Emails with links

Seek assistance with all types of tech. - computer, phone, TV, heating controls etc.
Watis
Lemon Quarter
Posts: 1414
Joined: November 5th, 2016, 10:53 am
Has thanked: 354 times
Been thanked: 494 times

Emails with links

#210574

Postby Watis » March 27th, 2019, 9:07 am

I've had an email from PayPal this morning - which I believe is genuine - asking me to confirm my phone number, should they need to get in touch quickly.

Part of the correct phone number is displayed in the email.

Wouldn't it be better to be asked to do nothing if the phone number is correct, rather than click a link, because that seems soooo spammy.

Watis

Slarti
Lemon Quarter
Posts: 2941
Joined: November 4th, 2016, 3:46 pm
Has thanked: 640 times
Been thanked: 496 times

Re: Emails with links

#210655

Postby Slarti » March 27th, 2019, 11:56 am

Yes it would.

Or even better asking you to log into your account in the normal way and do the confirmation there.

There are very, very few emails where I will click a link.

Slarti

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Emails with links

#210657

Postby Infrasonic » March 27th, 2019, 12:00 pm

What leads you to believe it is genuine?

Have you looked at all the message source headers, and does it pass all the DKIM/SPF and DMARC processes?
What is the IP address and SMTP address?
Even then as we discovered recently on another thread, phishing emails can be sent from behind legitimate fronts (cloud services) which will let them pass many security checks. The emails and linked websites are clones of the genuine article, so very difficult to spot.
viewtopic.php?f=39&t=16627

The safest option is never to follow links, always log in to accounts via the browser/bookmarks or a search engine search. Even with search engines you have to be careful as SEO experts can get dodgy sites high in the rankings, especially the smaller ones.

Watis wrote:Wouldn't it be better to be asked to do nothing if the phone number is correct, rather than click a link, because that seems soooo spammy.

Most of my security alerts that I get for various services when say a non whitelisted device logs in to an account do exactly that, no action required unless it is considered a fraudulent log in.

https://haveibeenpwned.com/
Last edited by Infrasonic on March 27th, 2019, 12:10 pm, edited 1 time in total.

Alaric
Lemon Half
Posts: 6057
Joined: November 5th, 2016, 9:05 am
Has thanked: 20 times
Been thanked: 1413 times

Re: Emails with links

#210660

Postby Alaric » March 27th, 2019, 12:08 pm

Watis wrote:Part of the correct phone number is displayed in the email.


Someone, PayPal or a scammer, has associated your email address with a phone number. Usually it's a mobile that those taking online credit cards may need, given the new security insistence on sending a text with a code to validate an online purchase.

Alaric
Lemon Half
Posts: 6057
Joined: November 5th, 2016, 9:05 am
Has thanked: 20 times
Been thanked: 1413 times

Re: Emails with links

#210664

Postby Alaric » March 27th, 2019, 12:12 pm

Infrasonic wrote:Most of my security alerts that I get for various services when say a non whitelisted device logs in to an account do exactly that, no action required unless it is considered a fraudulent log in.


I've found that using a hotel wifi with Gmail can sometimes cause this. It's a menace if it locks the Gmail account. I don't start the mail client automatically, so the workaround is to fire up my phone's wifi hotspot to check emails. Perhaps caution is needed anyway if using hotel wifi for anything financial.

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Emails with links

#210665

Postby Infrasonic » March 27th, 2019, 12:17 pm

Alaric wrote:
Infrasonic wrote:Most of my security alerts that I get for various services when say a non whitelisted device logs in to an account do exactly that, no action required unless it is considered a fraudulent log in.


I've found that using a hotel wifi with Gmail can sometimes cause this. It's a menace if it locks the Gmail account. I don't start the mail client automatically, so the workaround is to fire up my phone's wifi hotspot to check emails. Perhaps caution is needed anyway if using hotel wifi for anything financial.


Another option that might work there would be to have your own travel router that you carry around with you.

https://www.google.com/search?q=best+tr ... e&ie=UTF-8

Watis
Lemon Quarter
Posts: 1414
Joined: November 5th, 2016, 10:53 am
Has thanked: 354 times
Been thanked: 494 times

Re: Emails with links

#210677

Postby Watis » March 27th, 2019, 12:39 pm

Infrasonic wrote:What leads you to believe it is genuine?

Have you looked at all the message source headers, and does it pass all the DKIM/SPF and DMARC processes?
What is the IP address and SMTP address?
Even then as we discovered recently on another thread, phishing emails can be sent from behind legitimate fronts (cloud services) which will let them pass many security checks. The emails and linked websites are clones of the genuine article, so very difficult to spot.
viewtopic.php?f=39&t=16627



Thanks, Infrasonic.

I've extracted the following from the email header:

Authentication-Results: <redacted>.yahoo.com
header.i=@paypal.co.uk; header.s=pp-dkim1; dkim=pass (ok)
Received: from 127.0.0.1
(EHLO mx1.phx.paypal.com) (66.211.168.231)
by <redacted>.yahoo.com with SMTPS; Wed, 27 Mar 2019 03:59:21 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.co.uk; s=pp-dkim1; c=relaxed/relaxed; q=dns/txt; i=@paypal.co.uk; t=1553659161;


There's no 'dmarc' entry though.

Watis
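An added example, not part of any post in this thread: a Python sketch of reading an `Authentication-Results` header the way the posts above discuss, checking that the header was stamped by your own provider and that any DKIM/SPF pass is for the domain in the From address, since a pass for some other sending domain says nothing about PayPal. The sample headers are constructed (the first modelled on the excerpt above, in standard RFC 8601 layout), `mx.example.net` and `bulk-sender.example` are placeholders, and the alignment test is a conservative simplification of DMARC's.

```python
import re

def parse_auth_results(value):
    """Split an Authentication-Results value (RFC 8601 layout) into the
    authserv-id and a list of per-method results."""
    value = re.sub(r"\([^)]*\)", " ", value)            # drop (comments)
    parts = [p.strip() for p in value.split(";")]
    results = []
    for part in parts[1:]:
        m = re.search(r"\b(dkim|spf|dmarc)=(\w+)", part)
        if m:
            props = dict(re.findall(r"\b((?:header|smtp)\.\w+)=(\S+)", part))
            results.append({"method": m.group(1), "result": m.group(2), "props": props})
    return parts[0].split()[0].lower(), results

def aligned(auth_domain, from_domain):
    """Conservative alignment: identical, or a subdomain of the From domain.
    Real DMARC compares organizational domains using the Public Suffix List."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f)

def assess(value, from_domain, trusted_authserv):
    authserv_id, results = parse_auth_results(value)
    if authserv_id != trusted_authserv.lower():
        return "untrusted-header"          # anyone can add this header upstream
    for r in results:
        if r["method"] == "dmarc":
            return "dmarc-" + r["result"]  # the receiver's own DMARC verdict
    for r in results:
        p = r["props"]
        ident = p.get("header.d") or p.get("header.i") or p.get("smtp.mailfrom") or ""
        if r["result"] == "pass" and aligned(ident.split("@")[-1], from_domain):
            return "aligned-" + r["method"] + "-pass-no-dmarc"
    return "no-aligned-pass"

# Constructed samples; mx.example.net and bulk-sender.example are placeholders.
LIKE_THREAD = "mx.example.net; dkim=pass (ok) header.i=@paypal.co.uk header.s=pp-dkim1"
CLOUD_SENT = ("mx.example.net; dkim=pass header.d=bulk-sender.example header.s=s1; "
              "spf=pass smtp.mailfrom=bounce@bulk-sender.example")
FORGED = "mail.paypal.co.uk; dkim=pass header.d=paypal.co.uk; dmarc=pass"

if __name__ == "__main__":
    for sample in (LIKE_THREAD, CLOUD_SENT, FORGED):
        print(assess(sample, "paypal.co.uk", "mx.example.net"))
```

Even an aligned pass only shows which domain sent the message; it does not vouch for where a link in the body leads.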

supremetwo
Lemon Quarter
Posts: 1007
Joined: November 8th, 2016, 2:20 am
Has thanked: 130 times
Been thanked: 196 times

Re: Emails with links

#210681

Postby supremetwo » March 27th, 2019, 12:43 pm

Watis wrote:I've had an email from PayPal this morning - which I believe is genuine - asking me to confirm my phone number, should they need to get in touch quickly.

Part of the correct phone number is displayed in the email.

Wouldn't it be better to be asked to do nothing if the phone number is correct, rather than click a link, because that seems soooo spammy.

Watis

We've received hundreds of reports about these fake PayPal emails! The links lead to convincing-looking sites that are designed to steal your login details, personal and financial information!
https://www.facebook.com/actionfraud/ph ... =1&theater

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Emails with links

#210688

Postby Infrasonic » March 27th, 2019, 1:02 pm

There's a free email header analyzer here, put the whole header into it, from top to bottom.
https://mxtoolbox.com/EmailHeaders.aspx

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Emails with links

#210694

Postby Infrasonic » March 27th, 2019, 1:22 pm

Watis wrote:There's no 'dmarc' entry though.


Both Yahoo and PayPal are DMARC users, so there should be some sort of report for it if genuine.
Ideally it should say =PASS but that's dependent on the implementation at the receive end, as there is a choice to send to inbox, spam folder or delete.
Too draconian on your DMARC settings and you'll get genuine emails being blackholed potentially. Most webmail services are fairly benign though.

Anything that is remotely 'security' based communication from a major company would almost certainly employ DMARC (if only to remain ISO or GDPR compliant), although lower level marketing and general information emails often skip it and are sent from non DMARC SMTP.

It's also possible for genuine emails which pass all the end to end validation to end up in your spam folder if the spam filters detect some recent change. I had it with a recent bank email that used a new SMTP address and a NoReply return address, both changes to previous emails from that part of the bank. A stupid thing to do by the bank as I'm sure many people would have had the same bank emails spam foldered without realising they were genuine, possibly even reporting them as phishing attempts.
I report all the genuine spam in my folder as phishing attempts but I don't know if it makes any real difference by being sent to some separate AI analysis or not. They end up in the deleted folder a few seconds later after reporting.

Watis
Lemon Quarter
Posts: 1414
Joined: November 5th, 2016, 10:53 am
Has thanked: 354 times
Been thanked: 494 times

Re: Emails with links

#210703

Postby Watis » March 27th, 2019, 1:33 pm

Infrasonic wrote:There's a free email header analyzer here, put the whole header into it, from top to bottom.
https://mxtoolbox.com/EmailHeaders.aspx





Thanks for the link, Infrasonic.

My email passed the dmarc, spf and one of two dkim tests. The dkim failure was that the body hash did not verify.

Watis

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Emails with links

#210714

Postby Infrasonic » March 27th, 2019, 1:54 pm

Watis wrote:
Infrasonic wrote:There's a free email header analyzer here, put the whole header into it, from top to bottom.
https://mxtoolbox.com/EmailHeaders.aspx





Thanks for the link, Infrasonic.

My email passed the dmarc, spf and one of two dkim tests. The dkim failure was that the body hash did not verify.

Watis


That could just be a configuration issue.
Did you check your Yahoo address on https://haveibeenpwned.com/
Yahoo have had a few big data breaches over the years, although they are claiming that passwords et al were suitably encrypted, not stored in plain text.
I have a Yahoo account for newsletters only, but don't store any of my real name or contact details on it, so if it was/is hacked there's nothing for them to go after.
There was a Facebook security alert the other day for plain text stored passwords, so it does happen even with the big corporations, although the press tend to overdo the actual danger from a probability perspective.

Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

Re: Emails with links

#210765

Postby Infrasonic » March 27th, 2019, 3:46 pm

For sensitive emails from banks, PayPal, solicitors et al you could always use something like a free ProtonMail account...
https://protonmail.com/

