Fraudsters are sending invoices through legitimate PayPal accounts in a new phishing campaign. Because the email genuinely comes from email@example.com, the risk of falling for this scam is high.
PayPal has been a popular target of hackers and scammers for years, which is why customers regularly complain about new phishing attempts. Now security researchers at Avanan have discovered a campaign that abuses PayPal's own payment system. The fraudsters create legitimate PayPal accounts and use them to send payment requests to unsuspecting PayPal users. The email informs the recipient that fraudulent activity has allegedly been detected on their account and that they should call the telephone number given in order to obtain a chargeback or cancel the payment; otherwise, 699.99 US dollars will be debited within one day. The email originates from the official address firstname.lastname@example.org and is therefore harmless in itself. As a result, it passes sender-authentication checks such as DMARC, DKIM and SPF, which only verify who sent the message and not what the attacker-controlled invoice note says, and lands directly in the victim's inbox.
This is exactly what makes the new campaign so unusual, and therefore dangerous. Because the email really is sent by PayPal's payment system, many conventional security measures are ineffective. The user is also less likely to be suspicious of such a sender and is therefore more inclined to fall for the trick. The fact that new PayPal accounts can be created easily and free of charge plays into the criminals' hands, as does the fact that PayPal provides its users with tools for creating professional-looking invoices.
Protection against the new campaign therefore depends on increased attention, and the Avanan researchers point out several factors that should make you suspicious. The text of the payment request sent via PayPal is anything but professional and is full of grammatical and spelling mistakes. The telephone number given should also arouse suspicion, because it does not belong to PayPal at all, which a quick call would confirm. Otherwise, the usual rules for dealing with possible phishing attempts apply: do not click on links from an unknown source, and do not reveal personal information or payment data. Suspicious emails should also be reported and forwarded to PayPal so that the accounts involved are deactivated as quickly as possible. The payment service provider has set up the email address email@example.com for this purpose.
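Because the messages in this campaign pass SPF, DKIM and DMARC, a mail filter cannot rely on sender authentication alone; the warning signs the researchers list (a "fraud detected" pretext, a callback phone number that is not PayPal's, a chargeback or cancellation lure, a deadline and a dollar amount) live in the attacker-controlled invoice note. The following Python script is an added example, not code from Avanan or PayPal: it parses a raw message, confirms that authentication passed, and still flags the message for review when the note text combines a callback number with an urgency cue. The two sample messages, the `paypal.example` domain and the phone number are constructed for the example; the real header formats and addresses are not taken from the article.

```python
import re
from email import message_from_string

# Content cues drawn from the campaign described above. The note text is
# written by the fraudster, so these are checked regardless of who sent the mail.
URGENCY_PATTERNS = [
    r"\bfraud(?:ulent)?\b",
    r"\bunauthori[sz]ed\b",
    r"\bchargeback\b",
    r"\bcancel\w*",                       # cancel, cancellation, misspelt "cancelation"
    r"\bwithin\s+(?:24\s+hours|one\s+day|a\s+day)\b",
]
CALL_RE = re.compile(r"\b(?:call|phone|contact)\b", re.I)
# North-American style numbers such as (555) 010-0199; adjust for other regions.
PHONE_RE = re.compile(r"(?:\+?1[\s\-.]?)?\(?\d{3}\)?[\s\-.]?\d{3}[\s\-.]?\d{4}\b")
AMOUNT_RE = re.compile(r"(?:US\s?\$|\$|USD)\s?\d{2,}(?:[.,]\d{2})?")


def auth_passes(msg):
    """True when SPF, DKIM and DMARC all report 'pass' in Authentication-Results.

    For an invoice really sent through PayPal this is expected to be True,
    which is exactly why the verdict below must not stop here.
    """
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(f"{mech}=pass" in results for mech in ("spf", "dkim", "dmarc"))


def score_note(text):
    """Collect the content cues present in the invoice note text."""
    lowered = text.lower()
    phones = PHONE_RE.findall(text)
    return {
        "urgency": [p for p in URGENCY_PATTERNS if re.search(p, lowered)],
        "phone_numbers": phones,
        # a phone number next to an instruction to call is the callback lure
        "callback": bool(phones) and CALL_RE.search(text) is not None,
        "amounts": AMOUNT_RE.findall(text),
    }


def triage(raw_message):
    """Classify a raw RFC 5322 message as 'ok' or 'review'.

    A callback number combined with at least one urgency cue is flagged even
    when sender authentication passed, because in this campaign it always does.
    """
    msg = message_from_string(raw_message)
    payload = msg.get_payload(decode=True)
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace") if payload else ""
    cues = score_note(body)
    suspicious = cues["callback"] and len(cues["urgency"]) >= 1
    return {"auth_pass": auth_passes(msg), "verdict": "review" if suspicious else "ok", "cues": cues}


# Constructed sample resembling the scam invoice note (placeholder domain and number).
SAMPLE_SCAM = """\
From: "PayPal" <service@paypal.example>
To: victim@example.net
Subject: Invoice from Billing Dept (0012)
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.example; dkim=pass header.d=paypal.example; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Note from seller: We have detect fraudulent activity on you account.
Call us on (555) 010-0199 to get a chargeback or cancelation, otherwise
$699.99 will be debited within one day.
"""

# Constructed sample of an ordinary merchant invoice with no callback lure.
SAMPLE_BENIGN = """\
From: "PayPal" <service@paypal.example>
To: customer@example.net
Subject: Invoice from Sunrise Pottery Studio
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.example; dkim=pass header.d=paypal.example; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Note from seller: Thanks for your order of two glazed bowls. Invoice total $48.00.
Pay by the due date shown in your PayPal account.
"""

if __name__ == "__main__":
    for name, raw in (("scam", SAMPLE_SCAM), ("benign", SAMPLE_BENIGN)):
        result = triage(raw)
        print(name, result["verdict"], "auth_pass=%s" % result["auth_pass"], result["cues"])
```

Both samples pass authentication, so only the content cues separate them; in practice the verdict would feed a quarantine or a user-facing banner rather than an outright block, since genuine sellers do occasionally put phone numbers in invoice notes.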