snared in an email “phishing” attempt. I have told you how to avoid phishing attempts several times in the past. Now get this – I almost fell for one of these scams just last week.

The particular email that arrived in my inbox claimed to be from PayPal. The subject was “Restore Your Account Access.” Normally I just delete these and go on. This time was different. My PayPal account had been restricted. I was eagerly waiting on a reply from PayPal that access had been restored.

When I saw the email I almost clicked the link. Almost. It is easy to see how people fall for these phishing attempts. What caught my eye and kept me from clicking?

First I took my own advice and just logged directly into my PayPal account. The account was still restricted and there was no new information to be seen.

Second was the very handy “Display Mail User Agent” Extension inside Mozilla Thunderbird. I use Thunderbird for my email and have several extensions installed. This particular extension does one thing – it shows an icon telling you which Mail User Agent (MUA) or email client was used to create the email. In this case it said the email was created in Microsoft Outlook.

None of my official email from PayPal has been written in Outlook. That should have been my first clue. Here is a picture of the false PayPal email along with icon from “Display Mail User Agent”:

Click the picture for a larger image

This experience brought to mind a local news story from last year. It seems a lady had her eBay account hacked. She was adamant that she never shared her account details with anyone. Then she showed how she only clicks on links in emails from eBay. Obviously she was caught in a phishing scam and didn’t realize it.

What happened with my PayPal account? They restored access the very next day.

You can read a previous article on phishing and how to avoid getting taken here:


Be careful out there.

~ Dan

© 2007 Dan Butler

Dan Butler is the Editor-in-Chief of TNPCNewsletter.com and the
author of the amazing new book that shows you how to save your
identity, get your email read, and put more time into the things
you really enjoy…

  • Tim

    Also try selecting an email in Thunderbird then clicking Ctrl U to display the email properties. Then scroll down and look for the URLs within the email: invariably they are dotted IP addresses or non-Paypal (or whatever legit company they’re mimicking) links. Also the From email often is clearly not PayPal but that’s often easy to spoof.

  • Leishalynn

    My first tip-off would be the salutation, “Dear PayPal Member.” PayPal always uses your real name in correspondence from them, so you know it’s really them. I delete everything that doesn’t include my real name.

  • http://www.handicomp.blogspot.com Doug Godbey

    Whew! That was a close one! Thanks for the tip, Dan. I’ll install that extension right away! I’ve been keeping up with all the lotto, ‘Please Help’, and other phishing emails and I have to tell you, I would be a VERY rich man if they were real. $1.6 BILLION so far over the past 2 years. I’ve decided that email from any lawyer or ‘government’ official that uses a Yahoo mail account or anything from Africa is truly bogus. ;-)

    Keep on with the good work!


  • Russ Edwards

    I also got the PayPal hoax. I did not open it. I’ve never dealt with
    PayPal so I knew it was fake and only wanted me to give them info.
    Fake PayPal and fake banks wanting
    me to update my info make me the maddest.

  • http://www.TalkTheirTongue.com John-hans melcher

    I too WAS caught! Savvy web man…me. Yup…Here’s what happened. I’m typing fast and getting much done on email…I’m in the mode. I see the Ebay link…click it in my efficient mode…then sign in…then WAIT! this is not an Ebay link. I raced to Ebay and changed my password within 60 seconds….

    they almost got me! So we can never let our guard down…even we fast typists. I was humbled to say the least.

    May your days be wise….like a man and not a ‘guy’. :-)


  • Bob Marconi

    One of the first things I do is mouse over the link and look at the address that shows up. Of course it’s never from PayPal. Off the the trash it goes.

    If I do suspect it is from PayPal, I log in directly, never from the provided link.

  • Larry

    I had the same thing happen as John-Hans. I got an email from an eBay buyer asking about an auction I had going. Problem was I didn’t HAVE any active auctions at the time. I missed all of the telltale signs and clicked on the link. I wasn’t signed on to eBay, so nothing came up and then I noticed that the ITEM number was completely off – not enough digits!
    I changed my password anyway just in case and nothing has happened since then. BUT…. I’m EXTREMELY careful about these phishing emails and this one just caught me since it sure looked legit.


  • Peter

    I have had a few dozen or so like that.As was mentioned,a dead give-away is the impersonal address and of course the link.
    When I’m curious, I check (in Thunderbird) View > Message Source.
    That will give you all the headers
    and more.
    After that I send it to
    If enough people do this,it may lead them to the culprits and possibly prosecute them.

  • Ruby


    That was close..I received a similar email except is was about a PayPal chargeback–get this I had a CC we canceled due to fraud and a few of my PayPal payments were caught in the cross-fire. So I thought maybe one had slipped through the cracks. The email looked a bit strange so I looked up the transaction number on PayPal and could not find it. I went back to the email and noticed that it didn’t include the payee’s name.

    I immediately forwarded the email to PayPal Spoof address.

    The question I have is this — how are these things getting so close to the real thing and so timely?

    Stay Safe……

  • Alan Wheatley

    Thanks for this, Dan

    In addition to the ‘Display Mail User’ agent’s evidence, I would find the ‘undisclosed recipients’ tag in to ‘To’ field rather suspicious.

    Sure, the department at the real PayPal might want to send a standard format message by e-mail using as much automation as possible, but ‘undisclosed recipients’ seems a little too low-tech and impersonal to me. The messages I get from you, by contrast, are addressed to ‘Alan Wheatley’.

    Warm regards

    Alan Wheatley
    London, England

  • William (Bill) Carew

    Morning: I use MailWasher for my “frontend” to my email and Pegasus is my email client.
    I am able to see/read the real
    destination hidden in a URL.
    It is fairly simple to pick out the phoney links.
    Of course, the best safety method to employ is to type in the proper address into your browser such as the PayPal one.
    Cheers… Bill
    Peterborough, Ont.

  • John Pulliam


    AS mentioned before, use the PayPal spoof email address (spoof@paypal.com) whenever you get an email you’re not sure of–of, if you’re really mad at the spammers and want to make life difficult for them. PayPal follows up on EVERY spoof forward they get (don’t forget to forward as an attachment, so they get EVERYTHING, including images and any attachments), and will usually let you know within 24 hours if the email was legit or not, and what action you need to take.

    eBay has a spoof email address, as well (spoof@ebay.com), and works the same way, with the same turnaround times.

    And, fyi: it was your newsletter that prompted me to find this info, because the FTC also has a spam forward email (spam@uce.gov) for the same purpose. I found the spoof emails for PayPal and eBay, and have been using them ever since.

    Keep up the good work, and please spread the word on these emails, they are necessary in the battle against spam.

    McKinney, TX

  • http://www.QuerkeyTurkey.blogspot.com Catmoves

    I have several email addresses, but Google seemed to get the most of these phishers. I had absolutely no trouble in NOT opening them and consigning them to limbo where I send spam.
    You see, I don’t even have a Paypal account.

  • Azhari

    Im in Australia and I receive it too. The basic clue when I clicked the link, the Secure-Lock icon did not appear. It look exactly like the legit PayPal. Phishing has no boundary in Internet!
    Good Work mate.

  • Graham Nelson

    Fire Trust’s SiteHound is worth a look for steering you away from rogue sites, and not just the phishers. Plus it allows you to report those you find yourself, too. I’ve been quite happy with it so far … and it works okay with Vista Home Premium!!! (Dig, dig, Mr Microsoft.)

    BTW, for phishers posing as from eBay or Paypal, just forward them as they are, with no comment required, to:

    spoof@ebay.com and spoof@paypal.com

    They then acknowledge receipt of the email and follow up to confirm if the contact was a phishing expedition.

  • Bill

    I have a Yahoo email account. Every day I am offered payments of $3M to $50M from various entities. 10 to 20 spam or phishing mails are delivered to me every day. Sometimes it pays to delete all of them unless you know the sender.

  • http://wsdstaff.edublogs.org/ Russ

    There seems to be a pattern here. I can not add anything different from what has already been said. Just this week, one of those came to my inbox.

  • Bruce

    I listen and heed warnings from guru’s like yourself and was not taken in by the PayPal phishing expedition. I did, however, forward it to PayPal so they could do something about it.

  • http://LarHawk.googlepages.com/home Larry Hawk

    Also if you receive anything from Papal, Eba, etc. before you open that email in Outlook Express check out..
    Message Source.
    This will show you where the email originated, and should give you a clear view if the email is valid. Also use Dan’s advise and check with your personal Papal account for messages before opening any suspicious emails

  • http://LarHawk.googlepages.com/home Larry Hawk

    I forgot to mention to send the message “source” (from Properties) to you ISP. My provider will hunt them down, and yours probably will too. We need to fight back, and this is the way.

Previous post:

Next post: