John C. Kirk (johnckirk) wrote,

Screening for gullibility

I've received a few variations on the following message, claiming to be from PayPal:

Dear PayPal Customer,

You have added as a new email address for your Paypal account.

If you did not authorize this change, check with family members and others who may have access to your account first. If you still feel that an unauthorized person has changed your email, click on restore account PayPal and follow the next steps.

Restore Account PayPal

NOTE: For security reasons, we will record your ip-address, the date and time, Deliberate wrong inputs are criminally pursued and indicated.

Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

If you choose to ignore our request, you leave us no choice but to temporary suspend your account.

Sincerely, PayPal Account Review Department.

Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your PayPal account and choose the "Help" link in the footer of any page.

Unsurprisingly, this is a fake "phishing" message. Aside from the poor English, I always hover over links before I click them, and I could see that this didn't go to the real PayPal website. (I've removed the dodgy link to stop anyone clicking it by mistake.) Also, it gets "SFAIL" status from an SPF check, i.e. the email wasn't sent from one of PayPal's mail servers.
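One way to automate the two checks described above (comparing a link's visible text with where it really points, and reading the SPF verdict from the headers), as an added example that is not part of the original post; the message headers, addresses, IP and link URL are constructed stand-ins, and mx.example.net is an assumed receiving mail server:

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not the real mail): SPF softfail plus a "restore" link off-domain.
RAW_MESSAGE = """\
Received-SPF: softfail (mx.example.net: domain of paypal.com does not designate 203.0.113.7 as permitted sender)
From: PayPal <service@paypal.com>
To: victim@example.net
Subject: You have added a new email address
Content-Type: text/html

<p>If you still feel that an unauthorized person has changed your email, click on <a href="http://account-restore.example.invalid/login">Restore Account PayPal</a>.</p>
<p><a href="https://www.paypal.com/help">Help</a></p>
"""

class LinkCollector(HTMLParser):
    # Collects (visible text, href) pairs: what hovering over each link would reveal.
    def __init__(self):
        super().__init__()
        self.links = []
        self._href, self._text = None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def spf_result(raw):
    """SPF verdict ('pass', 'softfail', 'fail', ...) from the Received-SPF header."""
    header = email.message_from_string(raw, policy=policy.default).get("Received-SPF", "")
    return header.split(None, 1)[0].lower() if header else "none"

def suspicious_links(raw, expected_domain="paypal.com"):
    """Links whose real host is neither the expected domain nor a subdomain of it."""
    msg = email.message_from_string(raw, policy=policy.default)
    parser = LinkCollector()
    parser.feed(msg.get_content())
    bad = []
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host != expected_domain and not host.endswith("." + expected_domain):
            bad.append((text, href))
    return bad
```

Anything other than "pass" from spf_result, or a non-empty list from suspicious_links, is the same signal the post describes: the mail did not come from the claimed sender's servers, or a link's text does not match its destination.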

However, suppose that I did believe that this was a real message from PayPal. It still doesn't make sense! They initially say that I should log in if "an unauthorized person has changed your email", which implies that I don't need to do anything if this was a legitimate change. They later say that they'll suspend my account if I ignore this message, but that would be rather harsh if I had actually added the new email address myself. In actual fact, the spammers know that this is a fake email address (because they made it up), but the real PayPal wouldn't know that, so the spammers are sabotaging their own attempt by relying on that knowledge.

I assumed that this was just incompetence on their part, but Microsoft Research have a different theory (link via The Old New Thing). That specifically applies to Nigerian scams, but the premise may apply here too. Basically, the scammers don't want to waste time making contact with people who will get suspicious, so they want to pre-select the people who are so gullible that they'll ignore all warning signs (e.g. glaring contradictions). I haven't read the whole research paper yet (since it's 14 pages of maths), but it's an interesting idea.
Tags: scam, spam
