19 March 2001

Picking the wrong target for PayPal fraud

I just had someone attempt to defraud me of a few hundred dollars.

He was obviously watching eBay, and noticed I’d just won an auction. So he spammed me an e-mail containing a fake PayPal login page as HTML, with the <FORM> element changed to grab a copy of my username and password via a CGI script.

Presumably at that point he’d wire himself $600 or so, which is the maximum possible with my PayPal account since I haven’t verified. He’d then disappear before the charge appeared on my credit card.

I saw through it immediately, but I can’t help wondering how many average AOL users would be fooled into thinking that it’s a new feature to save you time when the seller requests money. If you fell for it and had verified at PayPal, you could conceivably be hit for a few thousand dollars in no time at all.

I’ve reported the incident to PayPal’s security staff. I also phoned the ISP and had them yank the web account, and filed a complete copy of the e-mail in case law enforcement want to talk to me. I plan to write up the incident for comp.risks. If anyone has any other suggestions for who I should talk to, let me know.

Oh yeah, and a message for anyone else out there looking for marks to defraud: I am not the person you want to target.

© mathew 2017
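
The check below is an added example, not part of the original post: a mail filter could run it to catch the trick described above, where the HTML body carries a login form whose <FORM> action posts the password somewhere other than the real site. The trusted-host list, the function names and both sample bodies are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = ("paypal.com",)  # assumption: the only domain a real login form posts to

# Constructed sample bodies (not taken from the original e-mail).
PHISH = ('<FORM METHOD="POST" ACTION="http://members.example.net/cgi-bin/grab.cgi">'
         '<INPUT NAME="email"><INPUT TYPE="PASSWORD" NAME="pass"></FORM>')
LEGIT = ('<form method="post" action="https://www.paypal.com/signin">'
         '<input name="email"><input type="password" name="pass"></form>')


class FormAuditor(HTMLParser):
    """Record each form's action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []    # one [action, has_password] entry per <form>
        self._open = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)    # tag and attribute names arrive lower-cased
        if tag == "form":
            self._open = [a.get("action") or "", False]
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def is_trusted(host):
    host = (host or "").lower().rstrip(".")
    # Exact domain or a true subdomain; "paypal.com.example.net" does not match.
    return any(host == t or host.endswith("." + t) for t in TRUSTED)


def suspicious_form_actions(html_body):
    """Return actions of password forms that do not post over HTTPS to a trusted host."""
    auditor = FormAuditor()
    auditor.feed(html_body)
    auditor.close()
    flagged = []
    for action, has_password in auditor.forms:
        url = urlparse(action)  # an empty or relative action has no host and is flagged
        if has_password and (url.scheme.lower() != "https" or not is_trusted(url.hostname)):
            flagged.append(action)
    return flagged
```
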