The Latest PayPal Phishing Email Goes Beyond Your Login Credentials

Another day and another clever PayPal phishing scam to learn from to better protect yourself and your organization

“In this world, nothing can be said to be certain, except death, taxes, and PayPal phishing email scams,” said Benjamin Franklin. Don’t believe me? Google it yourself. Okay, okay, he might have missed out on the PayPal phishing part, but you get the point.

Thanks to the huge incentive they have, fraudsters keep using PayPal’s name to fool users into doing something that they shouldn’t. This time, they’ve come up with a new phishing scam that uses PayPal as leverage, and they’ve set their expectations high. ESET researchers in Latin America discovered this scam, in which cybercriminals posing as the online payment service get users to provide other sensitive information, including:

  • access credentials
  • private information, including your mailing address
  • credit or debit card information
  • email account login information  

So, just how does this PayPal phishing email scam work?

Let’s hash it out.

How the Latest PayPal Phishing Email Scam Snares Victims

Presenting the Bait

Humans are funny animals. As a species, we possess the most complex type of brain and have an even more complex psychology working behind it. However, we tend to behave so predictably in certain situations. Hackers and scamsters understand this quite well, and they are exceptional at using this truth to their advantage. They do this through the use of phishing scams.

The latest PayPal phishing email scam is no different in this regard, except that it chooses a smarter way to go about it.

As it goes with most phishing scams, it all starts with an email. This email (somewhat) looks as if it has come from PayPal and instills fear by “informing” you of an unusual login from an unknown device. Then it tells you to secure your account to avoid any potential financial loss.

Here’s how it looks:

Screenshot: PayPal phishing email scam example from WeLiveSecurity by ESET
Image source: https://www.welivesecurity.com/wp-content/uploads/2019/12/Fig-1.png

Pulling the Rod

Once a user has been hooked, it’s time for the cybercriminal to pull the rod. In the context of this scam, once the user has clicked on the link provided in the email, they’re taken to a website that’s designed to look like PayPal’s official website. This web page, often written in poor English, tells you that they (PayPal) have noticed some unusual activity on your account and asks you to enter a captcha code to proceed further. One thing to note here is that instead of leading you straight to a (fake) login page, fraudsters ask you to enter a captcha code. Psychologically, this is a smart move. It’s like playing it “true” before bluffing in poker. All poker players would get this.

Another thing to note here is that the web page where you’re taken has a “secure” padlock in front of its URL bar. Users who have been taught to look for the padlock security indicator will likely consider this website to be safe. Here’s how this web page looks:

Image source: https://www.welivesecurity.com/wp-content/uploads/2019/12/Fig-2-768×656.jpg

If you fall prey to this plot, you’re taken to a fake PayPal login page, and you’re asked to log into your account. This page looks exactly like the real PayPal login page. First, you’re asked for your user name, and then you’re asked for your password, just like you’re asked on the official PayPal website.

Image source: https://www.welivesecurity.com/wp-content/uploads/2019/12/Fig-3-768×492.png
Image source: https://www.welivesecurity.com/wp-content/uploads/2019/12/Fig-4-768×553.png

Once You’re Hooked: Going Beyond Your Credentials

You know what happens when you click on the Log In button after entering — er, giving away — your credentials, don’t you? However, your PayPal user information is not the only thing the phishers are after in this particular PayPal phishing scam. Once you log in, you’re asked to verify your account. Like the previous page, this page, too, is written in poor English. It prompts you to click on the Continue to PayPal button.

Once you click on that button, the next phase of this PayPal phishing email scam takes you to a series of web pages that ask you for your personal information such as home address and financial information. In the end, you’re once again asked to enter your PayPal credentials to “link an email account.” Check out the screenshots for the details.

Image source: https://www.welivesecurity.com/wp-content/uploads/2019/12/Fig-6-768×652.jpg
Image source: https://www.welivesecurity.com/wp-content/uploads/2019/12/Fig-7-768×634.jpg
Image source: https://www.welivesecurity.com/wp-content/uploads/2019/12/Fig-8-768×650.jpg
Image source: https://www.welivesecurity.com/wp-content/uploads/2019/12/Fig-9-768×643.jpg

Once you do all of this, a message displays that tells you that you’ve successfully restored your account. However, this couldn’t be further from the truth. What you have done is virtually wrap up your identity into a nice, pretty little package and hand it over to the cybercriminal. Now, your information is available for them to misuse through various forms of fraud. That’s the outcome of the latest PayPal phishing email scam.

A Final Word

No matter how we curse hackers and fraudsters, we have to acknowledge that they’re quite smart (barring their English) when it comes to fooling us. They know our pain points, they know how our brains respond to specific situations, and they know how ignorant or unobservant we can be. We’re like fish taking the shiny bait they throw out to capture us. Now you know why they call it “phish”ing.

No matter how smart cybercriminals are, we can always be a step ahead of them. All we need is a little bit of cyber security awareness and to exercise our skills of observation. No phishing scam in the world can fool you if you are vigilant. Remember, a phisher is nothing more than a poor man’s magician.

Author

Jay Thakkar

After graduating from university with an engineering degree, Jay found his true passion as a writer…specifically, a cybersecurity writer. He’s now a Hashed Out staff writer covering encryption, privacy, cybersecurity best practices, and related topics.