Voice Phishing Hits PayPal

Chai Vanilla writes "The latest social engineering phishing attack is now using phones instead of fake web sites. Identity thieves have spammed fake PayPal account compromise warnings to lure users into dialing a phone number and giving up credit card information. Unlike normal phishing e-mails, there is no URL or response address. Instead, the e-mail urges the recipient to call a phone number and verify account details."
This discussion has been archived. No new comments can be posted.
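
The lure described in the summary carries no URL for a link filter to inspect, so a mail-side check has to look at the callback number instead. The following is an added example, not part of the original post or of any PayPal tooling: it flags a message that names a brand, urges a call, and gives a number the brand does not publish. The allowlist entry, the `.example` addresses and all three messages are constructed; only the 805 number is taken from the comments on this page.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed allowlist: numbers a brand publishes on its own site.
# 402-555-0100 is a placeholder, not PayPal's real number.
PUBLISHED_NUMBERS = {"paypal": {"4025550100"}}

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# North American numbers: optional +1/1 prefix, then 3-3-4 digits.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?([2-9]\d{2})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)
CALL_RE = re.compile(r"\b(?:call|dial|phone)\b", re.I)
LURE_RE = re.compile(
    r"\b(?:verify|confirm|compromised|suspended|limited|unauthori[sz]ed)\b", re.I
)


def analyze(raw: str) -> dict:
    """Return the signals found in one RFC 5322 message and a verdict."""
    msg = message_from_string(raw, policy=default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    haystack = f"{msg.get('From', '')}\n{text}".lower()

    # Which known brands does the message claim to speak for?
    brands = sorted(b for b in PUBLISHED_NUMBERS if b in haystack)
    # Normalise every phone number in subject/body to 10 digits.
    numbers = {"".join(m.groups()) for m in PHONE_RE.finditer(text)}
    published = set().union(*(PUBLISHED_NUMBERS[b] for b in brands))
    unlisted = sorted(numbers - published)

    suspicious = bool(
        brands and unlisted and CALL_RE.search(text) and LURE_RE.search(text)
    )
    return {
        "brands": brands,
        "urls": len(URL_RE.findall(text)),  # what a link filter would see
        "unlisted_numbers": unlisted,
        "verdict": "callback-phish" if suspicious else "no-callback-lure",
    }


# Constructed message modelled on the lure in the summary: no URL at all.
VISHING = """\
From: PayPal Security <service@paypal.example>
Subject: Account Verification

We have reason to believe your account has been compromised.
Please call 1-805-214-4801 to verify your account details.
"""

# Constructed message that uses the (placeholder) published number.
LEGIT = """\
From: PayPal <service@paypal.example>
Subject: Your monthly statement

Your statement is ready. Questions? Call us at (402) 555-0100.
"""

# Constructed classic phish: a link, no phone number.
URL_PHISH = """\
From: PayPal <service@paypal.example>
Subject: Account limited

Your account is limited. Verify it at http://paypal.example.invalid/login
"""

if __name__ == "__main__":
    for name, raw in [("vishing", VISHING), ("legit", LEGIT), ("url", URL_PHISH)]:
        print(name, analyze(raw))
```

The URL-only message is left to whatever link filtering already exists; this check covers only the callback case.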

  • Traceability? (Score:5, Insightful)

    by celardore (844933) on Saturday July 08, 2006 @12:30PM (#15683482)
    Isn't this more traceable than just clicking on some IP in Russia? If I got an email asking me to phone any company, I'd be first looking for a landline. If it was a scam why couldn't I just call the phone company, give them the number and then they'd be able to trace it to an address or person?
    • Not in the VoIP era (Score:4, Interesting)

      by Andy Dodd (701) <atd7@c[ ]ell.edu ['orn' in gap]> on Saturday July 08, 2006 @12:37PM (#15683510) Homepage
      There are now plenty of companies (such as StanaPhone) that provide a free DID, all you need to do is register with them. Their business model is that they make money on outgoing calls, but most of them don't require payment until you actually decide to make such a call.
      • The numbers these companies provide will cause calls to be sent via VoIP to a computer or analog telephone adapter anywhere in the world. In this case, the number could be in California but you might in the end be connecting to a machine running Asterisk in Russia.
    • Re:Traceability? (Score:5, Informative)

      by this great guy (922511) on Saturday July 08, 2006 @12:46PM (#15683551)

      Haha ! Welcome to the world of Phreaking [wikipedia.org]... You might not know it but the telephone network is as easily hackable, vulnerable and exploitable as the Internet is today. Good luck tracing the bad guy who impersonated your credit card company you supposedly called on 1-800-XXX-YYYY, when he might have penetrated voicemail systems, set up temporary forwarding, hacked telephone switches, etc...

      • Re:Traceability? (Score:5, Informative)

        by Keruo (771880) on Saturday July 08, 2006 @01:05PM (#15683636)
        err.. 1980s called? Analogic phone networks are history in most places today. In order to hack the digital circuit switched phone networks used today, you'd need little more than a whistle and a tape recorder. Digital networks use physically separated medium for call control and signalling, and you won't get access to that medium without crowbar and selected location to crack at. And those locations are usually monitored 24/7.
        • Well the thing is :) usually ID theft phreaking in this day and age relies on simple 'human error' like misconfigured voicemails etc., to enable 'harder to trace' routing. But with the technology that's available, it takes about 10 minutes from the time a number is identified as a 'phishing' scam to the time it takes to completely secure any assets stolen.

          I know there have been articles about peer based communities who harvest all these scam mails by posing as idiots on the internet, and allow authorities to q
        • Re:Traceability? (Score:4, Informative)

          by FireFury03 (653718) <slashdot@nex[ ]k.org ['usu' in gap]> on Saturday July 08, 2006 @01:29PM (#15683722) Homepage
          Digital networks use physically separated medium for call control and signalling, and you won't get access to that medium without crowbar and selected location to crack at. And those locations are usually monitored 24/7.

          The SS7 network is certainly not built with security in mind - once you've gained access to a system connected to the SS7 net you've got a pretty free rein. Pretty much any large VoIP gateway will have an SS7 connection on one side and an internet connection on the other so crack one of them and you're sorted. Not to mention all the SIGTRAN enabled equipment that some moron has decided to plug into an unfirewalled internet connection.

          That said, I suspect the worst you'd be able to do is spoof a few calls, send a few SMS messages and add a few records to the billing systems.

          Besides, there are much easier ways of getting an anonymous DDI - just use one of the many PSTN->SIP gateways.
        • If the computers that run the phone system are built and run by fallible humans, they can be cracked. Even if only by social engineering or bribing a Telecom employee. Remember Jurassic Park? They had all the latest technology, but the coder was bribed by another company.

          Security is a process. There are always other ways than cracking to subvert it.
    • cause they could get sued for invasion of privacy by the scammer.

      So in the end it's a win win for the scammer :P
    • Sure it's traceable, right back to the voice mail they hacked because it had a default password, which rerouted it to some numbered account in some country where the officials are all too happy to allow a few transactions slip past.

      Fortunately, the time of trace to the time of shutting down those accounts is limited only by the proactive reporting of such fraud by end users. So usually, it should only take a few minutes to shut down the assets of such an account. A scammer would need ungodly luck to keep an
      • correction, sorry, you need luck far greater than luck herself can provide, with various community oriented projects to harvest, examine, and report fraudulent e-mail spam to the 'correct' authorities using peer to peer software :)

        It's awesome technology, and it's the reason why phishing and identity theft accounts are frozen and almost 99% of all stolen funds are recovered.
      • Re:Passwords (Score:3, Interesting)

        by tomhudson (43916)

        One guy up here was convicted for "hacking" into the local police squad's voicemail system.

        Everyone's password was (and I'm not making this up, and it's NOT a Spaceballs reference) "1" "2" "3" "4" "5"

        For months he listened into all sorts of messages for the detectives, including from informants, wives and girlfriends (nice to be able to blackmail a cop by threatening to tell his wife about his action on the side), etc.

        You KNOW most systems have an easy password (or still have the default password).

        C

    • Re:Traceability? (Score:3, Informative)

      by SeaFox (739806)

      If it was a scam why couldn't I just call the phone company, give them the number and then they'd be able to trace it to an address or person?

      You think the phone company would just tell you who a line belonged to if you called them up?
      Nope. Even if the other party is calling you and harassing you repeatedly you would have to file a police report and get the information subpoenaed. The telco doesn't want to be named in any lawsuit if someone goes vigilante after getting the info.

      You can use reverse di

      • Re:Traceability? (Score:4, Insightful)

        by vux984 (928602) on Saturday July 08, 2006 @02:15PM (#15683918)
        You think the phone company would just tell you who a line belonged to if you called them up?

        You've got to admit it *seems* reasonable. After all they handed over the information on every call made in the country to the government without even blinking. Why not tell a customer about one little number? ;)
        • Why not tell a customer about one little number? ;)

          Because you can't pardon them for anything they might do illegally in helping you. The President can.

      • You think the phone company would just tell you who a line belonged to if you called them up?

        You can use reverse directories online and such, but that assumes the number is publicly listed.


        I know, seriously... If you want that kind of data you have to give them some money first.

        Of course, if you do give them some money, they'll give you just about anything you want.
      • You think the phone company would just tell you who a line belonged to if you called them up?

        Actually, if you're using Sprint, they've even got an automated system to do it for you! [boingboing.net]

  • Easier to track? (Score:2, Redundant)

    by nurb432 (527695)
    Wouldn't having a phone to trace be more effective in catching them than a 'blind' and easily hidden behind webpage??
  • by canavan (14778) on Saturday July 08, 2006 @12:37PM (#15683511)
    I've gotten that phishing mail yesterday, and called the number (1-805-214-4801) immediately. The system's recordings were chopped and barely intelligible, and I was prompted to enter "my 16 digit credit card number" (which was indeed verified to at least follow the basic rules of correctness or be rejected), and its expiry date, but nothing like a name or even the PayPal account data.

    Where can one complain about such fraudulent 1-8xx numbers to get them shut down? Additionally, how much does calling a 1-805 cost in the US, and is any part of the cost passed to the operator?
    • by Anonymous Coward on Saturday July 08, 2006 @12:46PM (#15683553)
      805 is Bakersfield, California, USA. You're charged whatever your long distance carrier feels like. If you go to the FBI website, you'll find that there's a link to file an Internet crime complaint. The link is here: http://www.ic3.gov/ [ic3.gov]
    • I don't believe that 805 is a toll-free number. IIRC, inbound WATS lines are 800, 888, 877, and 866.

      From 411.com reverse lookup:

      (805) 214-4801 is a land line based in Newbury Park, CA
      The registered service provider is Pacific Bell**.
      Detailed listing information is not available.

      **Due to number portability, some numbers have been transferred to a new service provider
    • Let's be honest here, you were scammed but why? What was it in the e-mail that immediately sent you to the telephone ready to hand over your credit card number. Why did you not check the PayPal site for any confirmation or even just to check the number in question.

      Did you check the email headers, were they faked?

      You now know that you've been had and that it was stupid, you are, judging from your ID, a fairly recent slashdot user but the mere fact that you are here probably means you have heard about phishing

      • He didn't say he was scammed, just that he called the number to see what was going on because he was curious. At least, that's how I read it.

        Besides, paranoia is not required, 24/7 or otherwise. It's very simple ... if someone or something contacts you asking for private information ... DON'T GIVE IT. PERIOD! Legitimate organizations just simply don't DO things like this, so any contact you receive that claims to be from such an organization is almost certainly fraudulent. I've had banks and credit cards
        • That is not true, banks over here (UK) do phone you up and ask for personal information for security reasons because they cannot discuss your account due to data protection laws.

          This is how a usual phone call goes:
          Bank: Good afternoon, I'm calling from Abc123 Bank, please can you confirm your date of birth and address.
          Me: Err, are you kidding. Which department are you in and what's your name and I'll call you back.
          Bank: I'm sorry, I can't go any further unless you confirm your date of birth and address.
          Me:
          • That is not true, banks over here (UK) do phone you up and ask for personal information for security reasons because they cannot discuss your account due to data protection laws.

            That's an absurd system, and UK banking regulators should be ashamed. To require a bank to behave in the same fashion as identity thieves is a gigantic and wholly unnecessary risk.

            Back here in civilization, we have these things called "passcodes." We also have a setup where the bank gives *you* a password which they'll replace on
            • Happens in Canada, too. Just this past week I had my bank call me to discuss "important banking information" with me, and asked for my mailing address, postal code and date of birth. They've called me before, and asked for different information. I used to work for this bank, and I know why they do it - because the person they reach may know some information about someone, but not all. So they're supposed to mix it up a little. Make it hard to predict what info the bank will ask for.

              When I told the g
          • Well, I live in the U.S. and I agree, anything can happen. What you're talking about is social engineering and it does happen on a regular basis. But the discussion was about remotely duping individuals into voluntarily relinquishing their personal info. What you say is true, people do scam banks directly, and there is very little you, as a bank customer, can do to protect yourself in that regard. On the other hand, there is a difference between some unknown entity initiating contact via phone or email and
      • by canavan (14778)

        Let's be honest here, you were scammed but why? What was it in the e-mail that immediately sent you to the telephone ready to hand over your credit card number.

        No, I wasn't scammed. Which part of my posting misled you into believing that I could possibly have entered my real credit card number?

        You now know that you've been had and that it was stupid, you are, judging from your ID, a fairly recent slashdot user but the mere fact that you are here probably means you have heard about phishing scams before especial

    • "The number you have dialed has been disconnected, or is no longer in service." It's gone. Skype seems to be saying Pooh Bear after the call ends though.
    • I got one this morning. 1-530-204-6800 - google tells me it's based in Sacramento, CA. Didn't call them, but I'm tempted to just to see what's on the other end. I'm wondering if these aren't just like those free voicemail services. I have a free voicemail number set up on an area code that points to, IIRC, Tacoma, WA. Takes faxes and voice calls, incoming only. I set up the outgoing message, and when someone calls, the message they leave is forwarded to an email address - for me, Gmail. Now, I've ne
      • I got that one too this morning. It traces to 01 Communications in Davis California. When I contacted them they told me the 6000 block is owned by CommPartners California. - the number is a VoIP number. Sent an email to them and the Davis police.

        The only way to get rid of these scams is for everyone to report them to the phone company or service provider they are associated to.

        • I'm rather ignorant in such matters - how did you trace that number to 01 Communications? If these types of scams take off, it would probably come in handy to know how to do that. Was it just a 'call the phone company and ask' sort of thing?
          • I'm rather ignorant in such matters - how did you trace that number to 01 Communications? If these types of scams take off, it would probably come in handy to know how to do that. Was it just a 'call the phone company and ask' sort of thing?

            I just used a free reverse phone lookup. Just type that phrase into Google and it'll come up with several services. I always check several sources to make sure they come up with the same info.

            Once I got the main provider and their location, an email to their abuse d

    • Sweet, so anybody try calling that and giving it random numbers?
    • I got it yesterday myself. The area code was 503, which is Northern California (Chico, Redding, Truckee, etc.) I assume all these numbers are forwarded to a central location though. It's unlikely that many people had this idea simultaneously.
  • not surprising (Score:5, Interesting)

    by v1 (525388) on Saturday July 08, 2006 @12:40PM (#15683522) Homepage Journal

    There's a small degree of higher risk, but if you get a new disposable cell phone every three days and move around all day you'd be a hard mark to hit.

    Too many people are now aware of the "don't click the link" aspect of phishing, but I'm sure there are still plenty of suckers that assume if they have your phone number you must be legit. I would not be surprised if they find a way to do this through US Mail in a way that hides their identity.

    It would be interesting if one day, to get such an online account set up, they make you pass a short test, where they give you ten examples of people asking for your account information in various ways, and you have to answer "give them the information" or "report the incident to phishing.ebay.com". Anyone that answers "give them the information" on any of the questions doesn't get an account.

    I wager that alone would eliminate 80% of successful phishes.
    • I live in Iowa. In the state of Iowa, to get a driver's license, you must pass driver's education.

      I would dearly love to have a high-school level course in computer usage, which would be required for anyone to connect to the Internet. Not going to happen, I know...

      Maybe just make it a part of the general education requirements?

      Most people think I'm a snobbish bastard, like every other Linux user. Which is true, to some extent. But I do believe we have a right to call people stupid when they do things li
      • by stonecypher (118140) <stonecypher&gmail,com> on Saturday July 08, 2006 @04:47PM (#15684454) Homepage Journal
        But I do believe we have a right to call people stupid when they do things like fall for a PayPal scam, buy from spam, send important (highly confidential!) information over email, refuse to apply patches (or not know how), and so on, and so on.

        Did you know that 85% of dead televisions just have a blown fuse? Did you know the $120 transmission fluid replacement at Jiffy Lube is a twelve dollar bottle of green grease, and the opening and closing of one valve? Did you know that almost everything a plumber ever actually does is run a drain snake and a plunger?

        I mean, we have Sex education, we have Driver's education, I don't think it's unreasonable that we know the computer equivalent of wearing a condom, stopping at red lights, buckling your seatbelt...

        Here's the difference: one costs people their lives, the other costs them an hour at the local computer shop. I don't think it's unreasonable that we know how to maintain appliances; nonetheless, nobody requires it, because that's batshit retarded.

        Most people think I'm a snobbish bastard, like every other Linux user.

        It's got nothing to do with your being a Linux user. It's because you're condescending and because you can't fathom that some people don't have the time or the desire to learn to maintain their computers. Believe it or not, some people have better things to do with their lives.

        Next time you pull into a jiffy lube, call a repair person, go to a barber shop, buy art tools, purchase clothes or engage in any service activity whatsoever, please remember that that's something you could learn to do and then spend your life doing, just like a seventy year old woman could spend a year reading tech sites and manuals and getting up to speed on jargon.

        Guess what? You don't want to either. You're just too dense to tell the difference.
        • And the jargon changes every few years, so older/non-tech folk become even *more* confused.

          I am one of the last of a dying breed; a draftsman that can take a clean sheet of paper and make it worth something using not much more than a pencil, straightedge and a piece of string.

          Today, CAD operators need tens of thousands of dollars in hardware and software just to get started. Leonardo must be rolling in his grave.
        • It's because you're condescending and because you can't fathom that some people don't have the time or the desire to learn to maintain their computers.

          If people don't take the time to learn to maintain their car the engine will eventually lock up on them. I can't change my own oil (well I probably could if I felt like reading up on it, I don't want to though) but I know how often it's supposed to be changed and take my car to someone to have it changed for me at the appropriate times. I didn't have to

    • It's not too hard to avoid this. Don't give them any information, hang up, go to the dern intarnet or your phone book and look up their customer service number and call that number back. If they say, "we don't know what you are talking about" then it is a scam. I recently spent 20 minutes on a phone call from a recruiter who was looking to fill a contract position for a major bank. That means they want background and credit checks. He wanted a SS number. I recognized his firm's name and I told him send
    • "I wager that alone would eliminate 80% of successful phishes."


      And, not so incidentally, 80% of PayPal's customers.
    • It would be interesting if one day, to get such an online account set up, they make you pass a short test, where they give you ten examples of people asking for your account information in various ways, and you have to answer "give them the information" or "report the incident to phishing.ebay.com". Anyone that answers "give them the information" on any of the questions doesn't get an account.

      Why should ebay care? They don't bear the cost of phishing, you do.
      • Why should ebay care? They don't bear the cost of phishing, you do.

        Nonsense. I've had someone attempt to take advantage of me through PayPal, and PayPal ate the cost. Know why? Because I actually read their instructions and followed the steps I'm required to follow in order to protect myself. The only people who bear the cost of phishing are the people who refuse to follow PayPal's protection rules. That you can't tell why they're the only ones you hear from is honestly pretty naïve.
  • I haven't heard of any sting operations for hitting the phishers... Considering the anonymous and random nature of the phishing scams and ease with which you can attract a phishing email, you could send an email from a newly created email account back to the phisher without them realizing this wasn't one of the addresses they phished, and could arrange for a carefully monitored and traceable transaction to take place, to track down the phisher. ("follow the money" principle) Why don't we see more of this
    • The first time someone tried to phish me on paypal via email, I notified the FBI and explained how easy it would be to sting them.
      • And it's very likely they smiled through the phone, nodded, agreed with you, and then filed your report in the circular bin.
        • Based, of course, on your deep familiarity with FBI procedures, which is why you correctly pointed out that the FBI isn't even the right bureau for this. Announcing your own guesses as probable outcomes just makes you look dense. Learn from this.
    • I haven't heard of any sting operations for hitting the phishers...

      Then you're apparently not listening [google.com]. Why is it that stupid people think that just because they haven't heard about something means it isn't going on? You haven't heard about the new fashions in Milan. Does that mean fashion doesn't exist either? Or, Milan?
    • One of the things I do sometimes when I get these "enter your credit card for verification" phishers, I deliberately go to their "paypal" site, then enter as much bogus info as I can: "First Name: Yougotta." Last Name: Beshittinme", and so on and so on. CC #s are all 0, of course. I figure if they went to the trouble to try to piss me off, I should go to as much trouble to amuse myself with their failures.

  • by Buran (150348) on Saturday July 08, 2006 @12:49PM (#15683565)
    What I find funny about this is that it's spoofs supposedly sent by a company notoriously hard to contact by phone. Anyone who has ever tried to contact Paypal about anything would know this. (Of course, the average user doesn't, which is probably what they count on).
    • Maybe they're counting on you thinking it's legit after you can't check it against the phone number on the website.
      • I got one of these and did some Google searching on some of the phrases used in the e-mail. After I got no hits, I searched for the phone number. No hits. So I searched Google for "Paypal Phone Number". The first hit is to a faq [paypal.com] explaining to go to the Help Center. Clicking there, you find a link which takes you to their phone number, which happened to be in a different area code than the number I was sent via the phishing e-mail.

        So it actually isn't all that hard to get a phone number for Paypal. For
    • What I find funny about this is that it's spoofs supposedly sent by a company notoriously hard to contact by phone. Anyone who has ever tried to contact Paypal about anything would know this. (Of course, the average user doesn't, which is probably what they count on).

      It is trivially easy to contact PayPal by phone. I had a harder time reaching Sony than I did PayPal.

      The first google hit for phone number site:paypal.com leads to a help page with a link. That link points to a second help page with the phone
      • If you are going to call me dumb for trusting the hundreds of complaints I've seen online that Paypal makes its contact information hard to find, then you are a fucking asshole. It's so easy to slam other people, isn't it, when you're hiding behind that anonymous user name? You wouldn't call me stupid if you actually knew me, unless trusting other people is stupid now.

        Things change, and apparently this is one of them, but the fact that people on the Internet can be assholes when completely uncalled for h
        • If you are going to call me dumb for trusting the hundreds of complaints I've seen online that Paypal makes its contact information hard to find, then you are a fucking asshole.

          No, I'm calling you dumb for announcing something you don't know as fact. There's a pretty big difference.

          It's so easy to slam other people, isn't it

          Yes. Like, one could call someone a fucking asshole for pointing out their stupidity. The difference between you doing it and my doing it is that I am pointing out you spreading di
        • Face it, you got p0wned. That's what you get for repeating something you heard on the internet as a fact. Resorting to profanity only proves he was right about you.
    • What I find funny about this is that it's spoofs supposedly sent by a company notoriously hard to contact by phone. Anyone who has ever tried to contact Paypal about anything would know this. (Of course, the average user doesn't, which is probably what they count on).

      But my first thought was how easy this would be to implement because of it being common for credit card companies to ask for CC numbers, and in fact just today I called my gas company because I didn't get/can't find this month's bill, and they
  • Paypal is just one of many. Do you really need the hassle if they're being targeted?

    Perhaps losing customers might encourage companies to start signing official emails.

     
    • Perhaps losing customers might encourage companies to start signing official emails.

      AFAIK PayPal say they will never send you an email, so I'm not sure how signing the non-existent emails is going to help. Do you really think the average victim of a phishing scam is going to check the signature?
      • Then we may get email clients which automatically check the signatures and say yup, this is a real valid email. It's entirely possible, perfectly automatable and I think quite a reasonable expectation of email software.

         
    • Would it make a difference, really? I don't think Paypal sends any official emails anymore, and I don't think the average user knows how to check signatures. I agree, companies should sign official emails, but unless you've got a suggestion of someone who does, I don't see the harm in sticking with PayPal.
  • "Latest" attack? (Score:5, Informative)

    by Beryllium Sphere(tm) (193358) on Saturday July 08, 2006 @12:51PM (#15683576) Homepage Journal
    This goes back to decades before the Internet.

    [ring, ring]Hello? Hello, is this $TRUSTINGSENIORCITIZEN? I have wonderful news! Congratulations, you have just won a diamond ring in our marketing lottery! There are some shipping and insurance fees, so if you'll just give me your credit card number...".

    Law enforcement and consumer groups said over and over not to give out sensitive information unless you placed the call yourself, which is really the same advice as "don't click on the link" if you think about it.
    • Law enforcement and consumer groups said over and over not to give out sensitive information unless you placed the call yourself

      Unfortunately many companies assume that people will ignore this advice anyway - I have been phoned before now by my cellphone provider who ask me to authenticate myself by giving them my passphrase and date of birth when I pick up the call. Of course I refuse since there's no way for me to authenticate them first - and that leaves them a bit stumped.
      • Re:"Latest" attack? (Score:2, Interesting)

        by beebware (149208)
        I've had my (now ex)-bank's anti-fraud system automatically call me. "This is an automated telephone call from Lloyds TSB for Mr xxxxxx. To confirm you are the card holder, please enter in your 16 digit card number." Needless to say, I hung up and called the number printed on the back of my card. I asked the person what it was about and then asked if they would have entered their number onto an automated system that randomly called them - nope(!)
      • Of course I refuse since there's no way for me to authenticate them first - and that leaves them a bit stumped.

        Generally the easiest way to handle this is as follows:

        "Yeah, I'd love to, but I don't give out personal data to incoming calls. If you'll give me your extension, I will happily call the 1-800 number on my card and ask to be transferred back to you, at which point I will know you really are an officer of the bank and give the information requested. Thanks for understanding."

        Bank officers understa
  • How long before eBay (who own PayPal) start a rumor that Google Checkout is behind this?
  • Woah, timely! (Score:4, Interesting)

    by Kid Zero (4866) on Saturday July 08, 2006 @01:59PM (#15683852) Homepage Journal
    Just got mine in the email this morning.

    (530) 204-6800 is a land line based in Davis, CA
    The registered service provider is 01 Communications**.
    Detailed listing information is not available.

  • by fprintf (82740) on Saturday July 08, 2006 @02:34PM (#15684003) Journal
    I got one yesterday I must say it sounded really compelling. I checked the headers and my initial newbie glance was that none of the URLs were immediately noticeable as faked. Upon second glance I could see some warning messages about mismatching IP addresses.

    Regardless of the technicalities, because it didn't have the usual telltale signs it really made me wonder. I then checked into my account the usual way, noticed nothing was wrong and then forwarded the email to spoof@paypal.com, receiving a reply this morning that it was indeed a phishing attempt.

    The thing is, on this site we always talk about how clueless people are, and I have participated myself on occasion. But after talking with my wife and in-laws yesterday I realize how *easy* it is to dupe 95% of the computer using population using these tactics. These are people that are educated, smart and generally not clueless in life... but when it comes to computers they are. I had to explain to my sister-in-law why my brother-in-law was receiving Cialis/Viagra emails shortly after posting their clean (well, it was) email address on petfinder.com. My point is, it may seem like there is a low percentage of willing responders to a phone phishing attempt, but I can say from my observation that this new technique should be more successful than ever!

    I just wonder isn't it really easy to trace phone numbers?
  • Wait, it asks you to call a long distance number? Any self-respecting company nowadays has an 800 number for you to call. PayPal HAS an 800 number printed on their webpage somewhere, I don't understand how people can actually fall for this. Anyone with half a brain would go "A long distance number? what kind of BS is this?"

    Even in today's day-and-age of Free Long Distance service via VOIP and Wireless carriers, 800 numbers are still quite popular, even small businesses that do business over the interne
    • Any self-respecting company nowadays has an 800 number for you to call. PayPal HAS an 800 number printed on their webpage somewhere

      No, they don't. PayPal's customer service number is in area code 402 [paypal.com]. Please don't make statements without verifying them first.

      Anyone with half a brain would go "A long distance number? what kind of BS is this?"

      I guess that means you have half a brain, then.
  • Catch 22? (Score:2, Interesting)

    by wbean (222522)
    The other day I got an automated call from a credit card company asking me to call an 800 number to review account details. When I called I was in the voice-mail system that sounded like the company but without any explanation of what I was to do. When I finally managed to get to an operator she wouldn't discuss the matter with me without the last four digits of my social security number, and I wouldn't give her those. So there we were, she didn't know who I was and I didn't know who she was. I got thro
  • Sample (Score:4, Informative)

    by Faux_Pseudo (141152) <Faux.Pseudo@gmailREDHAT.com minus distro> on Saturday July 08, 2006 @08:33PM (#15685174) Homepage
    I got one of these. Here is a copy of it:
    PayPal
    Account Verification
    Dear $email_addres
    You have received this email because we have strong reason to belive that your
    PayPal account had been recently compromised. In order to prevent any fraudulent
    activity from occurring we are required to open an investigation into this matter.

    If your Credit/Debit Card on file is not updated within the next 48 hours, then will
    assume this account is fraudulent and will be suspended. We apologise for this
    inconvenience, but the purpose of this verification is to ensure that your PayPal
    account has not fraudulently used and to combat fraud attempts.

    To speed up the process, you are required to call us ($phone_number) to verify your
    PayPal account.

    We apologise in advance for any inconvenience this may cause you and we would like
    to thank you for cooperation as we review this matter.

    Regards,
    PayPal Account Verification.
    Copyright (c) 1999-2006 PayPal. All rights reserved.
    --
    Please do not reply to this e-mail. Mail sent to this address cannot be answered.
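
The lure quoted in the comment above shows the traits the story describes: a callback number, a deadline, and no URL for a link filter to inspect. An added example (not from any poster and not PayPal's own tooling) of a mail-filter heuristic that scores those traits; the regexes, the scoring, and the constructed sample with its placeholder 555 number are assumptions.

```python
import re

# Constructed sample modeled on the lure quoted above. The number is a
# placeholder from the fictional 555-01xx range, not one from the thread.
SAMPLE = """Dear customer,
We have strong reason to believe that your PayPal account had been recently
compromised. If your Credit/Debit Card on file is not updated within the next
48 hours, this account will be suspended.
You are required to call us (555) 555-0123 to verify your PayPal account.
Please do not reply to this e-mail."""

# North American numbers in common written forms, with optional +1 prefix.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b")
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
PRESSURE_RE = re.compile(
    r"within the next \d+ hours|suspended|compromised|verify your", re.I)
CALL_RE = re.compile(r"\bcall (?:us|this number|the number)\b", re.I)

def assess(body, known_numbers):
    """Return (score, reasons) for a plain-text message body.

    known_numbers: 10-digit strings the recipient obtained independently,
    for example typed in from the company's official site.
    """
    reasons = []
    phones = {"".join(m.groups()) for m in PHONE_RE.finditer(body)}
    unknown = sorted(phones - set(known_numbers))
    if unknown:
        reasons.append("unverified callback number: " + ", ".join(unknown))
    if CALL_RE.search(body):
        reasons.append("asks the recipient to call")
    if PRESSURE_RE.search(body):
        reasons.append("deadline or account-threat wording")
    if phones and not URL_RE.search(body):
        reasons.append("phone number but no URL, so link filters see nothing")
    if re.search(r"do not reply", body, re.I):
        reasons.append("reply channel disabled")
    return len(reasons), reasons

if __name__ == "__main__":
    score, reasons = assess(SAMPLE, known_numbers=set())
    print(score)
    for reason in reasons:
        print(" -", reason)
```
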

  • If it's PayPal, eBay, or hell any company that you "supposedly" get an e-mail from with a phone number to call. Don't call it. Go to the company's OFFICIAL site (actually type in the URL, no links), get that phone number and call it if you're not sure. That way you know it's valid. Most customer service reps will completely understand about phishing so you shouldn't get made fun of, criticized, or anything. The few times I checked, the service reps were very understanding simply said something along the
