Paypai (capitalised as
PayPaI) is a phishing scam, which targets account holders of the widely used internet payment service, PayPal, taking advantage of the fact that a capital "i" may be difficult to distinguish from a lower-case "L" in some computer fonts. This is a form of a homograph attack.
The scam involves sending PayPal account holders a notification email claiming that PayPal has "temporarily suspended" their account. Instead of linking to PayPal.com, the site references in the email link to a convincing duplicate of the site at paypai.com, in the hope that the user will enter their PayPal login details, which the owner of paypai.com can then store and use.
Paypai was first active in mid-2000. It sent account holders of PayPal bogus payment receipt notifications, mimicking those sent by PayPal, indicating that the account holder had received a large payment and directed recipients to paypai.com through a link in the message.
The site, paypaI.com, was an exact replica of the HTML source code and images that PayPal uses on its home page. While devious, this was not difficult, since the HTML and images are downloaded for display whenever a user visits a website. The site was registered with Network Solutions to a "Birykov" in South Ural, Russia.
At the time, MS Sans Serif, a font similar to Arial that rendered capital "i" and lowercase "L" almost identically, was the default font in the address bar on most Windows applications. When Windows XP was released in 2001, Tahoma became the default; Tahoma places serifs on the capital "i" to easily distinguish it from lowercase "L".
- Knowles, William (July 22, 2000). "Scam artist copies PayPal Web site". Information Security News mailing list archives. SecLists.Org. Retrieved February 18, 2012.
- Sullivan, Bob (July 24, 2000). "PayPal alert! Beware the 'PaypaI' scam". ZDNet UK. Retrieved February 18, 2012.
- Mustaca, Sorin (February 12, 2011). "Old tricks, new language: "Paypai" in German". TechBlog. Avira GmbH. Retrieved February 17, 2012.
- MinnieApolis (January 27, 2012). "New Twist on PayPaL Phishing is from PayPaI (with an i)". Newsvine. Retrieved February 17, 2012.