Innovations in phishing

Like most people who’ve had email for more than a week, I’m used to getting phony notices from eBay, Bank of America, and various other institutions telling me that there’s a problem with my account, and inviting me to click on the embedded link and “verify” my personal info. By now I think I’ve seen all the common variations of this scam, but every once in a while there’s a new one:

Dear PayPal Member,

This email confirms that you have sent an eBay payment of $47.85 USD to for an eBay item.

Payment Details

Amount: $47.85 USD
Transaction ID: xxx
Subject: Digimax 130

If you haven’t authorized this charge, click the link below to dispute transaction
and get full refund.

Dispute transaction (Encrypted link)

*SSL connection:
PayPal automatically encrypts your confidential information
in transit from your computer to ours using the Secure
Sockets Layer protocol (SSL) with an encryption key length
of 128-bits (the highest level commercially available)

The message goes on to state that the guy you supposedly sent money to has an unconfirmed address (with “UNCONFIRMED” in all-caps), and congratulates you on your choice of payment method:

By using your bank account to send money, you just:

– Paid easily and securely
– Sent money faster than writing and mailing paper checks
– Paid instantly — your purchase won’t show up on bills at the end of
the month.

Thanks for using your bank account!

…which I thought was an especially clever touch. Most phishing emails suggest that your eBay/PayPal/whatever account will be “locked” or “disabled” until you provide the requested information. That’s annoying, but not necessarily urgent. The thought that someone might be draining your bank account RIGHT NOW, on the other hand…

Very deft use of psychology. Now if only this ingenuity could be harnessed for something constructive, like rescuing Battlestar Galactica from last season’s plot twists.