Since the start of March 2020 (or at least from the time COVID-19 was in full swing), your trusty blogger here at IPVanish has personally been hit by a barrage of PayPal scam emails. The problem here is that I haven’t had to deal with spam emails in years. After working in this space for so long, I’ve taken my privacy seriously for many years. I’ve been using a VPN, only sharing my email with trusted services, and I’ve never posted it online for public reading.
So, what gives? I’ve got a pretty good idea why this could be, but if you’re in the same boat and have no idea what’s happening — well, read on for possible answers.
PayPal Scam Emails – Part of the COVID-19 Scam Wave?
You’ve probably seen the news about how COVID-19 scams are taking advantage of people’s fear and confusion. The most common online scams seem to involve impersonating health or government organizations. Whether it’s to promise money or updates on COVID-19 regulations, there has been no shortage of ways scammers have tried to profit off the pandemic.
These PayPal scam emails seem to have started around the same time, so the timing is probably not a coincidence. However, most of them follow the format below:
As you can see, Dear Customer, much of the spam goes for the standard scare tactic. Your account’s been locked “due to inactivity,” so PayPal suddenly needs some of your info to unlock it. The emails come from “firstname.lastname@example.org”, so it must be legit, right? Well, there are several problems with this:
- PayPal only ever refers to you by your full name (the one you provided when you created your account). So, none of this “Dear Customer” business.
- PayPal will NEVER ask you to send your account information by email. You already provided everything they need when you created your account.
- If you try opening one of these emails, you will see they are riddled with grammatical errors and the formatting is all over the place. In fact, you can see from the previews that my account has been “temporarily limited !!” Not suspicious at all.
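The three red flags above (generic greeting, a request for account details, sloppy wording) plus a sender or link domain that is not PayPal's own can be checked mechanically. The following is an added example written for this article, not code from IPVanish or PayPal: it parses a raw email with Python's standard `email` module and reports which phishing indicators it finds. The two sample messages, the `paypal-verify.example.net` domain and the `LEGIT_DOMAINS` set are all constructed for the demonstration; check PayPal's own published sender domains before relying on that set.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains a genuine PayPal email should come from / link to.
# Assumption for this example; verify against PayPal's own documentation.
LEGIT_DOMAINS = {"paypal.com"}

# Heuristics for the red flags described in the article.
GENERIC_GREETING = re.compile(r"^\s*dear\s+(customer|user|client|member)\b", re.I | re.M)
URGENCY = re.compile(
    r"\b(temporarily limited|account (has been )?(locked|suspended)|"
    r"due to inactivity|within \d+ hours|immediately)\b", re.I)
CRED_REQUEST = re.compile(
    r"\b(confirm|verify|update|provide)\b.{0,40}"
    r"\b(password|card number|identity|information)\b", re.I)
SLOPPY_PUNCT = re.compile(r"\s[!?]{2,}")          # e.g. "limited !!"
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_legit_host(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def body_text(msg):
    """Collect the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def phishing_indicators(raw_email):
    """Return a list of human-readable indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_email)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if "paypal" in name.lower() and not is_legit_host(sender_domain):
        found.append(f"display name claims PayPal but sender domain is {sender_domain}")
    if GENERIC_GREETING.search(text):
        found.append("generic greeting instead of your full name")
    if URGENCY.search(text):
        found.append("urgency / account-locked scare language")
    if CRED_REQUEST.search(text):
        found.append("asks you to supply account details")
    if SLOPPY_PUNCT.search(text):
        found.append("sloppy punctuation such as ' !!'")
    for url in URL.findall(text):
        host = urlparse(url).hostname
        if not is_legit_host(host):
            found.append(f"link points to {host}")
    return found

# Constructed sample messages (not real emails).
SAMPLE_SCAM = """\
From: PayPal Service <service@paypal-verify.example.net>
To: victim@example.com
Subject: Your account has been temporarily limited !!
Content-Type: text/plain; charset=utf-8

Dear Customer,

Your account has been locked due to inactivity. To unlock it you must
confirm your identity and card number within 24 hours at
http://paypal-verify.example.net/unlock

PayPal Security Team
"""

SAMPLE_LEGIT = """\
From: PayPal <service@paypal.com>
To: jane.doe@example.com
Subject: Receipt for your payment
Content-Type: text/plain; charset=utf-8

Hello Jane Doe,

You sent a payment of $12.00. View the details in your account at
https://www.paypal.com/activity
"""

if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

The checks are deliberately simple string heuristics; a real mail filter would also verify SPF/DKIM results and the message's authentication headers, but even these rules flag every red flag the article lists on the constructed scam message and nothing on the constructed receipt.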
WARNING: Never Open Spam Emails
It used to be that your device could get infected just by viewing a spam email, which is why I tend to keep a script-blocker running (uMatrix, one of our favorite tools here at IPVanish). Nowadays, it can only really happen if you open suspicious email attachments, but why risk it? (Pro-tip: just don’t do it.)
In any case, are these PayPal scam emails really part of the same wave, or is it just a coincidence? There’s another likely culprit in the next section.
Your Email Has Been Leaked Somewhere
You can easily find out if your account has been part of a major data leak, like the Yahoo breaches disclosed in 2017 or the more recent Marriott leak. No need to pay for it either, a rarity in the data age. The service, “Have I Been Pwned?”, was created by award-winning web security expert and current Microsoft Regional Director Troy Hunt.
Have I Been Pwned? compares your email address against a massive database of breach-related leaked info, and tells you which leak it was a part of. You can read more about it in their FAQ section. They also have a sister service called Pwned Passwords to check if any of your passwords have been involved in a breach. This way you know not to use them on any of your accounts. Oh, and that you should immediately change those passwords.
Try out our password generator to create secure, randomized passwords that are virtually impossible to crack through normal means. Obviously, never save your created passwords somewhere they can be stolen, such as a text file on your device or a sticky note on your office desk. You’d be surprised how many people do it. (See also: 10 Password Security Faux Pas You’re Probably Making)
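To make the last two sections concrete, here is an added example (written for this article; it is not IPVanish's password generator nor any code from Have I Been Pwned). It generates a random password from the operating system's CSPRNG, estimates its entropy, and shows how the Pwned Passwords check works without ever sending the password itself: the service's range endpoint takes only the first five hex characters of the password's SHA-1 hash and returns every known suffix with that prefix, so the match is done on your own machine. The `range_response` text below is constructed for the example, with a made-up count, rather than a real reply from the API.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

def generate_password(length=20, alphabet=ALPHABET):
    """Random password from the OS CSPRNG (secrets, never random.choice),
    re-drawn until it contains at least one character of every class."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw

def entropy_bits(length, alphabet=ALPHABET):
    """Bits of entropy for a uniformly random string of this length and alphabet."""
    return length * math.log2(len(alphabet))

def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent to
    the Pwned Passwords range API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, range_response):
    """Match the local suffix against a range reply of '<suffix>:<count>' lines.
    range_response is the body you would fetch from
    https://api.pwnedpasswords.com/range/<prefix>; here it is passed in so the
    example runs offline."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        sfx, _, count = line.strip().partition(":")
        if sfx.upper() == suffix:
            return int(count)
    return 0

# Constructed stand-in for the reply to /range/5BAA6 (the prefix of SHA-1("password")).
# The first suffix really is SHA-1("password")[5:]; the count and the other
# two suffixes are made up for the demonstration.
CONSTRUCTED_RANGE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:7
FFEEDDCCBBAA99887766554433221100FFE:2
"""

if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw} ({entropy_bits(len(pw)):.1f} bits)")
    print("prefix sent to HIBP:", sha1_prefix_suffix(pw)[0])
    print("'password' seen in breaches:", breach_count("password", CONSTRUCTED_RANGE))
```

In real use you would fetch `https://api.pwnedpasswords.com/range/` followed by the prefix over HTTPS and feed the response body to `breach_count`; because only five hex characters leave the machine, the service learns nothing about which of the roughly 400-plus hashes in that range you were interested in.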
Getting Too Much Spam? Switch Providers
It can be a royal pain, but don’t allow yourself to get lazy about your email security – especially if your account has been involved in a breach. Still being bombarded with spam? Time to make a switch. Create a schedule to change email providers on all your accounts, so you don’t feel overwhelmed. For instance, change your provider on only your essential accounts (banking, insurance, cellular, etc.) one day, then deal with your non-essential accounts over the course of the week.
This way you’re 100% sure those PayPal scam emails are not the real thing, no matter how convincing they look. Not sure where to look? Here are some secure email providers you can check out.
Personally, I’m going to start switching my accounts to Tutanota. I keep my inbox clean and don’t get any big attachments from the services I’m subscribed to, so their free option should be enough. Another free service on our list is Maildrop. It’s great if you just want a disposable email address.
Tutanota was also included in ProPrivacy’s ultimate privacy guide for its end-to-end encryption and ease of use. But if you work with sensitive files and are looking for something stronger, check out their section on how to use PGP (Pretty Good Privacy) with a dedicated email client.
Don’t limit yourself to just email security, either. Their guide has plenty of good info on how to keep all your data secure — which is all but required when PayPal scam emails and other internet mischief are making the rounds.