A rather generic but well-crafted fake American Red Cross email has recently been hitting inboxes around the world and asking recipients for donations.
Because the link in the email visibly leads to a legitimate PayPal account, users might feel safe following it.
Still, the account in question seemingly does not belong to the American Red Cross, but to the owner of the firstname.lastname@example.org email address and account.
“Other than a short user-supplied bit of text, there is no indication that Thomas March has any connection with the American Red Cross,” Barracuda Labs’ researchers point out. “While paypal.com is a well known legitimate website, that means nothing when it comes to the destination of monies transferred.”
Even though this particular email doesn’t dupe users into sharing personal and financial information, we can safely assume that a donation made here will never reach the Red Cross.
In fact, the organization has its own dedicated, HTTPS-protected web forms for donations, and these are the only pages through which online donations should be processed.
“This underscores one of our primary pieces of advice when it comes to email security,” say the researchers. “Never follow links in email. The risk that the link is spoofed is just too great.”