Recently we have received a PayPal phishing email and it looks like this.
It is not hard to spot that this email is a phish since clicking on the link does not take us to PayPal.com but to some remote site (which is already blocked by Sophos's web appliance).
The web page loaded from this site disguises itself as PayPal.com as shown below.
However, this web page is just an image of the real PayPal.com web page. All the tabs and links on this fake web page can not be selected and only the email address and password text field can be used. This is another obvious sign that the web site is fake. By logging in with some fake email address and password we were lead to the following page.
By clicking on the link we were directed to another web page as shown below.
How can we tell that this web page is fake? It is quite simple, this page has the following URL.
We provided some fake account and address information, the site then redirects us to a page asking us to supply our banking details.
We then decided to supply more fake banking information to the web page and see where it will lead us. As a result we were lead to the following page.
Finally, the site will refresh and redirect us to the genuine PayPal.com web page.