A New PayPal Phishing Email Scam Using Official Account Details Discovered

28 February 2025

A new PayPal scam has been discovered and investigated by Bleeping Computer, a cybersecurity and technology news site.

The phishing attack aims to trick users into allowing remote access to their computers, by sending fake purchase notifications.

What makes this phishing tactic stand out is the fact that the attackers are using legitimate PayPal emails to do this, which means they will not be automatically caught by email spam filters, and the standard trick of reviewing the “From” sender email address will not reveal potential fraudulent actions.

How this new PayPal phishing scam works

An email is sent to you from the official PayPal email address, notifying you that a new address has been added to your PayPal account.

The phishing email includes what claims to be a purchase confirmation for a new MacBook M4 laptop, as well as a phone number to call if you did not authorise the purchase.

Screenshot of the email

If a user calls the phone number provided in the email, they’ll get “PayPal support”, and then they’ll be connected with a “customer support person”, who in reality is just the scammer.

The scammer will try to scare the customer, by tricking them into thinking that their PayPal account has been hacked, and that the user needs to allow the scammer remote access to their computer so that the scammer can “restore access” to the hacked account.

Once scammers like this gain remote access to a customer’s computer, they can do various things, such as steal information from the computer, access bank accounts and steal money, or install malware on the computer.

Why this phishing scam is different

Most phishing scams rely on impersonating a company by cloning or mimicking its email address or website, creating a very similar version of the legitimate one. Scammers buy domains that look similar to brands, for example “paypall.com” or “pypal.com”.

Email providers like Gmail and Yahoo often flag these fake emails/websites as spam or phishing attempts with large colourful banner warnings on the message, or even automatically filter these scam emails into a junk or “scam” folder for you. However, this newly discovered PayPal phishing address scam is different because these emails are coming directly from the official PayPal email address.

The sender of these scam emails is able to use the service@paypal.com email address, which means standard email account spam filters and warnings are not able to spot and catch these emails as potential scam/phishing attacks. This means more users are potentially being exposed to the scam.

How this new phishing email is sent directly from PayPal

The email is sent from the real PayPal, yet it contains information that attempts to trick customers into handing over personal and financial information. How is that possible?

Bleeping Computer thoroughly investigated this new phishing scam, to find out just how the scammers are able to send an email using the official PayPal email address.

The scammer updated their “Gift Address” in their PayPal account. PayPal gift addresses don’t have a character limit, so the scammer was able to add an extra paragraph to the email, which includes the fake “Support” phone number.

If you look closely, you can see that the paragraph above the shipping address (as seen below) is spaced strangely, almost as if the paragraph is part of the address.

Close-up of the address detail in the email

This is because it is. The scammer used the first line of the address to add the information about the MacBook M4 Max order, as well as the fake support phone number they want you to contact. Then they added that, along with the rest of the address, to their PayPal account, and were sent a valid “Address Update” email.

The scammer’s email address automatically forwards to a mailing list, which includes the email addresses of their potential targets, so the targets receive the email from PayPal, as shown in the chart below:

The attack flow

Under normal circumstances, you’d see a header in a forwarded email indicating that it’s been forwarded. However, since the email was forwarded to a mailing list, it doesn’t have the same “forwarded” header message, making it seem as if it was sent directly from PayPal to the target.
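The two tells described above (free text with a callback number inside the address block, and a notification that was originally addressed to someone else) can be checked automatically. The following triage heuristic is an added example, not code from PayPal or Bleeping Computer; the sample message, the addresses and the `triage` function are constructed for illustration, and it assumes the forwarded copy keeps the original To header.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample (not a real message): the address block carries a
# purchase claim and a callback number; To is not the mailbox that received it.
SAMPLE = """\
From: service@paypal.com
To: list-owner@example.net
Subject: You added a new address

You added a new address. This is just a quick confirmation.

Your MacBook M4 Max order is confirmed. If you did not authorise this
purchase, call PayPal support at +1 (555) 010-0199
1 Example Street
Exampleville
"""

PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
CALL_WORDS = re.compile(r"\b(call|contact|phone|helpline)\b", re.I)

def triage(raw, mailbox_owner, trusted_domain="paypal.com"):
    """Return reasons a trusted-sender notification needs manual review."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender.endswith("@" + trusted_domain):
        return []  # out of scope: this check only covers the trusted sender
    reasons = []
    # Forwarded via a list: the original To is someone else's address.
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if mailbox_owner.lower() not in {addr.lower() for _, addr in rcpts}:
        reasons.append("not addressed to this mailbox")
    # Free-text field abuse: a phone number next to a prompt to call it.
    body = "\n".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")
    for line in body.splitlines():
        if PHONE.search(line) and CALL_WORDS.search(line):
            reasons.append("callback number in body: " + line.strip())
    return reasons

if __name__ == "__main__":
    for reason in triage(SAMPLE, "victim@example.org"):
        print(reason)
```

Either reason alone is a prompt for manual review rather than proof of fraud, since genuine notifications can also mention support numbers.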

How to avoid the new PayPal Address phishing scam

Once you know what to look for, the scam is pretty easy to spot.

To avoid falling victim to this phishing attempt, or similar email-based phishing scams, we always suggest the following: if you receive an email from a company and you’re unsure whether it’s valid, either log in to your account with that company or contact them by going directly to their website. Do not follow any links in the email.

By contacting the company directly, and not using any contact information provided in the suspicious email, you are much more likely to contact the real company, who will be able to give you all the necessary information and recommended next steps to take with the email.

* Credit for the 3 images above: Bleeping Computer