John Walker's Electronic House

by on Jun.28, 2004, under The Rest

I had intended to write all about my investigations into the Mystery of Brown’s Folly today. But that underground-lair-involving excitement will have to wait.

Today I nearly fell, and when I say “nearly” I mean it was so close there were squeaky noises, for a very clever email scam.

I have developed a high-minded nonchalance to email scams, believing myself fairly adept at spotting the things from a long way off, and tutting disapprovingly at people who send money to the daughters of Nigerian dignitaries. Now I feel stupid.

I’ve caught a PayPal scam before, but it was fairly poor. Today’s was terrifyingly good. Arriving in the HTML format of a PayPal email, with the correct layout, and the correct address, it told me that someone was attempting to access my account and that until I verified it, it would be frozen. I think on any other day I’d stop and wonder, but yesterday I bought a t-shirt from a US site via PayPal, and forgot to include international shipping. I emailed the company to say so, and they said that they could add the cost on. So I assumed it must have been something to do with this – reasonably, I would think.

So I follow the link, and it takes me to the PayPal log-in page – familiar and accurate.

So having logged in, I get to this page.

I’m casually filling in the details – PayPal already knows my bank account details, so this doesn’t set off the obvious alarm bells you’d expect. Until I see “PIN Number: (For Bank Verification)”.

And I freeze.

Because nowhere asks for your PIN number (tautological a phrase as it is).

I was *that* close to giving all my bank account details to someone.

Compare how convincing the fake site is, with a similar page from the genuine PayPal. Of course, a couple of major clues which prove me to be the Mr Thicky I truly am, are the random URL in the address bar that has now appeared, and the fact that I had to dig out IE6 to open the page properly, as it wouldn’t work in Firefox (which all PayPal pages do). It was a combination of knowing that there was the situation with the US purchase (which I now realise was saying that they needed *me* to make another payment), and that some pages occasionally don’t work in Firefox due to poor coding, that I didn’t twig.

So if all this serves any purpose, it’s a handy warning to others that the scam is about (similar versions for Barclays Bank around). Details about this can be found here and here.

But more importantly, it proves that master criminals will always go that extra step too far, and get themselves caught by amateur, afternoon television detectives. If they hadn’t asked for my PIN (which would surely be useless to them, unless they were planning on cloning the card itself), I’d have given them my bank account details, and hence sent them on a shopping spree across the known internet. The idiots.

But instead, they now look meek, heads hung low, arms handcuffed behind their back, being marched off by a friendly if somewhat officious police officer, who says, “Thank you Mr Walker. I don’t know what we’d do without you. PIN number indeed! Who’d-a thought it?” To which I reply, “It’s just ‘PIN’ – the ‘N’ stands for ‘Number’”. And then the policeman rolls his eyes and says, “Mr Walker… oh YOU!”, and we all laugh, freeze, and white names start pouring upwards through our reality, terrifying us, all unable to move and escape their gradual ascent across our visage.

2 Comments for this entry

  • AndyK

    They Are Idiots.

    If I was running a scam I’d collect the same details as paypal, and then actually log you in to the real site. You’d be none the wiser, and I’d have your account. Nya ha ha.

    Anyway, just goes to show. Never click on a link in an email.

  • The Youthworker

    Well spotted.

    Talking of which, you’ve been spotted at No 5 in my in-depth ‘Youthwork blogs’ survey.