Today the unexpected happened; I was the victim of a PayPal phishing attack, even though I claim to be one hell of a smart cookie with web security. And before you ask, no, I didn’t click on a link in an email. I’m not THAT stupid. What I did instead was to type the URL into my browser by hand, and stupidly enough I never included the https:// bit. Call me slack, call me silly, but that’s what happened.
I then went to get some email address to pay one of my writers, and when I came back to the PayPal tab I was exposed to a tabnabbing attack. I never knew that something like this existed, and after I realized I got done I found the above article at Mashable. Scary, scary stuff this is.
The dangers of not using https:// before the domain
I realized soon enough that something was indeed phishy when I was suddenly facing a new PayPal page with the URL www.paypal-business.com or some similar subdomain. It had all the right looks, the right logos. I would have never realized that it was a phishing attempt except I clicked their security thingy in the browser and was told it was from PayPal Singapore. What the…
PayPal is definitely NOT beaming their magic around the world from Singapore, now do they?
By trying to use the login shortcut and leaving out the https:// bit before the domain name I somehow got misdirected to a phisher. Beats me how, but that’s what happened. To put a long story short I’m now experiencing limited account access. I can see my account overview, but that’s about it. I did change my passwords and security questions right after the attempt. In fact, PayPal got wind of it somehow and prompted me to do this. I double-checked the URL before I went ahead and it seems I was dealing with the REAL PayPal on the second attempt. Lucky for me I’ve switched to SMS login as an added security not so long ago.
I’d hate to think of what would have happened had I not had this extra security measure in place. Right now I can’t pay anyone money, I can’t make a bank transfer, nor can I request money at this stage. But having said this, I still have my money in the account. This made me realize how exposed we are when we rely on PayPal as the main merchant of choice.
Getting back to business as usual
To get my account fully functional I now need to verify it. Needless to say I’m not happy about this at all. I’m not even sure if there are alternatives to PayPal for Aussie service providers? The trouble is that most Internet marketers are so used to using PayPal that trying to get paid with another merchant has got to be a nightmare in itself, or is it?
I would certainly appreciate any insights from you if you think you can point me to a great alternative. I don’t mind paying monthly fees for a good merchant if it allows me to get paid via PayPal from clients around the world.
How to protect yourself from phishing attempts
There are some measures you can take to prevent this from happening to you:
- Never click on any hyperlinks from within an email. If your bank sends you an email, it is likely a phishing attempt. To find out for sure, open a new tab, type the full secure URL of your bank (including the https://) and see whether your account was really stolen, as was claimed in the email.
- Always use the secure login URL if you are trying to access sensitive accounts. Don’t follow suit with my bad example.
- Use secure password managers.
- Never use your password twice online. Always generate complicated strings of letters, numbers and symbols.
- Keep your computer’s software up-to-date.
- Use a good antivirus/security suite to browse the Internet.
- Don’t believe a word in the Nigerian prince’s email when he offers you a cool million for helping him to unlock his heritage.
- Check website security seals if you suspect foul play.
- Stay alert when browsing the Internet.
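The check behind the first two tips, as an added example that is not part of the original post: it flags an address typed without https:// and any host that is not paypal.com or one of its subdomains, such as the paypal-business.com lookalike described above. The function name and the sample addresses are constructed for illustration, and login.example is a placeholder host.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: paypal.com and its subdomains are the only trusted hosts.
TRUSTED_DOMAIN = "paypal.com"
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def check_login_url(typed):
    """Return a list of warnings for a typed or displayed address (empty list = OK)."""
    warnings = []
    has_scheme = bool(SCHEME_RE.match(typed))
    if not has_scheme:
        # Without a scheme the browser picks one; the typed text guarantees nothing about TLS.
        warnings.append("no scheme typed: https:// is not guaranteed")
    parts = urlsplit(typed if has_scheme else "http://" + typed)
    if has_scheme and parts.scheme != "https":
        warnings.append("scheme is %r, not https" % parts.scheme)
    if parts.username is not None:
        # Everything before '@' is userinfo, not the site being contacted.
        warnings.append("text before '@' is not the host")
    host = (parts.hostname or "").rstrip(".")
    # Exact match or a true subdomain only: a hyphenated lookalike or a
    # "paypal.com." prefix on someone else's domain does not qualify.
    if host != TRUSTED_DOMAIN and not host.endswith("." + TRUSTED_DOMAIN):
        warnings.append("host %r is not %s or a subdomain of it" % (host, TRUSTED_DOMAIN))
    return warnings


# Constructed sample addresses (not taken from any real incident data).
SAMPLES = [
    "https://www.paypal.com/signin",
    "www.paypal.com",
    "https://www.paypal-business.com/",
    "http://paypal.com.login.example/",
    "https://www.paypal.com@login.example/",
]

if __name__ == "__main__":
    for address in SAMPLES:
        print(address, "->", check_login_url(address) or "OK")
```

This only inspects the address text; it does not cover look-alike Unicode characters or a tab whose content was swapped after loading, which is why re-reading the address bar on returning to a tab still matters.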
Have you been a victim of a phisher before? Tell us more…