Fake PayPal email phishing scam hijacks accounts

There's a new PayPal email scam using a legitimate PayPal email address and website to trick people into giving up their account details. (c) ConsumerAffairs

The scam uses PayPal's real email and website

A clever new email phishing scam can hijack a victim's PayPal account.

The email requesting money uses a legitimate sender email address from "service@paypal.com" and a link to PayPal's real website, but if a victim signs on to check the request, their PayPal account can be stolen, said Carl Windsor, senior vice president at cybersecurity company Fortinet, writing in a blog post on Wednesday.

"This recent example immediately set off alarm bells," he said. "A panicked person may be tempted to log in with their account details, but this would be very dangerous."


The scammers registered a test domain through Microsoft 365 and created a distribution list whose address appears as the recipient of the email instead of the victim's actual address, which is a telltale sign of the scam, Windsor said.

In the example Windsor found, the sender is "billingdepartments1[@]gkjyryfjy876.onmicrosoft.com."

Once a victim logs in, even if just to get more details on the request, Windsor said their PayPal details can be linked to the distribution email and scammers can steal the account and avoid PayPal's detection.

"The scammer can then take control of the victim's PayPal account—a neat trick," Windsor said. "It’s so neat, in fact, that it would sneak past even PayPal’s own phishing check instructions."
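The telltale sign Windsor describes, a PayPal request whose visible recipient is a distribution list rather than the mailbox owner's own address, can be checked mechanically in the message headers. The following is an added example written for this article, not Fortinet's or PayPal's code; the two sample messages, the mailbox name alice@example.net and the list address pattern are constructed for illustration.

```python
import email
from email.utils import getaddresses

# Constructed sample: a money request that claims to come from PayPal but is
# addressed to a Microsoft 365 tenant list, which then forwards it to the victim.
SAMPLE_RELAYED = """\
From: "service@paypal.com" <service@paypal.com>
To: billingdepartments1@gkjyryfjy876.onmicrosoft.com
Subject: You have a money request
Content-Type: text/plain

Please log in to review this request.
"""

# Constructed sample: the same notice addressed directly to the mailbox owner.
SAMPLE_DIRECT = """\
From: "service@paypal.com" <service@paypal.com>
To: alice@example.net
Subject: You have a money request
Content-Type: text/plain

Please log in to review this request.
"""

TRUSTED_SENDER_DOMAIN = "paypal.com"


def recipient_addresses(msg):
    """All addresses listed in To/Cc, lowercased."""
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(hdrs) if addr}


def relayed_request_findings(raw_message, mailbox):
    """Return reasons this message looks like a relayed PayPal request (hypothetical check).

    A genuine PayPal notice delivered to `mailbox` should name that mailbox in To/Cc.
    If the mail claims to come from paypal.com but the visible recipient is some other
    address, the request was sent to a list the sender controls and merely forwarded.
    """
    msg = email.message_from_string(raw_message)
    findings = []
    senders = {a.lower() for _, a in getaddresses(msg.get_all("From", [])) if a}
    if not any(a.endswith("@" + TRUSTED_SENDER_DOMAIN) for a in senders):
        return findings  # only mail presenting itself as PayPal is of interest here
    rcpts = recipient_addresses(msg)
    if mailbox.lower() not in rcpts:
        findings.append("mailbox not in To/Cc; visible recipients: " + ", ".join(sorted(rcpts)))
    for a in sorted(rcpts):
        if a.endswith(".onmicrosoft.com"):  # Microsoft 365 tenant list address, as in the article
            findings.append("recipient is a Microsoft 365 tenant list address: " + a)
    return findings
```

The check is a heuristic on the visible recipient only: the mail itself is authentic, so sender and link checks pass, and the mismatch between To/Cc and the owner's mailbox is the signal worth alerting on.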


How to avoid this new PayPal email scam?

The best way to avoid this scam is to be a "human firewall," someone who is trained to be cautious of any unsolicited email regardless of how legitimate it looks, Windsor said.

"The beauty of this attack is that it doesn’t use traditional phishing methods," Windsor said. "The email, the URLs, and everything else are perfectly valid."

What can PayPal and Microsoft do about these scams?

PayPal and Microsoft should be doing more to prevent scammers from using their platforms, including looking for malicious links and callback numbers to rogue call centers, said Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4.

"Legitimate services being used by scammers need to aggressively look for the signs of malicious use," he said. "I don't think vendors scrutinize participants enough to prevent these sorts of scams."

A spokesperson for PayPal told ConsumerAffairs that the company "takes pride in our work to protect our customers from evolving scams and fraud activity, including this common phishing scam."

"We encourage customers to always remain mindful online, especially this time of year, and to visit PayPal.com for additional tips on how to protect themselves," the spokesperson said.

PayPal is known to investigate fraud, limit scam accounts and decline risky transactions.

Phishing scam emails can be forwarded to PayPal's security team at phishing@paypal.com.

Microsoft declined to comment.

"Any message, no matter how it arrives, no matter how legit it looks, with those two traits, should be investigated using trusted methods not involving anything communicated in the message before performing the requested action," Grimes said. "Teach and drill that into your own behavior and teach others as well."

Screenshots courtesy of Fortinet.