
HELP PayTm.com - should I be worried?


Go to solution Solved by Nick H.,

Question

+E.Worm Jimmy

This is the series of emails I have received over last 24 hours. except the first one, the "welcome" email is from december, when i tried to contact them to figure it out...

 

 

i went to that site, and used my email to reset password, it allowed me to do so, and change the password, but would not allow me to login without

One Time Password (OTP) has been sent to your mobile ******3263, please enter the same here to login
 

this has happened before, 6 months ago, and when i contacted them, they first replied asking for more information about the specific transaction, and when i replied i never signed up for the service, they never replied again.

 

should i be worried, or, since i assume someone is using the account with indian phone #,   should i just add it to spam?

 

other people are reporting similar issue

http://cybercrimecomplaints.com/content/fraudulent-use-my-email-id

 

 

so, neowin, advise me please! also, from the emails it looks like money was received then sent, then sent and received, to the same person. leaving balance as 0.

 

:huh: :huh: :huh:

 

and how did they verify my email....    (though considering that you can reset password by entering the #### sent to your phone, maybe, just maybe they never verified the email, and only the phone #

 

 

what should i do???

 

 

 

Hi there!

Thanks for choosing Paytm!

Get started on a simple and incredible experience on Paytm. You can use Paytm to recharge your mobile or DTH, pay your bills or shop online!

We have also created a Paytm Cash Wallet for you. If your order fails, you will find your money safe in it. You can use it for your next order at Paytm right away.

Click here (https://accounts.paytm.com/activate?code=8bdca300-7b6a-11e4-ade7-061a96f49bbe) to verify your email address and enjoy additional security in your Paytm account.

Should you need any further assistance, contact us at care@paytm.com (mailto:care@paytm.com)

Look forward to see you again at Paytm.

Paytm Care Team

 

 


 

 

Hi there!

Somebody recently asked to reset your Paytm account password.

Click here to reset your password.

If you did not request a new password, please let us know immediately at care@paytm.com

See you soon on Paytm.

Paytm Care Team

 

 

 

Hi There!

Your friend, karthiksreerama@yahoo.com, has sent you Rs.200.00 to your Paytm wallet.

Your updated balance is Rs.200.0.

Please visit https://paytm.com/paytmwallet to see your account details.

For future reference, your Transaction ID is 123577258.

You can use the Paytm Wallet for simpler payments, instant refunds and recieve cash-backs. Paytm Wallet can be used to recharge your mobile, DTH, pay your bills or shop online at following websites and many more*.

 

 

Hi There!

You have sent Rs.200.00 to your friend's Paytm wallet ( karthiksreerama@yahoo.com).

Your updated balance is Rs.0.0.

For future reference, your Transaction ID is 123860914. If you need any further assistance, please write to us at care@paytm.com

Paytm Team

 

Hi There!

Your friend, karthiksreerama@yahoo.com, has sent you Rs.250.00 to your Paytm wallet.

Your updated balance is Rs.250.0.

Please visit https://paytm.com/paytmwallet to see your account details.

For future reference, your Transaction ID is 129932190.

You can use the Paytm Wallet for simpler payments, instant refunds and recieve cash-backs. Paytm Wallet can be used to recharge your mobile, DTH, pay your bills or shop online at following websites and many more*.

Hi There!

You have sent Rs.250.00 to your friend's Paytm wallet ( karthiksreerama@yahoo.com).

Your updated balance is Rs.0.0.

For future reference, your Transaction ID is 129961854. If you need any further assistance, please write to us at care@paytm.com

Paytm Team

 

 


13 answers to this question

Nick H.

Wait. You didn't sign up for the service, but you still went to the website and used your email to reset the password? :blink:

Regardless, if you didn't sign up for the service or you don't use it, I would just consider it spam and leave it at that. Since you haven't provided them with any details (banking and such, as now they have your email even if they were just guessing at the beginning) then it would seem that there is little they can do other than send you further emails.

A Real American!

wow they were first calling as IRS then as Microsoft and now they are exploiting other people's emails. FBI where are you? NSA? CIA? somebody stop them.

xendrome

Just spam the e-mails and move on with your day?

sc302

spam should be deleted/ignored/set to block. 

 

This is spam.  You should never have acted upon it.

+Dick Montage
Wait. You didn't sign up for the service, but you still went to the website and used your email to reset the password?

 

Yeah... Why the hell did you do that?  Now they have:

 

1) A verified email address.

2) A possible/probable password to associate with that address.

 

I know you're tech savvy, so I would assume that you didn't use your "go-to" password, but then again you fell for this scam so...

 

Come on mang, you better than this ;)

+E.Worm Jimmy

Wait. You didn't sign up for the service, but you still went to the website and used your email to reset the password? :blink:

 

 

yeah, but it allowed to reset the password, but it won't allow me to login, without the # they are supposed to send to the cell #

 

 

yeah, i guess i will spam it. they don't have anything else other than email and my first name, so who cares...

Yeah... Why the hell did you do that?  Now they have:

 

1) A verified email address.

2) A possible/probable password to associate with that address.

 

I know you're tech savvy, so I would assume that you didn't use your "go-to" password, but then again you fell for this scam so...

 

Come on mang, you better than this ;)

 

i used password1 ;) i thought it was a legitimate site, since i have seen other people accidentally use my email when signing up for legitimate sites, and i had corrected the issue with the sites very fast, as the owners of the account realized their mistake.

 

 

my email password is FAR FAR different to the one i will ever use on any other site, especially an unknown.

 

 

yeah, probably should not have verified the email though, but i did so in my original reply to them that i did not sign up, so it was too late already. then i thought it was a genuine mistake.

Draconian Guppy

Wait. You didn't sign up for the service, but you still went to the website and used your email to reset the password? :blink:

 

+1 you crazy!

 

 

What I don't understand is, why you followed up on this email, I would have just deleted it unless personal data were compromised? Or call them directly instead of keep using your personal data for logging in, etc.

+E.Worm Jimmy

Wait. You didn't sign up for the service, but you still went to the website and used your email to reset the password? :blink:

Regardless, if you didn't sign up for the service or you don't use it, I would just consider it spam and leave it at that. Since you haven't provided them with any details (banking and such, as now they have your email even if they were just guessing at the beginning) then it would seem that there is little they can do other than send you further emails.

 

you can close this thread now. not much to tell really. i better just spam anything like that, but i really thought it was a genuine issue for a second there. silly me.

+1 you crazy!

 

 

What I don't understand is, why you followed up on this email, I would have just deleted it unless personal data were compromised? Or call them directly instead of keep using your personal data for logging in, etc.

the only personal data is the email which they have already.   

+Dick Montage
i used password1

 

Phew :)

 

So look - how spam works (all numbers are fictional but the point stands):

 

You have a list of 10,000 potential email addresses - all unverified - this list is worth 10,000 (

+E.Worm Jimmy

Phew :)

 

So look - how spam works (all numbers are fictional but the point stands):

 

You have a list of 10,000 potential email addresses - all unverified - this list is worth 10,000 (

TAKEITBILL

From the way it went it seems spam but did you use PAYTM from India for recharging prepaid phones?

WHY?

have you been to INDIA recently? 

+E.Worm Jimmy

From the way it went it seems spam but did you use PAYTM from India for recharging prepaid phones?

WHY?

have you been to INDIA recently? 

 

 

no, but i do use some other payment services to send money to people in other countries.

i also have a couple of good indian friends and i know a lot of indian people in my city. so i assumed maybe it was a service i once used and forgot about.

TAKEITBILL

no, but i do use some other payment services to send money to people in other countries.

i also have a couple of good indian friends and i know a lot of indian people in my city. so i assumed maybe it was a service i once used and forgot about.

That website looks totally legit to me. it has visa checkout, master secure and they even support blackberry, windows phone and java phones, that's more than amazon supports. I think you are fine.

This topic is now closed to further replies.