I accidentally in your base

I just received a fake PayPal phishing email that almost caught me out... there's something I never expected to say.

The phishers have hacked an ecommerce site that I used last year. They then used my email address and full name from that store to email me - meaning that the email met the 'genuineness' criteria PayPal themselves give in the sidebar of their own emails (which this one was an exact copy of):

PayPal will never send an email with the greeting "Dear PayPal User" or "Dear PayPal Member." Real PayPal emails will address you by your first and last name or the business name associated with your PayPal account.

Cunning. The only reason I spotted it is that I use tailored email addresses - so the To: address on the phishing email was the one I gave to the web-shop, not the one I gave to PayPal. Obviously for most people, this would not be the case - they use one email address for everything. The links go to paypal.com.mx, but it's a good copy of the real PayPal website and I have to say that I probably wouldn't have noticed the TLD if it wasn't for the To: address inconsistency.

I've phoned the store that run the web-shop, and amazingly enough the guy I spoke to had enough technical background to understand what I was telling him - he's kicking off an investigation right now. He says they don't store credit card details, so even if their ecommerce system has been completely 0wn3d I should be fairly safe.

Overall, I have to say I'm impressed... very sneaky indeed.