This appeared in my email this morning as I scanned the inbox on my iPhone for whatever came in overnight.  

Now, being an IT professional with a number of network security certifications the chances that I would actually fall for this are essentially nonexistent . . .  yet I will admit that my initial gut reaction when I saw the message was something like, “Oh crap – how did this happen.”

In the amount of time it took for a few of my pre-caffeinated neural synapses to wake up I actually wondered why PayPal would have closed my account.  In a post French-roast state this might have been milliseconds – but as I had not made it down to the kitchen to visit Mr. Keurig yet it might actually have occupied my mind for several entire seconds.

And so I understand why people fall for emails that, to me, are obviously phishing scams.  I know that PayPal would never send out such a message with a blind link requesting that I reveal my credentials.  I know that PayPal would never just “close my account” because of suspicious activity.  I know that credit card providers don’t share information about unusual charges on my account with merchants like PayPal.  I also know that legitimate emails from a company like PayPal would not be replete with multiple phrases written by someone who could obviously benefit from an extensive remedial course in sentence construction.

There are plenty of other clues that email messages like this are an invitation to create serious havoc in your life.  So as a public service I will use this as an opportunity to remind all those who happen by of a few basic rules to live by when messages like this manage to sneak past your junk-mail filter.

  1. Never follow a link in an unsolicited email to a page where you will be asked for ANY sensitive information including user names and passwords.
  2. Never follow a link in an unsolicited email that seems out of context for the sender.
  3. Remember that legitimate financial institutions and vendors will NEVER send out a message like this.  If you suspect that such a message might actually be legitimate, close the email, open your browser, and go to the site yourself like you normally would.  NEVER USE THE EMBEDDED LINK IN THE EMAIL.
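Rule 3 can be partly automated on the defender's side. The following is an added example, not part of the original post: it pulls every link out of an HTML message and flags the ones a phishing email typically contains, a visible URL that differs from the real destination, a bare IP address, or a host outside the claimed sender's domain. The email body and its hostnames are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML body; the hosts are reserved
# documentation/example values, not real sites.
SAMPLE_EMAIL_HTML = """
<p>Your account has been closed due to suspicious activity.</p>
<p>Please <a href="http://paypal.example-login.invalid/verify">click here</a> to restore access.</p>
<p>Or visit <a href="http://203.0.113.7/pp">https://www.paypal.com/signin</a></p>
<p>Help: <a href="https://www.paypal.com/help">www.paypal.com/help</a></p>
"""

_URLISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s):
    """Lower-cased host of a URL or bare domain; '' if there is none."""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()

def suspicious_links(html, sender_domain):
    """Return (href, text, reason) for each link that should not be trusted."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = _host(href)
        if not host:
            continue
        # Only treat the anchor text as a "shown" address if it looks like one.
        shown = _host(text) if _URLISH.fullmatch(text) else ""
        if shown and shown != host:
            flagged.append((href, text, "visible text names a different site than the href"))
        elif _IPV4.fullmatch(host):
            flagged.append((href, text, "link points at a bare IP address"))
        elif host != sender_domain and not host.endswith("." + sender_domain):
            flagged.append((href, text, "link host is not the sender's domain"))
    return flagged
```

Run against the sample with `suspicious_links(SAMPLE_EMAIL_HTML, "paypal.com")`: the "click here" link and the IP-address link are flagged, while the genuine help link passes.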

And finally, a note about passwords.  I know it’s a pain in the rubber parts, but please do yourself a favor and develop good password habits.  The following rules apply to any account you have that you don’t want some Ukrainian wiz-kid accessing.  This obviously includes things like online banking accounts, merchants that might store your credit-card information, email accounts . . .  essentially any account that you care about:

  • Use a unique password for each account.  NEVER use a password for your online banking account or an account like PayPal for ANY OTHER PURPOSE.
  • Don’t use trivial passwords like 12345 or (God forbid) “Password”.
  • Don’t use common words, your spouse’s name, your birthday, or the name of your pet.
  • Do use combinations of different character types.  Mix uppercase, lowercase, numeric, and symbols.  More and more sites are actually requiring this now.
  • The longer the password the better.  Eight characters containing a mix of upper, lower, numeric, and symbols is a bare minimum.

Periodically check your account names with sites that track known breached accounts.  This one is pretty good:

Oh yes . . .

Never start responding to emails before your first cup of coffee, or after your second glass of wine.