PayPal phishing attack

Watch out for this triple threat PayPal phish

ZDNet reports an interesting form of PayPal scam sent to one of their own writers. The scam is a so-called “triple threat” phish, in that it gives the scammer three different ways to collect some ill-gotten gains from potential victims. The idea is that if one of the three tactics fails, there are two more waiting in the wings, primed to take another swing at your digital wallet.

A genuine (but bogus) money request

For this phish attempt, the scammers make use of legitimate services to make it all look a bit more convincing. Why bother to set up a fake PayPal website, when you can just send a genuine request for money on the site itself?

The twist here is that the money request, weighing in at $699.99, comes with a note attached which is written as though it’s from a PayPal employee. It’s worth noting that the message is not written particularly well, which may clue in more than a few people receiving it. On the other hand, urgent requests for payment sprinkled with fraud attempt references will make some folks smash that “send money” button. Here’s the message in question:

“We have detected some fraudulently activities with your PayPal account. If you did not make this transaction, please call us as soon as possible at tool free number [removed] to cancel and claim a refund. If this is not the case, you will be charged $699.99 today. Within the automated deduction of the amount, this transaction will reflect on PayPal activity after 24 hours. Our service hours: (06:00 a.m. to 06.00 p.m. Pacific Time, Monday through Friday)”

This is not particularly sophisticated. If a scammer sends people a request for $600 and dresses it up with references to fraudulent transactions, then they’re going to lose a lot of victims via a final destination which presents recipients with “Send money” and “Cancel” buttons. Sure, some might hit “Send money” by accident. However, most of them will likely dodge this one.

Ramping it up

This is where stages two and three of the scam come into play. According to the PayPal support rep that the ZDNet writer talked to, the phone numbers are there to try and trick people who don’t initially fall for the somewhat overt “please send me money via this ‘Send money’ button” fake-out. The numbers may direct callers to international lines, where complying with the “press X number to continue” instruction ends up billing the caller at expensive premium rates.

Additionally, further numbers put potential victims through to the scammers directly. At this point, it’s all about social engineering personal details under the guise of a PayPal fraud department. They may try to extract payment information over the phone, or just grab as much personal data as possible for use at a later date.
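Because the request itself is genuinely sent through PayPal, the free-text note is the only part the scammer controls, so that is where a mail gateway or help-desk triage script can look for the callback lure described above. The following Python is an added example, not code from the original article or from PayPal; the indicator names, patterns and verdict thresholds are assumptions, and the benign and borderline notes are constructed samples.

```python
import re

# Indicators for the note field of a payment request (assumed heuristics).
INDICATORS = {
    # A dialable number, or a "toll free" mention (including the "tool free" typo).
    "callback_number": re.compile(
        r"\+?\d[\d\s().-]{7,}\d|\bt(?:oll|ool)[\s-]?free\b", re.I),
    # An instruction to phone the sender.
    "call_to_action": re.compile(r"\b(?:call|contact|dial)\s+(?:us|our)\b", re.I),
    # The note speaks as if it were the payment provider.
    "provider_voice": re.compile(
        r"\bwe have detected\b|\byour paypal account\b|\bour service hours\b", re.I),
    # Fraud or refund framing.
    "fraud_or_refund": re.compile(r"\bfraud\w*|\brefund\b", re.I),
    # Deadline pressure.
    "urgency": re.compile(
        r"as soon as possible|\btoday\b|\bimmediately\b|\b\d+\s*hours?\b", re.I),
    # Threat of an automatic charge.
    "charge_threat": re.compile(r"\byou will be (?:charged|debited)\b", re.I),
}

def triage_request_note(note: str) -> dict:
    """Return the indicators found in a request note and a triage verdict."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(note))
    # Callback lure: a number to ring combined with provider voice or fraud framing.
    lure = "callback_number" in hits and (
        "provider_voice" in hits or "fraud_or_refund" in hits)
    verdict = "quarantine" if lure else ("review" if len(hits) >= 2 else "allow")
    return {"hits": hits, "verdict": verdict}

# The note quoted in the article, with the phone number still redacted.
SCAM_NOTE = (
    "We have detected some fraudulently activities with your PayPal account. "
    "If you did not make this transaction, please call us as soon as possible "
    "at tool free number [removed] to cancel and claim a refund. If this is not "
    "the case, you will be charged $699.99 today. Within the automated deduction "
    "of the amount, this transaction will reflect on PayPal activity after 24 hours. "
    "Our service hours: (06:00 a.m. to 06.00 p.m. Pacific Time, Monday through Friday)")
# Constructed samples for comparison.
BENIGN_NOTE = "Your share of the cabin rental for June, thanks! Invoice 1042."
BORDERLINE_NOTE = "Deposit is due today, full refund if you cancel."

if __name__ == "__main__":
    for label, note in [("scam", SCAM_NOTE), ("benign", BENIGN_NOTE),
                        ("borderline", BORDERLINE_NOTE)]:
        print(label, triage_request_note(note))
```

The service-hours times and the dollar amount in the quoted note do not trip the phone-number pattern; the callback indicator fires on the “tool free number” wording alone, so the redacted number does not hide the lure.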

Keeping your PayPal safe

PayPal offers several forms of security to help keep accounts safe.

  • You can enable two-factor authentication via mobile codes or an authentication app.

  • You can also use a hardware security key, which plugs directly into your device.

  • PayPal checks for unusual activity and asks users to confirm that it is in fact the right person performing an action against an account.

  • Do you suspect unauthorised access where your account is concerned? You can contact PayPal directly about it.

Those are some of the PayPal specific options available to you. As for the human aspect of these attacks:

  • Don’t panic. Many phish attempts are almost entirely reliant on panicking you into doing something. Sometimes what they present you with doesn’t even make much sense, like the attempt above. The urgency is the key.

  • Never feel the need to call a number or visit a URL provided by an unsolicited email or message. Dig out the official contact information from websites you know to be genuine, and get in touch that way.

  • PayPal covers a lot of fraudulent tricks specifically used against users of its services, so spend some time familiarising yourself with them.

Stay safe out there!



Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.