I received an email this morning that appeared to be from PayPal - and I mean, it absolutely looked like it was from PayPal. It didn't help that I was checking my email on my phone while sitting at a very long red light, so I didn't have the time to look it over carefully, and so it caused an immediate gut reaction of "I didn't make any PayPal transactions", which is exactly what its intent was: to panic you so that you don't look into it further and just start clicking on links and typing in your password and whatnot. Fortunately, what I did instead was wait until I got to the office and was able to look at the email more carefully. Let me reiterate again - this email looked legit. The name was right, the graphics were right, the format was right and it wasn't just a standard receipt:
"Thanks for using Paypal. Your transaction is being reviewed because our system detected that you are using an unknown device. If the transaction was not made by you Login here and cancel it in order to get full refund. It may take a few moments for this transaction to appear in your account."
Now that's truly evil because they're playing on your fear that your account has been compromised and your instinct to fix the situation ASAP. I think a lot of people would click on the "Login here" link in a panic and then god only knows what that link leads to.
If you haven't done so already, look into all the security features that PayPal has for you to secure your account. They have a lot of them. Take advantage of all layers of security offered to you.
Unless you are physically sitting there ordering something from a site and can confirm that it's legit beyond a shadow of a doubt, don't ever take any email from PayPal at face value. If you have those layers of security in place as you should, PayPal would have warned you long before someone was actually able to make a transaction.
Don't click on links in emails. Just don't do it. It's not safe. Even if you get an email from your best friend, if they're not sitting there telling you they're sending you a link to something, don't trust it. Send them a text and ask them if they actually sent it to you or not. Whenever possible, type the website address directly into your browser. It's just safer.
If you receive an email like I did, DON'T PANIC! If someone already has access to your account, you do want to take care of it as quickly as possible, but that doesn't mean you should lose your head. Calm down, DON'T CLICK ON ANY LINKS, type the website address directly into your browser, log in from there and check your account activity. If the website tracks login attempts, check that as well.
There are often little tells in phishing emails. For instance, when I really read the statement that I quoted above, I realized that there was a typo/poor grammar. The email of the merchant that it claimed to be for (a quick Google search proved that it was a real merchant, just not one that I'd heard of before) was "Customer.Services" when the real email for that website was "Customer.Service", and there were other very minor inconsistencies. Do not, however, assume that just because you can't find an inconsistency, the email is legit.
Better safe than sorry - if you are at all suspicious of an email that you receive, type the website address directly into your browser and look into their suspected fraud/spoof/phishing procedure. PayPal, for instance, asks that you forward any suspicious emails to their "Spoof" account so they can look into it.
Change your passwords often and use strong ones; you're all familiar with the characters and whatnot that help to make a strong password, but also don't use numbers, names or objects that could easily be associated with you. Pet names, for instance, are a terrible idea, because you almost certainly mention your pet's name somewhere on social media. For the love of god, if you are one of the people who still uses "password" or "123456" or any of the really stupid passwords that are on the list of most common passwords, please knock it off and properly secure your accounts.
Thank you and have a nice day of not clicking on any links in emails.