Hook, Line and Sucker
But with my bases covered, I was still intrigued by this phishing ploy where the bad guys called me by name. Searching online, I found that FraudWatch International, a site in Britain that tracks phishing attacks, issued an alert about this specific e-mail on March 11. And Millersmiles.co.uk, another online British anti-phishing service, warned that this phishing attack's "dispute transaction" link connects to a PayPal-like Web site that asks for name, birth date, mother's maiden name, driver's license number and state, and credit card info -- just about anything your average criminal needs for identity theft.
Using Whois.net, a domain-based online research service, I tracked the origin of the spam to Dolgoprudny, Russia, a satellite city southeast of Moscow. The personalized message channeled through a network in Amsterdam before arriving in my inbox here.
"Fraudsters are getting more sophisticated in the types of e-mails they are sending," says PayPal spokeswoman Sara Bettencourt. "As customers have become more aware of phishing and spoof, phishing e-mails have become more targeted."
Lois Greisman, associate director of the Division of Marketing Practices at the Federal Trade Commission's Bureau of Consumer Protection, calls it "the Cadillac of phishing scams" and says it's a relatively new technique. "Is it unique? No. Have they stepped it up? You bet," she says. "Every step they've taken adds greater fidelity and is more expensive to do."
Greisman recalls a couple years ago when phishing was a new phenomenon and the FTC was warning people to beware of e-mails that appear to come from legitimate companies -- but typically contain misspelled words and bad grammar. "Now you're seeing it personalized," she says. "Scammers are good. They like to stay current."
Dave Jevans says such narrowly targeted fraud, called "spearphishing," has previously focused more on employees from particular corporations or on faculty members at universities -- but not on specific individuals. He speculates that the crooks probably "scraped" random names accompanied by e-mail addresses somewhere online or hacked a database, then sent out tens of thousands of the tailored PayPal spams figuring to hit a decent percentage of actual PayPal customers.
"With 100 million people having PayPal accounts, the odds of success are high," says Jevans, chairman of the Anti-Phishing Working Group, a coalition of corporate and law enforcement groups that tracks identity theft and other online crimes. "But I have not seen many 'named' phishing scams. The use of your full name is a troublesome new development."
As one of the top corporate targets of phishing fraud, PayPal invests plenty in spoof education and anti-fraud measures, and its customers are increasingly reporting such attacks, Bettencourt says. "Customers on the Internet are receiving e-mails like this from banks that they don't belong to, or for purchases they haven't made. Customers should keep in mind PayPal (and any legitimate financial service) will not ask you to follow a link to enter personal, financial or account information. You should always open a new Web browser or call the company directly to confirm or dispute a transaction."
Bettencourt has other pointers for dealing with suspicious e-mails:
· If you receive a suspicious PayPal e-mail asking for this type of information, "forward the e-mail to spoof@paypal.com, and our trust and safety team will let you know if it is in fact an e-mail from us."
· Always log in to your online accounts by opening a new Web browser window (such as Internet Explorer or Netscape) and typing in the URL. Do not follow e-mail links to enter personal or financial information.
· Check your accounts frequently to ensure security, says Bettencourt. "Change your online passwords regularly."
· Never download attachments from anyone you don't know, says Bettencourt, who recommends that eBay and PayPal customers use the eBay Toolbar (available at eBay's security pages), which warns when a user is on a potentially fraudulent Web site. It also enables users to report a spoof Web site. "Once a site has been verified by PayPal to be fraudulent, PayPal will work to shut the site down," she says. "Additionally, that information will automatically be distributed to all other eBay toolbar users, warning them about the spoof Web site."
But the FTC's Greisman says the simplest advice about dealing with phishing scams is probably the best: "When in doubt, delete!"
Got questions or comments? A consumer complaint? A helpful tip? E-mail details to consumer@washpost.com or write to Don Oldenburg, The Washington Post, 1150 15th St. NW, Washington, D.C. 20071. Because of the volume of mail, personal replies are not always possible.


