Dear Readers… I had a scare.
From time to time I write about online and telephone scams, to warn you to be careful. The scammers are devious and “creative” (ironically destructive).
I am not sure what happened exactly, but I had a scare.
The other day, I received something in email that seemed entirely legit from someone/thing I know. I opened it and went to log in. I never do that. MISTAKE. I looked at the address bar and saw “sandbox.paypal”. “SANDBOX?!?!?”, quoth I.
I immediately dropped everything and changed my PayPal password. “Whew!”, quoth I.
What is SANDBOX?
Sandbox.PayPal is a sort of “dummy load” which developers can use to test how PayPal works on their site. In ham radio, we can sometimes test a transmitter using a dummy load, a cable going into something like a container of sand. The power isn’t going into the atmosphere.
There’s more.
Today, I could not log into PayPal with my new password. I couldn’t change the password. I remote logged into my computer at home and tried to get in. I tried to reset. No dice. I used my mobile app and GOT IN. I changed my password again, logging out of all devices.
Once in PayPal, I checked that everything was in good shape, and it was.
I don’t like PayPal, but … oh well.
Friends. BE CAREFUL. I am super cautious and I did something I should not have done.
It seems that scammers have found sandbox.paypal and can use it to create legit looking scams which mine your log in for username and password. That’s very bad.
I also have 2-step authentication. However, when I couldn’t get in, I had several really bad minutes while I systematically worked the problem with several failures along the way.
BE CAREFUL.
Don’t use in-mail links. Always back away and go to the website separately.
You get an email from your… say… bank. You need to attend to something. They provide a handy link.
NOPE!
In a separate browser, go to your bank site and see if there are messages for you.
And LOOK AT THE ADDRESSES in emails you get. If there is the slightest suspicion, CHANGE PASSWORDS. Use a strong password generator if you want.
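The advice above (don’t follow in-mail links, look at the addresses) can be turned into a small check that does the looking for you. The following is an added example, not code from the original post or from PayPal: it pulls every link out of a constructed sample e-mail body and classifies each link’s host against the one host you would expect a login to live on. The expected host (`www.paypal.com`), the sample e-mail, and the rule that the “registrable domain” is the last two DNS labels are all assumptions made for the example; the last-two-labels rule is wrong for domains like `.co.uk`, so treat it as an illustration of the idea rather than a finished tool.

```python
"""Classify the hosts of links found in an e-mail body.

Added example, not from the original post. Assumptions:
- the caller supplies the one host a real login page should be on
  (e.g. 'www.paypal.com');
- the registrable domain is approximated as the last two DNS labels
  (wrong for country-code second-level domains such as .co.uk);
- the sample e-mail below is constructed for this example.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample HTML e-mail body with several kinds of links.
SAMPLE_EMAIL_HTML = """
<p>Please review the recent activity on your account.</p>
<a href="https://www.paypal.com/signin">Log in</a>
<a href="https://sandbox.paypal.com/signin">Log in (developer sandbox)</a>
<a href="https://www.paypal.com.account-verify.example/signin">www.paypal.com</a>
<a href="http://198.51.100.23/login">Secure login</a>
<a href="https://example.org/unsubscribe">Unsubscribe</a>
"""

# Pull the href value out of each anchor tag (single or double quotes).
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(url: str, expected_login_host: str) -> str:
    """Say how a link's host relates to the host a real login should use.

    Returns one of:
      'expected'               exactly the expected login host
      'same-domain-other-host' same registrable domain, different host
                               (e.g. a developer sandbox, not the customer site)
      'lookalike'              the real domain name embedded in a foreign domain
      'raw-ip'                 a bare IP address instead of a name
      'unrelated'              some other domain entirely
      'no-host'                nothing parseable as a host
    """
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "no-host"
    if IPV4_RE.fullmatch(host):
        return "raw-ip"
    expected = expected_login_host.lower()
    expected_domain = registrable_domain(expected)
    if host == expected:
        return "expected"
    if registrable_domain(host) == expected_domain:
        return "same-domain-other-host"
    if expected_domain in host:
        # "www.paypal.com.account-verify.example" contains "paypal.com"
        # but is registered under account-verify.example.
        return "lookalike"
    return "unrelated"


def audit_email_links(html: str, expected_login_host: str) -> List[Tuple[str, str]]:
    """Return (href, classification) for every link in the e-mail body."""
    return [(href, classify_host(href, expected_login_host))
            for href in HREF_RE.findall(html)]


if __name__ == "__main__":
    for href, verdict in audit_email_links(SAMPLE_EMAIL_HTML, "www.paypal.com"):
        print(f"{verdict:24s} {href}")
```

The point of the `lookalike` case is the one the post warns about: the visible link text can say `www.paypal.com` while the actual host is something else, and a long host that merely starts with the brand name is the usual trick. Only the `expected` verdict means the link goes where a login belongs; everything else is a reason to close the mail and type the site’s address yourself.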
Finally, if you get phone calls that are a little strange and out of the blue and the talk turns to money or gift cards or downloading a program to your computer… DON’T.
UPDATE:
There are scammers who, posing as lawyers, have scams as “anti-scammers” promising to get your money back from the original scammers. For example: HERE
BTW… if the person you are talking to on the phone has sketchy English with an accent… just saying.
KeePassXC is a great program that generates and stores random passwords *offline*, on your computer. You access it with a master password (hopefully a very long one).
It also acts as a 2FA authenticator, so you don’t have to mess around with your smartphone if you don’t want to. There is a text field where you can store the answers to laughably-misnamed “security questions”, because of course you should use different answers for every account.
Now that LLMs can figure out your password system more easily, randomly-generated strings are the only way to go in my opinion.
I had a very good-looking and -sounding message from PayPal today, too. Only, what they said about ‘activity on my account’ hadn’t happened. Funny, that.
Thank you.
Thanks for the advice. My workplace has mandated training for spotting suspicious e-mails and yes, these scammers are getting more tech savvy.
FYI – there is a group preying on senior citizens by telling them over the phone that their Medicare card is out of date. My mother got a few of these calls. This group is phishing for personal information and senior citizens are often vulnerable. I have been told Medicare doesn’t call people randomly. I don’t know how many times I have warned my 87-year-old mother not to pick up the phone if she doesn’t recognize a number. If it’s something really important a message can be left or they can call back.
It seems Father dodged a bullet. Scammers seem to get ever more creative and devious.
This may be common practice, but in case it is non-universal, it’s also good to do anything sensitive – banking etc. – in a private window that you close immediately after completing your transactions.
I used to ask to speak to the Supervisor. I would have talked about football, the weather or any topic occurring. Oddly, I was never put through to him; the caller would panic and ring off. Sometimes, I would correct the caller’s grammar. After a little while (and he’s paying for the call), he would ring off in frustration. It was hilarious!
Very good advice, all of it! Trust NOBODY unless you know them and you have absolutely confirmed their online identity! Be especially aware of odd or different patterns of (apparent) behavior, e.g: my esteemed pastor NEVER emails when he just wants to discuss some new brainstorm (or crisis), he always texts. Emails are for more formal communications – so on the three occasions I have received vague emails purporting to be from His Nibs and asking me to get in touch, the disparity with his usual patterns of communication was an obvious “tell”.
The clergy – or at least their identities – are frequently pawns in scams like this! Who is going to suspect an email from “Father”?
As an IT pro, a few suggestions which you will never regret having followed:
1.) BACKUP! Phone, tablet, PC – backup to cloud and keep a copy somewhere secure offline! It is a great feeling to thumb one’s nose at a ransomware attack!
2.) PASSWORDS – Unique!… random is better than long but both are best… whatever else you do, don’t EVER re-use the account/password combo you use on any financial account on any other account! Get a good password manager!
3.) UPDATE – OS updates, security patches, firmware! Not just on your end-user devices but on home routers and any “smart” devices in your home.
4.) OTHER DEVICES – Check online for advice on hardening your model of router – at the very least change the default Admin account/pwd. Also search for info on securing “IoT” (“Internet of Things”) devices like “smart” thermostats, appliances, etc. They’re often easy vectors of access to a home network.
5.) MFA IS YOUR FRIEND – Multi-factor Authentication seems like something dreamt-up by a bureaucrat but it is extremely successful in stymying e.g. Phishing attacks.
In short: view everything through The Hermeneutic of Absolute Suspicion!
Yes, never click on e-mail links or text message links. It is always best to go directly to the institution’s app you have on your mobile phone to check to see if it is legit.
E-mail and text messages are SO easy to spoof. I once demonstrated this to a friend (Italian Librarian) by crafting an e-mail that “officially” appointed her as the head of the Vatican Library. It was complete with a Vatican library e-mail address and signed by the Pope (JP II at the time).
Many years ago we got voice calls putatively from the lupus society. I said “I do not want lupus!” in a loud dramatic voice. It had the opposite of the intended effect as their telemarketers kept calling for entertainment.
One time I had a foreign voice call. Now it could be a genuine call centre in the UK so I asked where they were, they said (I think) Manchester. I asked what the time was and they couldn’t immediately answer so… call ended.
There’s some great YouTube videos of the scammers getting scammed.