’Tis the season to be careful. That should be no surprise. Given that the online holiday shopping season is peaking, cybercriminals would be expected to ramp up their efforts as well.

But it might be a bit surprising - not to mention depressing for security evangelists - that one of the oldest and most typical scams aimed at online buyers is still successful: PayPal email phishing.

Paul Ducklin wrote this week on Naked Security that Australian PayPal users are being targeted. But there is also word of the same thing happening in Ontario, Canada.

It won’t stop there. Chester Wisniewski, a senior security adviser at Sophos, noted that PayPal is used worldwide. “It is a global phenomenon. These guys are equal opportunity exploiters,” he said.

Even though the scam is common, Wisniewski said it remains successful. He said nobody but the criminals knows just how successful they are, however. “Scams that aren’t working die quickly, so we can assume that these must work quite well considering the frequency that we see them,” he said.

Fred Touchette, a senior security analyst at AppRiver, said that “most victims shy away from admitting their losses except to perhaps their banking institution when attempting to recover their loss.”

And even if the number is relatively small, phishers have succeeded, said Catalin Cosoi, chief security researcher at Bitdefender. “Attackers don’t need high rates of success, as phishing is just like handing out leaflets in the mall,” Cosoi said. “If one gets two or three customers out of every 100, mission accomplished.”

The scam is by now familiar not just to security experts but to any reasonably savvy Internet user. It starts with a somewhat credible-looking email with the PayPal logo “acknowledging” a payment for something that the intended victim didn’t buy. It provides an embedded link inviting the recipient to click on it to dispute the charge.

“And that’s the ploy, of course,” Ducklin wrote. “Hovering over the ‘Press here to cancel this payment’ link should be enough to reveal the bogosity. You won’t be sent to PayPal but to a lookalike impostor site that helps itself to your login details.”
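The hover check Ducklin describes, comparing where a link actually points with the brand the email claims to be from, is easy to automate in a mail filter. The following is an added example, not code from the article, Sophos or PayPal; the sample email, the `PAYPAL_DOMAINS` allow list and the function names are constructed for illustration.

```python
import html
import re
from urllib.parse import urlparse

# Assumption for this example: links in a genuine PayPal mail stay on these domains.
PAYPAL_DOMAINS = ("paypal.com",)

# <a ... href="..." ...>visible text</a>
ANCHOR_RE = re.compile(r'<a\s[^>]*?href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")

def link_host(href):
    """Hostname of a link, treating scheme-less links (www.example/...) as http."""
    href = href.strip()
    if "://" not in href:
        href = "http://" + href
    return (urlparse(href).hostname or "").lower().rstrip(".")

def host_is_allowed(host, allowed=PAYPAL_DOMAINS):
    """True only for an allowed domain or a real subdomain of it.
    'www.paypal.com.evil.example' fails: it ends in evil.example, not paypal.com."""
    return any(host == d or host.endswith("." + d) for d in allowed)

def find_suspicious_links(email_html, allowed=PAYPAL_DOMAINS):
    """Links whose real destination is not on the brand's domain, with their visible text."""
    findings = []
    for href, inner in ANCHOR_RE.findall(email_html):
        text = html.unescape(TAG_RE.sub("", inner)).strip()
        host = link_host(href)
        if not host_is_allowed(host, allowed):
            findings.append({"text": text, "href": href.strip(), "host": host})
    return findings

# Constructed sample in the style the article describes: PayPal logo, a bogus
# "payment", and a dispute link that leads to a lookalike site.
SAMPLE_EMAIL = """<html><body>
<img src="https://www.paypal.com/logo.png" alt="PayPal">
<p>You sent a payment of $249.99 to Example Merchant.</p>
<p>If you did not authorize this,
<a href="http://www.paypal.com.account-verify.example/cancel">Press here to cancel this payment</a>.</p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
</body></html>"""

if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_EMAIL):
        print(f"'{f['text']}' really goes to {f['host']}")
```

Only the dispute link is flagged; the help link stays on paypal.com and passes.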