...it is as phony as those Nigerian scams. You don't need to have anything but an email address to get these spoof messages. It doesn't matter if you have an account with anybody or his dog, and certainly doesn't matter if you have an account with the supposed firm. I get spoofs by banks I've never heard of threatening to terminate my non-existent account if I don't immediately go online to confirm my personal data. The more popular a site is (eBay and PayPal and the larger banks have LOTS of customers), the more likely that a phishing letter will use their credentials to try to get your attention. The phishers are simply playing the odds. Let's conservatively say that 5% of all internet users have a PayPal account for online shopping. A phisher buys a list with a million names and puts up this spoof message. That is 50,000 potential people who might be tempted to click on the link. Let's also conservatively say that only 5% of them are stupid or gullible or confused and actually follow through. OK, 2500 people just turned over their passwords, bank account info, personal ID, whatever. The percentages are probably higher... but that still is a lot of victims... and the phishers put out millions of these emails. Carolly