Am I being Phished at PayPal?

Posted by: tanstaafl.

Am I being Phished at PayPal? - 05/10/2009 14:21

I went to log into PayPal this morning, and am pretty sure I was at the official PayPal website (https://www.paypal.com/), and after entering my password, I was redirected to a "Security Check" website. See the attached screenshot.

It seemed very strange to me that PayPal would be asking me to enter credit card number and bank information that they already have on file for me, so I refrained from doing so, copied the screen, and logged back out.

I can't forward the screen shot to PayPal because I can't log into PayPal without divulging the information they (or someone) wants me to send.

Is this legitimate? How can I find out?

tanstaafl.
Posted by: JBjorgen

Re: Am I being Phished at PayPal? - 05/10/2009 14:37

In a perfect world, you just look at the certificate and make sure it's valid.

Try giving them a call:
1-888-221-1161
Posted by: peter

Re: Am I being Phished at PayPal? - 05/10/2009 14:53

Originally Posted By: tanstaafl.
I can't forward the screen shot to PayPal because I can't log into PayPal without divulging the information they (or someone) wants me to send.

According to their website, you should email it to [email protected].

I agree this looks very strange, but if it is a phish I'd also love to know how they've done it given the precautions you've taken.

Peter
Posted by: andy

Related question - 05/10/2009 14:56

I have a related PayPal question from my Dad:

"Help!

I am trying to change my credit card number on PayPal. When I log on to my account I get this message:

We are currently performing regular maintenance of our security measures. Your account has been randomly selected for this maintenance, and you will now be taken through a series of identity verification pages.

It then asks me for my current credit card number ending in 061. This account has been closed due to fraudulent withdrawals and I don’t know the number.

I have tried contacting them by their email link, but it only allows one sentence.

I have tried to phone but this requires a PIN number. Following their link to get a PIN I get the above message.

I have tried to create a new account but it says that an account for [email protected] already exists."

Any clues?
Posted by: tanstaafl.

Re: Am I being Phished at PayPal? - 05/10/2009 15:16

Originally Posted By: JBjorgen
In a perfect world, you just look at the certificate and make sure it's valid.

Try giving them a call:
1-888-221-1161


Certificate? Valid? You are talking about things I don't understand here.

I called the number, and a person representing himself as PayPal answered and assured me that it is legitimate. The reasoning is they want to make sure that the person making the payment really is the account holder, otherwise if I had your PayPal user ID and password I could make a fraudulent payment to myself and then skip the country. Hmmm... Mexico sounds nice. :)

I am still suspicious. The PayPal home page has a nice little donation window near the bottom to send relief money to the Philippines. I don't recall that sort of humanitarian concern on PayPal's website in the past.

And now, as part of their Security Check, they want me to enter and confirm a new password and enter new authentication answers to some pretty non-useful questions.

I'm not happy about this.

tanstaafl.
Posted by: tanstaafl.

Re: Related question - 05/10/2009 15:20

Originally Posted By: andy

I have tried to phone but this requires a PIN number. Following their link to get a PIN I get the above message.


The phone number that JBjorgen gave (1-888-221-1161) worked without a PIN number.

There isn't any way that phishers could spoof a secure website AND a phone number, is there?

tanstaafl.
Posted by: JBjorgen

Re: Related question - 05/10/2009 15:30

That's the number I got from the "contact us" page when I logged in to my account.

I have to assume this is legit, although I agree...it seems as if they should be able to find another way to verify your identity (i.e. secret question).

BTW. The other reason that I'd be fairly sure this is coming from PayPal is that they present the bank name and the last few numbers, indicating that they already know the account number. If a phisher has that info, there's not much else you could provide them that would help.
Posted by: tanstaafl.

Re: Related question - 05/10/2009 15:59

Originally Posted By: JBjorgen
That's the number I got from the "contact us" page when I logged in to my account.

I have to assume this is legit, although I agree...it seems as if they should be able to find another way to verify your identity (i.e. secret question).

BTW. The other reason that I'd be fairly sure this is coming from PayPal is that they present the bank name and the last few numbers, indicating that they already know the account number. If a phisher has that info, there's not much else you could provide them that would help.


Yes, but all they present is the last four digits of the number... anybody who had somehow hacked into my PayPal account would have access to that information.

If this really is a genuine phishing expedition (unlikely) the perpetrator now has my full bank account number, my new password, and authentication questions and answers.

What is unsettling is that Snopes lists this as a PayPal scam dating back to 2003. The wording in the scam is practically identical to the wording on the web page I was redirected to.

What makes me pretty sure it was NOT phishing is that I can now log into PayPal with my NEW password. And I am pretty sure it IS the PayPal site I logged into because I can list my transactions.

tanstaafl.
Posted by: hybrid8

Re: Related question - 05/10/2009 16:37

Originally Posted By: tanstaafl.
What makes me pretty sure it was NOT phishing is that I can now log into PayPal with my NEW password. And I am pretty sure it IS the PayPal site I logged into because I can list my transactions.


If you want to be extra sure, change your password again once you have verified you're actually on the real PayPal site.

A really good phishing attack will relay the input credentials in the background to the real site and be able to present you the various account bits you'd expect to find there. :)

IMO, PayPal should not ask for the full credit card number for verification. It should ask only for specific digits from the card or your bank account. It doesn't need the whole thing for verification purposes. Besides, if someone had access to your PayPal account because they had gained access to your computer or your home, they'd also likely have the full account number, wouldn't they? Say from bank statements for example.
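An added example, not part of the original thread: since a relaying page can show genuine account details, one way to confirm "you're actually on the real PayPal site" is to check the host in the address bar rather than the page contents. The sketch below assumes `paypal.com` is the only domain trusted for login; `check_login_url` is a hypothetical helper and every sample URL is constructed.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only domain trusted for login.
TRUSTED_DOMAIN = "paypal.com"


def check_login_url(url, trusted=TRUSTED_DOMAIN):
    """Return (ok, reason) for a URL copied from the browser's address bar."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        # In https://www.paypal.com@host/ the text before '@' is userinfo,
        # and the browser connects to whatever follows the '@'.
        return False, "userinfo before '@' hides the real host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    if not host.isascii():
        return False, "non-ASCII characters in host (possible look-alike)"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode (IDN) label in host"
    # Exact match or a true subdomain; 'paypal.com.example.org' fails both.
    if host == trusted or host.endswith("." + trusted):
        return True, "host is %s or a subdomain of it" % trusted
    return False, "host %s is outside %s" % (host, trusted)


# Constructed sample URLs (none taken from the thread except the first).
SAMPLES = [
    "https://www.paypal.com/",
    "https://www.paypal.com/security-check",
    "http://www.paypal.com/",
    "https://www.paypal.com.security-check.example/",
    "https://www.paypal.com@login.example.net/",
    "https://notpaypal.com/",
    "https://www.p\u0430ypal.com/",  # Cyrillic 'a' in place of Latin 'a'
]


def audit(urls=SAMPLES):
    """Return a list of (url, ok, reason) tuples for each URL."""
    return [(u,) + check_login_url(u) for u in urls]


if __name__ == "__main__":
    for url, ok, reason in audit():
        print("PASS" if ok else "FAIL", url.encode("ascii", "backslashreplace").decode(), "-", reason)
```

A pass here only means the host name is right; the browser's own certificate validation is what ties that name to the server actually answering.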
Posted by: andym

Re: Related question - 05/10/2009 19:41

Most times when I log in to PayPal it asks me to verify/update certain aspects of my account. Pretty much every time this happens nothing needs updating so I usually just hit okay. If they were phishing then they already had enough info to do me over. But it hasn't happened.... yet.
Posted by: mlord

Re: Related question - 05/10/2009 20:05

Mmm.. this funny stuff hasn't hit me yet, but thanks for the warning: I've just now gone and withdrawn my entire PayPal balance.

If they want to lock me out.. no problem.

Cheers