OMG! (My daughter tells me this means, oh my gosh). I just did a purchase online with my credit card and I received this notice in my email. What should I do?
It starts by you following the instructions in the message. The message is using social engineering to your disadvantage.
Social engineering is the application of sociological principles to specific social problems. What?
In this scenario, it is a method of intrusion used by nefarious people (i.e hackers/thieves) that relies heavily on human interaction. You are being tricked into participating in the scam by linking your recent activity to a potential personal risk. Why wouldn’t you follow the instructions, this is a perceived threat, right?
If you took the bait and accessed the link, a plethora of technical “things” have provided the hacker with what they’re looking for – a way to gain access to your information. Your click told your computer to download software that recorded and sent your keystrokes to them. If you followed the instructions, you most likely did give them a real password to a real account. Ouch!
How is a person suppose to know?
Your first step, is to shut down your strong evolutionary response motivation to take flight or fight in times of danger.
Second step, now that the adrenaline affect is minimized, look but don’t touch (i.e. view but don’t mouse click) on some of the fields of information provided in the message. If you are thinking, while I’m doing this I’m being robbed blind, go back to step one and burn off some more of your threat response.
Look at the email for information that enables you to establish non-repudiation. Hugh, there you go with the technical jargon and lose the reader!
In this example non-repudiation means your ability to ensure that the party sending the communication is who they say they are. Did PayPal send the message? In this scenario, I didn’t use PayPal to make the purchase, so why would they be communicating with me after my purchase? Hmm … I don’t even have a PayPal account, so why would they send me a notice?
Look at the email. It sure looks real. It has all kinds of details you would find in an official email. No doubt you still want to follow the instructions and click on that link.
If you look at the senders email address email@example.com, it looks legit. I suspect on an adrenaline fuelled response the word PayPal can stand out and appear correct. On your sober second thought (e.g. you know that reason we Canadians have a parliamentary senate), do you recall ever seeing an email address domain (i.e. the part of the email after the @ symbol) www-paypal. You no doubt have seen the www in a web URL (i.e. the site names you use on your browser) but have you actually seen it in an email address.
Especially at the moment your palms are sweating, your heart is racing and you are visioning your child’s inheritance disappearing from your account and being funneled overseas to some criminal organization funding terrorist activities. Ok, I accept maybe some of the details from the non-fiction novels I’m reading may be bleeding into my perception of reality and colouring it just a bit. I am in a flight or fight mode.
A simple check for the average users is to lookup PayPal website in your browser. Look at the URL displayed. www.paypal.com. Notice any differences between what was in the sender’s email domain? If you suggested “-” instead of “.” you would be right. In picking up that difference your non-repudiation detection should be alarming.
If you understand how to translate the domain name into the IP address of the email sender’s exchange you would discover the IP originates from Amsterdam. Not a big flag in itself but does cause you to wonder did PayPal move their corporate office.
Go back to PayPal’s website and look for contact information. Look for an email address provided at the site. There is no guarantee the web site hasn’t been compromised. Just silence that inner voice that has been listening to the news and reading too many non-fiction spy novels to realize the sky isn’t falling.
You could email PayPal directly from this address and ask for the record.
If you are a mover and shaker in the Internet Technology domain, this tour of an email scam can be riddled with technical bullet holes that start with the line, “What about this…”
Should you be afraid? No, I think your first reaction should be heightened awareness. When your spidey sense starts tingling from a perceived threat, stop your reaction and realize Spiderman is a comic book character and you are not.
Social engineering is a gotcha that uses evolution to trigger a first response.