March 25, 2009

Big Phish

Filed under: General, Personal, Security — Jayx @ 5:44 pm

I received an email a little earlier, informing me that my PayPal account had been suspended because I have two credit cards on the same PayPal account. I was asked to click on a link and verify my account details. Smell phishy? Hell yeah! A quick peek at the properties of the email revealed some pretty irrelevant URLs – the same goes for the link you had to click.

Obviously I didn’t click it, because (a.) I have a PayPal account but cannot activate it because (b.) I don’t have a credit card … never mind two. Obviously a phishing scam!

From Wikipedia:

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites (YouTube, Facebook, MySpace, Windows Live Messenger), auction sites (eBay), online banks (Wells Fargo, Bank of America, Chase), online payment processors (PayPal), or IT Administrators (Yahoo, ISPs, corporate) are commonly used to lure the unsuspecting. Phishing is typically carried out by e-mail or instant messaging,[1] and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require skill to detect that the website is fake. Phishing is an example of social engineering techniques used to fool users,[2] and exploits the poor usability of current web security technologies.[3] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

The sad part is that a lot of people are not as security conscious as they should be where online matters are concerned. There are some simple steps to take if you suspect that a message is a phishing attempt or an attempt to load spyware onto your PC:

  1. Right-click the message in your Inbox listing (not in the body of the email) and click “Properties”, then the “Details” tab, to see the full headers. There will be a lot of gibberish, but the domain names should be obvious. Don’t stop at the “From” line: a sender can write anything there. Look at the “Return-Path” and the “Received” lines, which record the server that actually handed the mail over, and check that the domain there matches the claimed sender.
  2. Hover over the link that you’re meant to click (UNDER NO CIRCUMSTANCES ARE YOU TO CLICK IT UNTIL ABSOLUTELY CERTAIN IT IS LEGITIMATE!) – the address you are about to be taken to will appear in the status bar at the bottom (usually left). The visible link text proves nothing; only the destination does. Read the destination’s hostname from the right: the real owner is the last two labels, so a bank’s name followed by further labels before some other domain is that other domain, not the bank.
  3. If it is a phishing scam or you are uncertain – report it to the company/institution the mail is supposed to be from by forwarding them the message, preferably as an attachment so the headers survive; they’ll know what to do.
  4. Delete the message!

Most institutions have a security centre that deals with this type of thing (normally flagged as “Security Center” on their website). Go to their website and look for the security centre link – it should contain instructions on where to send suspicious correspondence. If it doesn’t – phone them, using the number printed on your card or statement, never one taken from the suspicious email.

It is important that these (suspected) scams are reported. Financial institutions can have the fake site taken down and warn their other customers, so you may help prevent others from falling victim to the scam.

Above all: USE YOUR COMMON SENSE!

  • If it sounds too good to be true, it probably is.
  • Banks and other financial institutions will (should) never ask you to verify sensitive details via email.
  • These guys are good … extremely good … and they will take what they can without being caught – you may lose your money or fall victim to identity theft with little or no recourse.
  • Stay vigilant – don’t be caught asleep.

I’d say “trust no-one” at this point, but that might be a little over the top.
