Below is an image of portions of the e-mail:

Paypal Scam E-Mail

One clue is that the To: field had nothing in it. So while the e-mail was sent to me, they didn’t directly identify my account in the to field.  Most people don’t display the to field in their e-mail program, so that is not a dead giveway. Next, take a look at the product number. Usually PayPal e-mails identify the source of the transaction, which in this case it did not explicitly, although later in the e-mail it displayed someone’s eBay user ID. Since the product number looks a lot like an eBay number, I checked that out and of course found no product listed there.

Another clue is in the following section:

PayPal Scam E-mail Section 2

Here the name of the eBay seller supposedly is John Deprimo, but shortly after that there is an important note indicating that Cheryl Blake has an unconfirmed address.

But the full giveaway is really the links — and usually that is the case. For example, there are three links in the e-mail. One is to an e-mail address. One actually goes to PayPal. And then there is the Dispute Transaction link (see the first image in the post). If you hover over this link in Outlook (and in most e-mail web clients worth their salt) the actual target of the link is show.  In this case it is not PayPal, but some URL to “sytes.net.”  And even though it says encrypted link, it is not — instead it all goes across http unencrypted.

So for many this may be old news to you. But it happens every day when someone gets taken by something like this. Use caution and review all of the material in an e-mail. Go to the site directly instead of through the e-mail if you are suspicious. And for PayPal in particular, consider using the electronic security keys that require that you type in a number in addition to your password for logging into your account.

As we discussed in the previous post, I have am confidence that Yodlee, CashEdge, Mint and Geezeo have a very high level of security to protect your information. As an individual, you are more at risk from phishing or having your own computer compromised whether by virus, trojan horse, or theft.  Keep in mind though that there is significantly more incentive for someone to compromise the financial websites security than there is for someone to steal just your individual information. Regardless of whether you choose to use an account aggregator, or simply log on to your financial institution’s web site periodically, it is a good idea to put some basic protections in place.

So what are some of the ways that you can protect yourself from all of these threats?

Check Your Account Statements Often

Staying Safe On-line

First and foremost it is important to keep an eye on transactions in your accounts. It seems logical to check bank accounts and credit card statements frequently. But you also need to check brokerage accounts and retirement accounts frequently. With brokerages and retirement accounts, you have no protection from the maintainer of the account if someone were to drain the accounts. Your only real protection is to detect that it is happening quickly and take action before a distribution can be made.

Some financial institutions, of course, have protections on what happens when the address on the account gets changed. They may notify you via e-mail or regular mail if this happens. This helps in the event that a thief attempts to change the address before requesting a distribution. But this protection is inconsistent across different companies.

When you check your accounts, you are really just doing a quick scan to make sure there are no unexpected distributions or transactions. This is a case where account aggregators can actually improve your security. With aggregators you only need to look in one place to view the transactions.

How often should you check your accounts?  Generally you should check them within the window of protection. For instance, credit cards usually give you the most protection from fraudulent activity. Visa and Mastercard Debit Cards carry similar protection to credit cards, but only if you sign for the purchase as opposed to using your PIN.  But with brokerages and retirement accounts you have very little time to react.

My recommendation is that you check your accounts at least every three days to provide enough coverage for any account type.

Use Passwords Wisely

Password safety is very important, but it is easy to get into a system where you use the same password for every account or most accounts. For the ultra paranoid, the only real way to be safe here is to use a different password for every account. That is probably a bit overkill, but I would recommend protecting certain accounts with a strong unique password. For example, your primary bank account with the majority of your cash should be well protected. Some of your lessor accounts like the account aggregator, where you cannot move money around, may have a less strict password.

Here are some of the steps you can take to improve your password usage:

• Remembering unique and strong passwords is always a challenge. You have to make a choice whether you want fewer passwords and you want to memorize them, or whether you want to store them somewhere.
• If you choose to memorize them, a good tip is to use the first letter in each word of a well known phrase. Then you can replace some letters with numbers or capital letters to improve the strength.
• My personal choice is to store them using Keepass.  I have been using the 2.x version (don’t let the beta designation scare you, it is a very stable utility). There is certainly a risk if your Keepass file is stolen, so keep the password to it strong — and make sure you protect the file as much as possible.  Keepass can generate very strong passwords, and make it easy for you to quickly find the unique password for any site.
• Create passwords that are at least 8 characters in length and contain both lower case and upper case letters along with some numbers.  An 8 character password with just lower case letters in it takes only about 5 hours to break. Adding some alternate case letters and numbers into the password increases that time to 25 days.
• Change your passwords periodically, around once every two years if there are no breaches on your accounts.  If one of your accounts is breached, change all of your passwords as soon as possible. Again this is an area where Keepass can help keep track of the passwords.

Freeze Your Credit

I have not made it a secret that I think freezing your credit is one of the best ways to protect yourself.  There are some institutions that still use a Social Security as a user ID. Thankfully these are dwindling.  Although it won’t protect the specific account, freezing your credit will help protect your identity should a site that uses or stores your social security number be compromised.

Protect Your Computer

A complete discussion of appropriate ways to protect your computer and your home network is beyond the scope of this article, though I intend to cover it in the future. In the meantime, here are some high level tips for protecting your computer:

• Always use a router with a firewall for a home connection to the Internet
• For on the road, make sure a software firewall is installed
• Make sure you have up to date antivirus and spyware software
• Also keep the operating system updated, preferably by using the auto update feature
• If you have more than one computer, consider using aggregators or Quicken on the computer that is not used for day to day web surfing.  The computer you use for average daily use is where you are more likely to download and install things into the browser that could compromise your system.

For the Ultra Paranoid

If you really don’t like the idea of using the on-line account aggregators, you can always use Quicken or GNUCash to keep a view on your accounts. However if you are this concerned, I recommend downloading your transactions manually by logging into each site and downloading them from there. This way your credentials are generally kept between you and the financial institution (unless the financial institution itself uses Yodlee or CashEdge).

If want to use an on-line aggregator, Wesabe appears to be the safest of them all with its options to manually upload account data and a FireFox plugin to make that process easier. I am impressed with the flexibility of Wesabe’s security and flexibility — they recognize that not everyone wants to send their credentials to a central location. Also this manual approach and the FireFox plugin both work with ING Direct which has frequently caused problems with other on-line aggregators that don’t allow manual uploads.  Of course, this approach to uploading account information is less convenient than having the aggregator pull account information directly.

Conclusion

How safe you are with on-line banking really depends on the degree to which you do all of these things. If you are dilligent about checking your accounts, but don’t pay as much attention to your passwords or your home computer safety, then work to improve in those areas even if it isn’t an immediate change. The bottom line is that if you follow the practices outlined above regarding watching your accounts, using strong passwords, and keeping your computers safe, you should be able to use Quicken, GNUCash, Mint.com, or Geezeo with enough confidence.

Credit cards can become a bit of a vicious cycle, not only from a debt perspective, but even from a tracking perspective. Just having a credit card makes it easier to spend, and makes it statistically more likely that a person will spend.  Spending and buying more results in potentially more debt, but it also makes it more difficult to track all of the spending and whether the amount is correct or not.

Our credit card was used for fradulent charges a couple of months ago. The charges occurred in Europe and they happened over a Friday / Saturday. Fortunately, Quicken pulls in recent charges from Capital One during the middle of the billing cycle, and I noticed two charges before any more could be made.

In our first call to Capital One, we apparently did not specify that we need to talk to the fraud department. We disputed the first charge, however instead of simply disputing we needed to inform the fraud department. After we saw the second charge, we made sure we were talking to the fraud department, asked that the card be frozen and received a new card about a week later.

Some important lessons from this include:

Check Charges On-Line, Often

The best bet is to check the credit card site directly, and check it every few days.  Even using Quicken I don’t receive the charges until a day or two after the charge. And at the end of the billing cycle, Capital One seems to shut down its feed to Quicken of my charges until the statement is ready.  So checking on the card issuer site directly provides the most up-to-date information.

Call Immediately if there is Fraud

Call the credit card immediately if you notice fraudulent charges, and make sure you are speaking to the fraud department (or make it clear that this is not just a charge dispute, but fraudulent charges). You will need to complete some paper work identifying the fraudulent charges and return it to the card issuer.

File a Police Report

Filing a police report may not be appropriate for all scenarios. For our situation we did not file one — the police in our city are not going to go after someone who made two illegal charges for purchasing train tickets and a bus tour in the U.K. But, if there are more than 4 charges, the amounts are significant (more than $1000) or you know the person who made the charges illegally, it is important to file the police report.

Keep Receipts

If you are concerned about modified charges as in the situation described on Free From Broke, keep your credit card receipts. Admittedly this is something I do not do but it is something to consider.

Debit Cards

With debit cards it is important to be even more diligent. Protections available with credit cards are not necessarily extended to debit cards, unless your bank chooses to provide those protections. If you do not notify your bank within 2 days of learning about the fraud, you will be liable for much more than the $50 liability limit that credit cards provide.  But aside from liability, with debit card fraud there is a good chance that you get overdrafted and are unable to make scheduled and regular payments from the account until the fraud is cleared up.

The bottom line is that you do need to keep a close eye on your accounts and identify suspicious charges or payments immediately.