PayPal Fraud: Phishy Business

Some customers of the popular PayPal online payment service were swindled recently after identity thieves used spam and phony websites to swipe their personal billing data and credit card numbers.

The PayPal scams and others like it point to the growing problem of identity theft on the Internet. The U.S. Federal Trade Commission reports that identity theft has been the top complaint registered in its Consumer Sentinel database for the past three years. And in July, Gartner said that in a survey of approximately 2,400 households, 3.4 percent of U.S. consumers had been victims of identity theft. Translation: More than 7 million consumers were victims of identity theft from June 2002 to June 2003.

The increased identity theft activity prompted the FTC, FBI, the National Consumers League and ISP EarthLink to publicly warn Internet users about the dangers of online identity theft scams. In particular, the groups pointed to the growing numbers of so-called “phisher” websites, which are designed to look exactly like legitimate Web addresses, such as Amazon.com, BestBuy.com and PayPal.com.

Customers of those sites are often lured by spam purporting to come from a customer support rep at the company. The e-mail messages provide Web links to the phisher sites and ask customers to update their account information, often threatening to cut off their accounts if they don’t.

When victims enter their information into forms provided on the phony sites, that information is sent to servers owned by the thieves, which are often located outside the United States.

Since the beginning of 2003, a number of high-profile companies have had their good names sullied by phisher e-mail scams, including Citibank NA and Best Buy.

CSOs can take steps to educate employees about such dangers. The FBI suggests the following tips:

• Exercise extreme caution when responding to unsolicited e-mail messages that ask you for personal, financial or identifying information, such as a Social Security number, account password or credit card number.
• Navigate to a company’s website yourself if you need to update account information, rather than following links to a site from an e-mail message or another website.
• Beware of sites that have long or odd-sounding domain names. Phisher sites often use legitimate-looking Internet addresses. For example: www.paypal-billingnetwork.net was the address of a recent phisher site targeting PayPal (www.paypal.com) customers.
• Report suspicious e-mail messages to your ISP, and contact the company in question if you have concerns about an e-mail message that you received.
• Contact your local police if you feel you’ve been victimized, and file a complaint with the FBI’s Internet Fraud Complaint Center at www.ifccfbi.gov.