|
?:reviewBody
|
-
The claim that PayPal, the online payment app, needs users to resubmit their credit card and bank account information as part if routine security maintence has circulated online since at least 2002. For instance, the rumor has spread via emails that appear to be authored by the company itself — but, in reality, scammers are responsible for the messages. Snopes collected one such email in 2003: The email included a form for recipients to enter their email addresses, account passwords, bank account numbers and credit card numbers and expiration dates, and then to hit a Log In button. After that, the message said: Don’t be fooled — these phantom emails do not originate with either PayPal or eBay; they are the creation of thieves intent upon harvesting bank account and credit card numbers from the unwary. Although some elements of the form are genuine (a little blue PayPal symbol links to paypal.com, for example), information entered into the data boxes does not get sent to the online banking house; it is instead routed to an e-mail address in Russia. Earlier versions ran the con in a slightly different way: Official-looking e-mails informed users their accounts had been flagged for fraud investigation and provided a hot link to a special PayPal webpage where they could fill in the blanks — name, address, credit card number — supposedly necessary to reinstate their account status. Those earlier hot link manifestations would momentarily connect the about-to-be-defrauded to PayPal’s homepage before switching to a counterfeit verification page housed on an entirely different site. Both eBay and PayPal (eBay bought out PayPal in 2002, and then the two companies split in 2015) swear they never ask for personally identifiable information via e-mail, and both have stopped including website hot links in messages to members. Ergo, if you get an e-mail from one of these entities asking you for a credit card or banking account number, it’s not the real thing. To guard users against such scams, PayPal advises the following, as of September 2022: This form of theft is not new, even if the techniques now be used to accomplish it (CGI scripts and hot links) are. The same basic con has been used for a very long time and has flourished in numerous less techno-terrific ways — it’s all about getting potential victims to hand over their banking and credit information, an objective the con artist accomplishes by masquerading as a bona fide representative of a reputable and trusted organization that would have reason to ask for that information. In the non-cyber world the unwary have been duped into providing such sensitive financial details via fake IRS forms, which appeared to have been issued by the victims’ own banks. (The victims would fax the completed forms to the fraudster, thinking they were filing them with the IRS.) An even less technology-driven scam requires nothing more than a telephone and the local phone book: the defrauder skims the white pages for people who live near a particular bank and calls them, presenting himself as an employee of that financial institution who needs to confirm their account information. Because people tend to patronize the bank closest to where they live, the thief will encounter very few responses of, No, you’ve got the wrong Molly Brown — I don’t have an account there. We tend to accept the way people present themselves at face value, so only a handful of us think to question someone who greets us by name, identifies themselves as working at our bank and informs us there is something wrong with our bank accounts. The straightforward request that we read off the account numbers from our checks will all too often net the scammer the information they seek; only long afterwards (if at all) do we stop to wonder why, if they had our names and phone numbers, they didn’t have the details of our accounts at their fingertips, as well. Scams that trick the gullible into revealing private information by having them confirm details, presumably already in the possession of the one doing the asking, fall under the broad heading of social engineering, a fancy term for getting people to part with key pieces of information simply by talking to them. The wary consumer’s best defense to such maneuvers is a zipped lip (or, in the online world, an untapped keyboard). Protect yourself by volunteering nothing, even if you feel somewhat pressured by the one doing the inquiring. If someone on the telephone asks you to read off your checking account number for verification, ask the caller instead to recite it to you from their records. If you get an e-mail announcing something dire has befallen one of your online accounts and requiring you to reenter sensitive personal data to get things back on track, do not reply to it, and do not fill out any forms that accompany it or click through any hot links it provides. Instead, contact that service through its website and ask them about the email. The con artists are getting more sophisticated all the time, so do not be too quick to mistake the appearance of legitimacy with legitimacy itself. Just because an email looks like it comes from an entity you do business with doesn’t mean it’s genuine, and just because you’re being directed to a webpage that looks like that entity’s homepage doesn’t mean you’re not being sent somewhere else. Beware the wolf in sheep’s clothing lest you end up his dinner.
(en)
|
![[This page as RDF]](http://data.gesis.org/claimskg/static/rdf-icon.gif){kind=icon}