Whatever the PayPal hoaxers are up to, they are expending a lot of effort doing it. If you haven't received a spoof email yet, it appears to come from PayPal, the internet payment company, and contains logos and copyright information to make it seem authentic. But it also comes with a form asking for your credit card details so PayPal can "detect inactive customers". And, of course, when you click Submit, your credit card details don't go to PayPal but to a website set up by the spoofster.
It is a simple ruse - so simple you might imagine it would be a non-starter. But the mails have continued for several months, the latest just a few days ago, and they are on the increase. But is it a big problem and is anybody doing anything about it?
Internet registration records show that one recent message sent responses to a server belonging to a Surrey-based ISP. Its technical director explains what happens. "The spammers put up a site that looks vaguely like PayPal and then send out a spam that contains a form. If the recipient bangs in his credit card details, our server picks them up and stores them in a file. Every so often the spammer checks that file for additions.
"After the sites are set up, they must start spamming within an hour. We take all the sites down as soon as we find them. Our average is about six hours and our record is to cut the site off within 90 minutes," he says.
The technical department of an ISP is in a privileged position to witness the success of the scam, which can be described as frightening. "We sat there one Saturday afternoon and even though the server was sending out 404s [ie. it had been shut down], a credit card number with its Pin arrived every two or three minutes," says the technical director.
And that explains why the spammers are so persistent: their ruse is working. The ISP says that around 40 or 50 scam sites were set up at the beginning of June and were all reported to Surrey police.
Detective Constable Tony Noble, from the computer crime unit at Surrey police, confirms the police are working with the ISP to investigate the scam. But, he says, as police priorities go, this one is relatively low on the list. Noble identifies the major stumbling block. "We have yet to find somebody that has lost money."
And herein lies the great mystery. The latest wave of mails, launched a few days ago, returned responses to a site registered to a non-existent company in Las Vegas. The site remained open for more than a day until PayPal shut it down. The technical director at the Surrey-based ISP estimated that this would still have resulted in up to 500 credit card details.
It seems strange that so many card details are being collected, yet no one is reporting any financial loss. The fraud departments at Visa, Mastercard and Barclaycard have not identified significant problems, either.
There are several reasons why. The spammer could be some kind of bizarre trophy gatherer, gaining a power trip from collecting personal information. Alternatively, savvy net users could be returning authentic-looking, but false, card details. That would be an element of poetic justice.
But the sheer persistence of the spammer seems to indicate that there is more to it. One possibility is that victims are not admitting having given away their card details in case it invalidates their insurance policy.
Barclaycard say this is possible but victims of such scams are normally reimbursed for losses, so customers would have no reason to stay quiet.
But it is also possible that the motive is yet to surface. Professional fraudsters often wait months before using misappropriated cards, by which time the duped party will most likely have forgotten when they gave away details.
In the meantime, PayPal is stepping up efforts to educate people. The UK's National Hi-Tech Crime Unit has also been alerted. The unit classifies the situation as an ongoing investigation, but adds that unless a fraud occurs, the process of collecting credit card numbers per se isn't a crime.
If we are ever to find out who is behind the great PayPal scam, then someone, somewhere will first have to lose a lot of money.
