At first, Betsy Bozdech thought the message was legitimate. The e-mail that seemingly originated from a PayPal Inc. "Paysecurity" mailbox said her account with the payment service provider was under review because of inactivity and asked her to confirm her e-mail address.
But a few things did not add up for Ms. Bozdech, the content editor for an online movie rental site in Los Gatos, Calif. The message had been sent to an account she rarely uses, and which she had never registered with PayPal. And the supposedly routine query asked her to verify her e-mail address, as well as the account's password, her credit card information, and the personal identification number of her automated teller machine card.
All of those things set off alarm bells, even though the message looked exactly like one from PayPal and contained a link to what looked like a PayPal site, right down to some realistic boilerplate notices at the bottom.
"Once I saw what they wanted, I knew something was odd," she said. "I think anyone with all that information would have tried to use my credit card, and it could have been for a lot of money." Correctly guessing that the e-mail was a scam, Bozdech quickly called PayPal.
"We see this kind of thing every day," said Kevin Pursglove, a spokesman for the Mountain View, Calif., subsidiary of eBay Inc. "And it's not just an issue with us. It's happening to all of the top sites on the Internet."
75 People Are Tricked
Last month Bank of America Corp. customers received a similar message directing them to a bogus but very realistic-looking banking web page that tricked at least 75 people into revealing their personal financial data.
Betty Riess, a senior vice president for corporate affairs at B of A, said it has started an education campaign to remind customers never to disclose such details. "We are telling them that we will never ask them to verify personal data," she said.
Nonetheless, it is clear that e-mail has become yet another channel for con artists to reach potential victims. Wachovia Corp. has also been targeted in recent incidents, as have several Australian banks and a top Spanish bank. Online fraud has become so common that the Federal Deposit Insurance Corp. issued a newsletter this spring describing some of the more common types of scams and advising consumers how to avoid them.
Some banks, including Wells Fargo & Co., reacted to these incidents by adding notices to their online banking pages reminding customers that bank officials will never ask them to disclose personal information. J.P. Morgan Chase & Co. periodically sends e-mails to online banking customers with the same warning.
Online banking and other forms of Internet-based payments are attracting more mainstream, less tech-oriented consumers. But the growing level of fraud is also starting to scare some people away, according to George Tubin, a senior analyst with the retail banking unit of the Needham, Mass., research firm TowerGroup. "When people hear about scams like these, it causes them to think twice."
According to his research, the top reason consumers are avoiding online banking is security. "It's definitely hindering adoption."
Online fraud is skyrocketing, said Tubin, who received one of the fake PayPal messages last month.
Last year the Internet Fraud Complaint Center referred almost 50,000 complaints to law enforcement agencies, almost three times more than it did the previous year. "Many of these spoofs are getting very sophisticated - they can look exactly like the original sites," Pursglove said.
PayPal and B of A say that, working with Internet service providers and law enforcement officials, they can typically shut down counterfeit sites within hours after they are notified.
But many times the mass messages sit in a mailbox for a day or two before somebody forwards them to the financial institution.
That provides enough of a window for some customers to be taken in.
Bozdech was sharp enough to spot the malicious message. "I know you're not supposed to give out information like that."
An Easy Scam
Unfortunately, not everyone is that savvy. Pursglove said PayPal cannot track how many of its customers are duped by scammers. A criminal can send an e-mail to 100,000 consumers or more, and if even a small percentage of them open the message, and if an even smaller group falls for it, that can still net several valuable credit card numbers or other critical data, he said. "If a person gets just five or six responses, that's not a bad day's work," he said. "They can do some significant damage with this information."