14 August 2013

Fake PayPal order confirmations

Subscribers should be aware of long-running phishing scams targeting customers of secure payment services, such as PayPal.

Payment services are obvious targets for scammers, and phishing is a relatively simple but effective method of reaching potential victims.

Phishing emails can be quickly rewritten to suit current events, changing circumstances or a particular organisation’s customers, and sent in bulk (as spam) to thousands, or hundreds of thousands, of email addresses. Only a tiny percentage of recipients need to fall for the attack to make it worthwhile.

Examples of phishing messages targeting payment services, such as fake PayPal payment notifications, are common, and are regularly revised, adapted and recirculated. They play on your fear of being scammed, and often mimic official security information from the payment vendor.

In the example provided below, the message poses as an order confirmation for a payment to the Skype communications service.

You sent a payment of 138.00 AUD to Skype
To see all the transaction details, log in to your PayPal account.
It may take a few moments for this transaction to appear in your account.
Merchant Skype
Instructions to merchant
You haven't entered any instructions.
Shipping address – Unconfirmed
Australia – Melbourne
Postage details
The seller hasn't provided any postage details yet.
Description            Unit price   Qty   Amount
3 month subscription   138.00 AUD   1     138.00 AUD
Subtotal                                  138.00 AUD
Total                                     138.00 AUD
Payment                                   138.00 AUD
Payment sent to Skype.

Issues with this transaction?
If you haven't authorized this charge, follow this link now and get a full refund.

This example featured a fake link purporting to offer a full refund if the transaction was unauthorised. Clicking the link would take you to a fake website that asked you to enter your PayPal credentials, which the scammer then collects.

Other examples of this kind of phishing email may include additional information designed to create the impression they are authentic, such as your geographical location or company colours and logos.

Stolen credentials are commonly used for online purchases or for transferring money to the scammer’s account, or are simply sold on to others.

Growth of phishing

Phishing continues to be a problem because it continues to be effective. Scams such as this often play on our natural curiosity and suspicion. The ‘human factor’ also means that an attack can bypass even the best security software.

In June, security vendor Kaspersky Lab reported that 37.3 million internet users had been hit by phishing attacks in the previous 12 months, an increase of 87 percent over the year before.

Attacks are also getting more creative and more targeted. Some of the biggest security breaches have begun with a carefully crafted phishing attack.

Avoid phishing emails

Always be suspicious of unsolicited emails.

Do not click links or open attachments unless you are confident about the sender and the information the email contains. The best advice is simply to delete the email.

If you are uncertain about the origin of any email, you can always cross-check the information by going independently to the company’s website or by calling them directly. For PayPal, you can log on to their website or app to check your transaction history.

Legitimate services will not make an offer of “a full refund” if the transaction is genuine.

A legitimate email from PayPal will always reference your real name or business name, and will never ask you for sensitive information such as your password, bank account or credit card details. If in doubt, forward the email in question to PayPal at phishing@paypal.com. They will evaluate it and let you know whether it is fraudulent.
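As an added example (not part of this advisory), the Python below applies the red flags described above to a constructed sample message: a greeting that does not use your real name, a “full refund” lure, and a link that leads somewhere other than paypal.com. The sample message, the recipient name and the placeholder host paypal-refund-centre.example are constructed for the example and are not real indicators.

```python
# Added example, not part of the original advisory. Applies the advisory's
# red flags to a constructed message; the host below is a placeholder.
from email import message_from_string
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

SAMPLE_EMAIL = """From: "PayPal" <service@paypal.com>
To: customer@example.net
Content-Type: text/html

<p>Hello PayPal customer,</p>
<p>You sent a payment of 138.00 AUD to Skype.</p>
<p>If you haven't authorized this charge,
<a href="http://paypal-refund-centre.example/login">follow this link now</a>
and get a full refund.</p>
"""

LEGITIMATE_HOSTS = {"paypal.com"}  # assumed genuine hosts (and their subdomains)
GENERIC_GREETINGS = ("dear customer", "hello paypal customer", "dear user")
LURE_PHRASES = ("full refund", "follow this link now")


class _LinkCollector(HTMLParser):
    """Collects <a href> targets and the visible text of an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)
    def handle_data(self, data):
        self.text.append(data)


def phishing_indicators(raw: str, recipient_name: str) -> List[str]:
    """Return the advisory's red flags found in the email, in a fixed order."""
    body = message_from_string(raw).get_payload()  # single-part HTML body
    collector = _LinkCollector()
    collector.feed(body)
    text = " ".join(collector.text).lower()
    flags = []
    if recipient_name.lower() not in text and any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic greeting, real name not referenced")
    if any(p in text for p in LURE_PHRASES):
        flags.append("refund lure")
    for href in collector.hrefs:
        host = urlparse(href).hostname or ""
        if not any(host == h or host.endswith("." + h) for h in LEGITIMATE_HOSTS):
            flags.append(f"link leads to non-PayPal host: {host}")
    return flags
```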

More information

PayPal goes to great lengths to manage phishing and other scams. It provides lots of good advice on its website, including this advice on phishing where you can see examples of phishing emails and take PayPal’s ‘Fight Phishing Challenge’.

Kaspersky Lab warns of phishing increase.

Read Stay Smart Online’s advice about avoiding phishing and advice about spam.

The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.


Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.


This information has been prepared by Enex TestLab for the Department of Broadband, Communications and the Digital Economy ('the Department'). It was accurate and up to date at the time of publishing.

This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.

The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.

Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.

Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.


Connect with Stay Smart Online
Facebook: www.facebook.com/staysmartonline
Email: staysmartonline@dbcde.gov.au
Web: www.staysmartonline.gov.au

© 2013 Australian Government. All rights reserved