Lissa Mantell thought the second e-mail she received from PayPal smelled "quite fishy." Earlier the same day, PayPal, the online payment service, had e-mailed her about changes in its user agreement and asked her to log on to her account at its secure Web site and review the new terms.
Her gut reaction was that the follow-up request was someone "trying to capitalize" on the earlier message PayPal sent to its 23.3 million registered members. "This e-mail is requesting all of my credit card information -- again!" says Mantell, a nonprofit worker from Silver Spring, who like all PayPal members had to provide banking and credit card information when she joined. "Isn't that the biggest no-no in e-mail hoaxes?"
Next to buying something online and never receiving it (Internet auctions ranked No. 1 in the Federal Trade Commission's top 10 consumer complaints for 2002), one of the biggest Internet scams is con artists impersonating legitimate Internet businesses and asking members to "verify your information." It's not a new ruse: Phony telemarketers have been snatching people's credit card and bank numbers that way for years over the phone.
But take note: This e-mail was creatively convincing. At the top was the distinctive blue-lettered PayPal logo. The message "from PayPal Services" cautioned that Mantell's account "has been flagged" for fraud investigation. There was a hot link to go directly to a special PayPal Web page where she could fill in the blanks -- name, address, credit card number -- necessary to reinstate her account status.
So sophisticated was this bogus e-mail that clicking the hot link momentarily connected to PayPal's home page before switching to a counterfeit verification page.
"These types of things are everywhere, and it can be very easy to get tripped up!" says Mantell.
Kevin Pursglove, spokesman for PayPal and eBay, the biggest online auction company (61.7 million members), which bought out PayPal last summer, says "phantom e-mails" like these appeared about a year ago and have persisted in contacting members of both PayPal and eBay to trick users into providing credit card and banking data.
While Pursglove doesn't disclose numbers of consumers who get suckered, he says, "we have received communications from users who describe how they fell victim to such a scam."
But, he adds, "it seems to us that most Internet users are becoming far more conscious of these attempts to defraud them. Our guess is that most eBay and PayPal users are simply ignoring them."
Meanwhile, PayPal and eBay are trying to educate users about online fraud schemes. Both tell their members they never will ask for personally identifiable information via e-mail. Both stopped using Web site hot links in messages to members, asking them instead to log on themselves.
"That way we can be sure they are going to the eBay or PayPal page rather than a spoof page," says Pursglove.
But unlike the earliest spoof sites that stole outdated logos and contained misspelled words, scammers now are more sophisticated, he says.
At the spoof verification page linked to Mantell's e-mail, the Web address read "yPal.com," followed by a long string of characters, instead of "PayPal.com."
To a casual observer, it looks like the front end of the URL got pushed out of sight.
But smart consumers opening that page's Properties window discovered that it had no security certificate. PayPal does.
"But they are unfortunately getting much better at it," says Pursglove. "They are becoming more and more genuine looking."
Got a consumer complaint? Question? E-mail details to email@example.com or write Don Oldenburg, The Washington Post, 1150 15th St. NW, Washington, D.C. 20071.