This is the email that we received from the scammer.

Note that it looks normal, including return email (to paypal.com) and pictures. The ONLY exception is the link at “Click here to update your PayPal account information”, which links to “http://0x48.0x04.0xaf.0x6d/www.paypal.com/index.htm”.

This is not a link to paypal.com!. That is all they need to get your account information.

Full email
Return-path: &lt;service@paypal.com&gt;
Delivery-date: Sat, 25 Nov 2006 18:00:08 -0700
Received: from User ([]) by EXCHG2003.HVMail.local with Microsoft SMTPSVC(6.0.3790.211);
     Sat, 25 Nov 2006 20:01:25 -0500
Reply-To: &lt;service@paypal.com&gt;
From: “PayPal Service”&lt;service@paypal.com&gt;
Subject: IMPORTANT: PayPal Security Measures PP-052-CA-788
Date: Sun, 26 Nov 2006 03:00:09 +0200
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: &lt;EXCHG2003SU0hXCRQcq0000028d@EXCHG2003.HVMail.local&gt;