I just gave many, many personal details to a fake Paypal page, now what?
December 15, 2016 12:04 AM

I received an email from 'Paypal' stating that an unknown device had attempted to change my password and to click on the link to verify my account. I went to the link and provided a stupid amount of details and as soon as I submitted them I realised what I had done.

I've called Paypal (who confirmed it was a scam) and my bank. They have cancelled my bank card and my online banking can no longer be accessed without a security tag. I have been provided with links to services such as Scamwatch and IDCare but I'm unable to call them as it's now past 5pm in Australia (where I'm located) but I will call them tomorrow morning.

I'm wondering if there's anything I can do in the meantime to prevent anything from occurring.

For full context: I provided my full name, DOB, address, license number, bank card number, expiry, CCV, account number, BSB, and my mother's maiden name to the scam page.

Please note: I have been cringing the whole time I've been typing this. I know how silly this is and looking back I can see 100 and 1 warning signs, please go easy on me.
posted by tegna56 to Law & Government (8 answers total) 2 users marked this as a favorite
Have you changed your Paypal password? I'd do that first and then change passwords on anything linked to your Paypal, especially email accounts like Gmail. If you use the same passwords in multiple places (you shouldn't) then change them too. Ideally you should randomise them and consider a password manager that will let you generate random, long passwords.

I'm not sure of the best services for credit score checking in Australia, but I'd sign up to at least one credit bureau on a trial to make sure no credit is taken out in your name. You may be able to put a credit freeze in place that will prevent credit being taken out without extra checks.

Also don't feel too bad - these kinds of scams are very sophisticated and designed to take advantage of our natural instinct to be trusting of each other, and to hit us when we're overwhelmed and busy. It's a tough way to learn never to fill in a form from an email link, but you'll never do it again.

I got caught by a similar phishing attempt, thankfully only for Twitter details. But even now when Paypal sends me a real email with a button in it (why do they do that? why?) I never click it - I go to the website manually, myself, and log in directly. Trust nothing you receive in email unasked for. Absolutely nothing.
posted by Happy Dave at 12:22 AM on December 15, 2016 [6 favorites]

Since you've cancelled your card, there's little the scammers can do with it.

But they have your bank account number and other identifiers so maybe you might want to ask your bank to provide some sort of additional security, or change your account number altogether.

If it's any consolation, I once had my wallet stolen in the Paris subway right after a loud speaker announcement to be aware of pickpockets in the station and me thinking "what idiot gets his wallet stolen after a warning like that?"
posted by Kwadeng at 12:23 AM on December 15, 2016 [2 favorites]

I can see four obvious ways for scammers to use this info.
1. use your credit card - which has been cancelled, so you are fine there.
2. get into your bank account, especially if you used your mother's maiden name as a security question, but it sounds like your bank has activated 2-factor authentication there, so no worries.
3. use combinations of your name/DOB and mother's maiden name to try to break into other accounts. They would probably focus on your email because if they can hack that, they can use it to reset other passwords e.g. for PayPal etc.
4. use your licence number, DOB and address to open new bank accounts in your name, for e.g. money laundering purposes. Maybe even to apply for credit cards in your name.

So you want to focus on preventing 3 and 4, I think. You should turn on 2-factor authentication on every account possible. Especially your email. If you ever use your date of birth or mother's maiden name as answers to security questions or PINs, go into as many accounts as you can think of and change that. Stop using them from now on.

For 4 you should be able to keep an eye on these through IDCare, and they aren't going to be able to open a new account and access it immediately, so you have time to worry about this in the days/weeks ahead.
posted by lollusc at 12:27 AM on December 15, 2016 [2 favorites]

This really sucks. I did something similar several years ago, which did result in some identity theft. I used Veda to do a credit check to make sure that there was nothing else going on. It might be too early to do one now for this situation, but Moneysmart recommends doing them annually.

Which reminds me, I should get a fresh one done!
posted by kinddieserzeit at 2:51 AM on December 15, 2016

You go easy on yourself!!
"PayPal" emails me at least 3 times a month with exactly this kind of thing. I don't even have a PayPal account and seriously, that's the only thing that's saved me from myself.

In future, any email that starts "Dear Client" or "Dear 'youremailaddress'" - it's not real. PayPal and other companies will always email you by your first name rather than something generic like that.

This sh*t happens to people all the time... it's why the scams are so popular. You were caught in a moment of madness, it happens. You be nice to yourself!!
posted by JenThePro at 7:45 AM on December 15, 2016 [2 favorites]

I'm not seeing anything immediate in regards to Australian-specific resources for doing this, but you might investigate whether it's possible to get a credit freeze, so that no one can open new lines of credit in your name with the info they've stolen.
posted by Aleyn at 5:54 PM on December 15, 2016

"This sh*t happens to people all the time... it's why the scams are so popular. You were caught in a moment of madness, it happens. You be nice to yourself!!"

Further evidence of this: Cory Doctorow describes how he got phished. No matter how internet savvy we think we are, it only takes a brief lapse to get caught by one of these, and no one can be perfectly vigilant all the time. So don't be too hard on yourself!
posted by DevilsAdvocate at 10:40 PM on December 15, 2016

This is becoming so common; an incident of a similar nature happened to my friend recently. He was looking for some scholarship/endowment opportunity to ease his tuition fee burden but ended up giving away banking credentials by filling in a bogus form purporting to be from the university.

The deadline was so close that he could not even get a chance to discuss it with me. Luckily we managed to lock that account from the bank, otherwise he could have lost all his hard-earned money. Here are some tips explained through an informative article on Huffington Post:

NEVER share your passwords with anybody. A legitimate person, such as a university’s IT/Finance support personnel, will never ask you to reveal your password.

Students should be particularly concerned about an email that carries a link for them to follow. Remember, universities have a separate section about scholarships and other funding opportunities on their website, plus a CTA (Call to Action) option for students to apply.

If you figure a spam/phishing mail, then immediately call/email the concerned university staff to verify the message. When approaching via email, make sure you send it to a verified address mentioned on the university website or any authentic place. Replying to a phishing email would be as dangerous as following any links in the message.
posted by esfar at 4:13 AM on March 20, 2017
