Hook, Line and Sucker

Personalized Phishing Scams Use Customers' Names to Attract Attention

Washington Post Staff Writer
Sunday, April 2, 2006; Page F05

As rife as the Internet is with miscreant creeps trying their best to steal the identity of anyone who'll bite the bait of their e-mail phishing traps, you'd think they'd work harder to create schemes that aren't quite so transparent as the everyday average phishing spam.

And some do.

But there isn't a day my spam filter isn't filthy with pesky e-mails that pretend to come from eBay, PayPal, Chase and other legitimate businesses warning that my account has been compromised, defrauded or whatever. From urgent warnings (verify your information or your account will be suspended within 24 hours!) to look-alike Web sites and logos, most phishing spams are a study in crude social engineering. They're designed to convince the naive, gullible or unthinking to do one thing -- click that link and give up a password or other confidential info.

Never mind that many of them involve companies with which you've never had an account. Most of them take a shotgun approach, scattering bogus e-mails everywhere and to everyone. They're counting on fooling only a few because it costs next to nothing to mass-blast these phony communiqués to millions of people -- and it takes only a handful of suckers to make it worth their while.

Most of us by now know these insipid scams are nothing more than fodder for the delete button. But every once in a while, a real gem of the genre sneaks past the spam filter and talks a good enough game to give even a twitchy trigger finger pause.

I recently received one like that. It was purportedly from PayPal, and that alone raised my suspicions. But this one was different. Instead of pretending to be another ho-hum warning about an account problem, it masqueraded as a receipt for a $410.55 credit card purchase of a "Microsoft Xbox 2360 Premium Edition System" paid through PayPal. The e-mail subject line read: "Receipt of your payment to gamerslair," and inside it showed the seller's e-mail as sales@gamerslair.com (the e-mail of an actual company in Canada).

Despite my doubts, there was just enough of a hint that maybe a crook was using my credit card that I looked it over. Inside, it didn't start with the usual "Dear PayPal User" -- a reliable clue that an e-mail is definitely not from PayPal and should be sent directly to Spam Hell. This one greeted me by name. Under Shipping Information, it even listed some shnook in Concord, N.C., as the guy getting the Xbox 360 I was supposedly paying for.

But just as my blood pressure began to rise, I spotted a flaw. The message at the bottom of the e-mail read as if it came from some parallel consumer universe where -- you'll love this! -- refunds are actually simple matters. "If you haven't authorized this charge," states the e-mail, "click the link below to cancel the payment and get a full refund."

So, first, I logged on to my PayPal account (keying in http://www.paypal.com/ myself and not clicking on a link in the suspicious e-mail) and checked recent transactions. Nothing wrong.

Next, I forwarded the e-mail to spoof@paypal.com -- the address PayPal publishes for reporting suspected phishing messages like this one.

Then, I called PayPal's security department, and a nice young man reassured me that this was, in fact, a phishing scheme and that he was looking at my account and it showed no such charge. He added that he received a report like it the day before.

Finally, I called my credit card company's security department and confirmed that nothing resembling trouble appeared on my account.
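The step of keying in the PayPal address by hand rather than clicking the e-mail's link is what defeats the look-alike sites the column describes: the visible text of a link can say paypal.com while the real target is a different host. The following is an added example, not code from the column or from PayPal, showing how to audit the links in a suspect HTML message automatically. The sample message body is constructed for the example and modelled on the receipt described above; the expected-domain set, the link hosts and the two-label "registrable domain" rule are assumptions made here (a real tool would consult the Public Suffix List so that names like co.uk are handled).

```python
"""Flag links in a suspected phishing e-mail whose real target does not
match the organisation the message claims to come from."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the message claims to represent. Assumption for this example:
# the mail purports to be from PayPal, so only paypal.com is legitimate.
EXPECTED_DOMAINS = {"paypal.com"}

# Constructed sample body (not the real scam e-mail). The first link hides
# its target behind "click here"; the second shows a PayPal URL as its text
# while pointing at a bare IP address; the third is genuine.
SAMPLE_BODY = """
<p>Receipt of your payment to gamerslair</p>
<p>If you haven't authorized this charge,
<a href="http://www.paypal.com.example-verify.net/cancel?id=123">click here</a>
to cancel the payment and get a full refund.</p>
<p>Visit <a href="http://203.0.113.5/paypal/login">https://www.paypal.com/</a></p>
<p>Help: <a href="https://www.paypal.com/help">PayPal Help</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable-domain heuristic: the last two labels. Adequate for
    .com/.net; a production checker would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    """True for dotted-quad IPv4 hosts, a classic phishing tell."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def classify_link(href, text):
    """Return the reasons a link is suspicious (empty list if it looks clean)."""
    reasons = []
    host = urlparse(href).hostname or ""
    if is_ip_literal(host):
        reasons.append("raw IP address in href")
        actual = host
    else:
        actual = registrable_domain(host)
        if actual not in EXPECTED_DOMAINS:
            reasons.append(f"href domain {actual!r} not in expected set")
    # Visible text that looks like a URL must agree with the real target;
    # a mismatch is exactly the look-alike trick the column warns about.
    if text.startswith(("http://", "https://", "www.")):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable_domain(shown) != actual:
            reasons.append(f"visible URL {shown!r} differs from real host {host!r}")
    return reasons


def audit_links(html):
    """Map each suspicious href in the message to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        reasons = classify_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_BODY).items():
        print(href, "->", "; ".join(reasons))
```

Run against the constructed body, the audit flags the "click here" link (its registrable domain is example-verify.net, not paypal.com) and the IP-address link (raw IP, and the displayed www.paypal.com does not match the real host), while the genuine help link passes. The same mismatch is what a reader avoids by typing the address into the browser instead of clicking.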

© 2006 The Washington Post Company