Criminals trying to get confidential user-information – including credit-card data, user names, and passwords – have targeted online payment service PayPal.

On September 16, an email headed "PayPal Verification" was sent requesting users to log into their PayPal accounts "asap" to confirm they were still active users of the service.

The email read: "We are now requesting the password to the email address you signed up to PayPal with. This is to protect you and ourselves. PayPal will use this information for fraud protection only."

Recipients were then given a link that seemed to go to PayPal's secure site, but was actually a fake.

This email was followed by one marked "urgent" on September 25. That message, which arrived as an HTML email set up to resemble PayPal's Web site, said:

"Today we had some trouble with one of our computer systems. We've decided to take the troubled system offline and replace it with a new system. Unfortunately this caused us to lose some member data. Please follow the link below and log into your account to make sure your information is not affected."

The URL listed in the email took users to an official-looking site that asked for their personal data, including user name, password and credit card information.

PayPal spokeswoman Julie Anderson said the company hasn't had a problem with its site and said spoof sites are commonplace. She said the scam artists probably got hold of a database and sent messages to thousands of people hoping to hit some PayPal account holders.

When PayPal learnt of the scam it contacted the Internet service provider and asked it to remove the spoof sites.

PayPal also notified law enforcement agencies, including the FBI. However, Anderson said PayPal didn't notify its 18 million users of the problem.