A very good PayPal spoof email was reported recently. Fortunately, the recipient immediately detected it, but would you? Do you know what to look for? Do you know what to do - what not to do? One of the big problems with Internet email today is there is no one consistently reliable authentication procedure available for filtering out “bad” email. Which means anyone can send an email message and make it look as if it came from any email address they wish. When this email is received, there is no way for the recipient to verify whom the sender is, and this sets up unsuspecting email recipients to be exploited by ill intentioned people. Most experienced Internet users are aware and watchful for spoof or "phishing" email messages but even if you feel your answers would be 'Yes' to the questions posed above it never hurts to review, so read on.

Phishing or Spoof Email
"Phishing" or “spoof” email messages are designed to fool the recipient into thinking that they have come from a legitimate source, usually, a large company, with the goal of getting the recipient to enter sensitive personal information: bank account numbers, credit card information, mother's maiden name, etc. Here is an example a what phishing email might look like:

Date: 26 Feb 2007 07:14:28 -0000
To: Your Email Address
Subject: Your Citi Cardmember Verification
Reply-To: Citibank email address

What you are presented with is a fancy email message, complete with Citibank graphics and logos. In fact, the email message may even be constructed so the graphics actually come directly from the official Citibank web site. (The following message was taken verbatim from an actual “spoof” email.)

We recently reviewed your account and suspect that your CitiBank Account may have been accessed by an unauthorized third party. Protecting the security of your account and of the CitiBank Network is out primary concern. Therefore, as a preventative measure we have temporarily limited access to sensitive CitiBank Account Features.

Click The link below in order to regain access to your Citi Cardmembers Account, simply:

Update Your Account
Please fill in the required informations. Your personal information are protected by special encryption (128-bit) which fully encrypts and protects all of your personal data. We absolutely will not share your information with any third party!. This is required for us to continue to offer you a safe and risk free environment.

NOTE : Please ignore this message if you're not Debit Citi Cardmembers.

Sincerely,

Account Online Management

HAVE QUESTIONS ABOUT YOUR ACCOUNT?
We cannot respond to individual messages through this email address because we are unable to verify the sender's identity. You can, however, correspond with us electronically through our secure messaging feature.

Please sign-on at (here the scam email might contain a legitimate link to the Citibank web site) and choose Contact Us from the Help/Contact Us menu. Then select the Send New Message link under Write to Customer Care. You can also call the Customer Service phone number on the back of your card.

WE ARE COMMITTED TO YOUR PRIVACY
(here you might see a legitimate link to the Citibank site's privacy policy) There are simple steps you can take to protect yourself from fraud while online, such as never sending personal or financial information by email. (We'll never ask for it.) For more information, please review the recommendations of the U.S. Government and others at the following sites: (links here may also be completely legitimate links to sites containing security warnings and tips)

© 2004 Citibank
All rights reserved.
Citi, Citibank and Citi with Arc Design are registered service marks of Citicorp.
Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117

Even though the above email contains some spelling errors (a sign an email may not be legitimate) it is a good example of a “phishing” email. Why? Because it contains legitimate links that would put some people at ease and thus fool the receiver into thinking it is a legitimate email, even with the spelling errors.

Don't be Fooled!
Most email programs have a way to display the detailed email 'headers' so you can see them. The headers of email show the path it took from its source, to you. Looking closer at the email example above, here was the actual header information:

From root@mail.bos55.com Mon 26 Feb 2007 11:54:55 2007
Return-Path: root@mail.bos55.com
Received: (qmail 24786 invoked from network); Mon 26 Feb 2007 11:54:54 -0000
Received: from mail.bos55.com (65.75.177.150)
by mail.rubylane.com with SMTP; Mon 26 Feb 2007 11:54:54 -0000
Received: (qmail 32372 invoked by uid 398); 26 Feb 2007 07:14:28 -0000
Date: Mon 26 Feb 2007 07:14:28 -0000
Message-ID: 20071025071428.32371.qmail@mail.bos55.com
To: (Your Email Address)
Subject: Your Citi Cardmember Verification
From: Citi Cards (Citibank email addr)
Reply-To: (Citibank email address)

Keep in mind, a real return email address may be inserted into the 'From' field to fool the reader into thinking the email is legitimate. A scammer isn't looking to receive an email reply from you. They don't want to correspond. All they want is for you to click on the link in the email, which will take you to their Web site (not Citibank's), where you will be instructed to enter your password and/or other important personal information.

The only single piece of information that cannot be forged in an email is the first IP address listed in the Received: headers. In this case, it's 65.75.177.150, or mail.bos55.com. PLEASE DON'T GO TO THIS WEB SITE! But as you can see, this is not a legitimate email message from Citibank. In fact, it's even possible for forged Received headers to be inserted, but not in the first Received: header. The spoof PayPal email we referenced in the introduction actually originated from a foreign website, not from the PayPal US site. The shop owner had checked the headers of the email and immediately noticed it was not legitimate.

The "Update Your Account" link that scammers like to include in an email may take you to a site that is made to look like a Citibank page, where you are instructed to “verify” your account information and are requested to enter sensitive information relating to your account. If you enter your account information you have now given over important sensitive information about yourself and your account to an illegitimate third party, who can use the information to perpetuate a fraud, such as extracting funds from your account, or calling Citibank, posing as you with the credentials to back up their identity, and gain access to your account.

Any time you are sent an email regarding a payment or a 'problem' in your PayPal account, do not click on a link in that email. Instead, go to the PayPal site either through a bookmark on your computer, or open a new browser window and type in the site's secure URL (https://www.paypal.com). Then log into your PayPal account as you normally would and check your account to see if there has been any unusual activity involving a payment or other issue noted in the spoof email. If there isn't or if you suspicious of the email, access the PayPal Security Center on the PayPal site and select the appropriate link and follow their instructions for reporting a possibly fraudulent email. The PayPal Security Center has a tremendous amount of security information including “fraud-fighting tips, tools, and technology.”

The federal government also has site OnGuardOnline.gov with information to help you “guard against Internet fraud, secure your computer, and protect your personal information”, which can be found at the following link: http://onguardonline.gov/index.html