Yesterday, I fell for a phish. I provided sensitive personal and banking information to scammers, including bank account details and password information, responding to this fake PayPal email.
How could I be so stupid? I mean, I’m a fairly sophisticated Internet user and know well how scammers use legitimate-looking emails to mine for confidential information to clean out bank accounts and steal identities.
I was vulnerable.
This email arrived in my email box while I was on the phone with PayPal. The organization had restricted my account the day before because of concern about potential online fraud.
PayPal had concerns about some traffic and transactions in my account — and on review, there appears to have been a strange recurring draw of about $5.00 a month from some unknown Vietnam-based organization. Various online forms asked me to provide my photo ID (driver’s licence and passport) and one asked me to review and explain several recent transactions.
Undoubtedly, I felt frustrated about this limitation. We use PayPal for a diversity of transactions, and our account is a bit more complicated than most. Our business has U.S. and Canadian divisions, and I’ve associated the PayPal account with our U.S. bank. I had a significant imminent contract payment on the U.S. side.
PayPal’s client services work quite well, and the human on the other end of the phone said, once I provided the requested information, that everything appears in order and the account likely would be restored soon.
I hung up, to discover the phishing email, which, in the circumstances, seemed entirely legitimate.
My thought: They’ve already asked for more information, so this may be part of the validation process. I clicked on the phish link. The con-artists generated a legitimate-looking form asking questions that seemed in order in light of my recent experience (like minutes previously). There were some oddities, however. The form indicated things weren’t complete when I entered my full first name, and when I left a piece of information out that I didn’t have — related to some credit card verification data — the form didn’t bounce — it accepted the results.
Seconds after I clicked “send” on the fake information form, I thought — “Oh no — this doesn’t seem right.” I looked at the email again, and noticed that it didn’t actually link to PayPal.
Time for some urgent damage control. I changed my bank’s electronic password and called the U.S. bank, explaining the problem. The person who answered the phone arranged to replace my debit card. So far, there don’t seem to be any irregular transactions, and of course if the scammers try to use the password and account information I provided them, it will bounce.
So, I suppose I’m okay — a minor inconvenience (won’t be able to use my debit card for a while until the replacement card arrives) — but no great hardship.
I’m sure most people don’t fall for these scams, but every day, some do. And, as I’ve learned through a hard lesson, even smart people can be vulnerable in the right circumstances. Be careful.