The scam uses PayPal's real email and website
A clever new email phishing scam can hijack a victim's PayPal account.
The email requesting money comes from a legitimate PayPal sender address and links to PayPal's real website, but if a victim signs in to check the request, their PayPal account can be stolen, said Carl Windsor, senior vice president at cybersecurity company Fortinet, writing in a blog post on Wednesday.
"This recent example immediately set off alarm bells," he said. "A panicked person may be tempted to log in with their account details, but this would be very dangerous."
The scammers registered a test domain through Microsoft 365 and created a distribution list under it; the email's recipient field shows that list address rather than the victim's own address, which is a telltale sign this is a scam, Windsor said.
In the example Windsor found, the sender is "billingdepartments1[@]gkjyryfjy876.onmicrosoft.com."
Once a victim logs in, even just to get more details on the request, Windsor said their PayPal account can be linked to the distribution-list address, letting the scammers take over the account while avoiding PayPal's detection.
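The tell described above (a genuine paypal.com sender, but a recipient field holding a Microsoft 365 distribution-list address instead of the mailbox owner's own address) can be checked mechanically. The following is an added example, not Fortinet's or PayPal's code; the two messages are constructed samples, the only value taken from the article is the list address, and the sender address and the mailbox address "victim@example.com" are assumptions for illustration.

```python
"""Flag 'real sender, wrong recipient' PayPal money-request mail.

Added example, not Fortinet's or PayPal's code. The rule: the message
really comes from a paypal.com sender (so sender-authentication checks
will not catch it), but the To:/Cc: headers carry an *.onmicrosoft.com
distribution-list address rather than the mailbox owner's own address.
Both messages below are constructed samples.
"""
import email
from email.utils import getaddresses

# Constructed: what the scam mail looks like in the victim's inbox.
# Only the list address is taken from the article; the sender address
# is an assumed PayPal notification address.
SAMPLE_SCAM = """\
From: PayPal <service@paypal.com>
To: billingdepartments1@gkjyryfjy876.onmicrosoft.com
Subject: You have a money request
Content-Type: text/plain; charset=utf-8

Someone has requested a payment from you. Log in to review the request.
"""

# Constructed: a notification actually addressed to the mailbox owner.
SAMPLE_LEGIT = """\
From: PayPal <service@paypal.com>
To: victim@example.com
Subject: You have a money request
Content-Type: text/plain; charset=utf-8

Someone has requested a payment from you. Log in to review the request.
"""

SENDER_DOMAINS = {"paypal.com"}      # sender domains this rule covers
LIST_SUFFIX = ".onmicrosoft.com"     # Microsoft 365 default tenant domain


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def recipient_mismatch(raw_eml: str, my_address: str) -> dict:
    """Evaluate one RFC 5322 message against the rule.

    'suspicious' is True when the sender is a PayPal domain, the mailbox
    owner's address is absent from To:/Cc:, and at least one recipient
    is an *.onmicrosoft.com distribution-list address.
    """
    msg = email.message_from_string(raw_eml)
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", []))]
    rcpt_addrs = [a for _, a in getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", []))]

    from_paypal = any(domain_of(a) in SENDER_DOMAINS for a in from_addrs)
    addressed_to_me = any(a.lower() == my_address.lower() for a in rcpt_addrs)
    list_recipients = [a for a in rcpt_addrs
                       if domain_of(a).endswith(LIST_SUFFIX)]

    return {
        "from_paypal": from_paypal,
        "addressed_to_me": addressed_to_me,
        "list_recipients": list_recipients,
        "suspicious": from_paypal and not addressed_to_me
        and bool(list_recipients),
    }


if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(label, recipient_mismatch(sample, "victim@example.com"))
```

The rule deliberately ignores the links and the sender, because in this scam both are legitimate; it keys only on who the message is addressed to. A mail gateway or a user-side script can apply the same check, but the practical response is the same either way: do not act on the request from the message, and look the request up by logging in to PayPal.com directly.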
"The scammer can then take control of the victim's PayPal account, a neat trick," Windsor said. "It's so neat, in fact, that it would sneak past even PayPal's own phishing check instructions."
How to avoid this new PayPal email scam?
The best way to avoid this scam is to be a "human firewall," someone who is trained to be cautious of any unsolicited email regardless of how legitimate it looks, Windsor said.
"The beauty of this attack is that it doesn't use traditional phishing methods," Windsor said. "The email, the URLs, and everything else are perfectly valid."
What can PayPal and Microsoft do about these scams?
PayPal and Microsoft should be doing more to prevent scammers from using their platforms, including looking for malicious links and callback numbers to rogue call centers, said Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4.
"Legitimate services being used by scammers need to aggressively look for the signs of malicious use," he said. "I don't think vendors scrutinize participants enough to prevent these sorts of scams."
A spokesperson for PayPal told ConsumerAffairs that the company "takes pride in our work to protect our customers from evolving scams and fraud activity, including this common phishing scam."
"We encourage customers to always remain mindful online, especially this time of year, and to visit PayPal.com for additional tips on how to protect themselves," the spokesperson said.
PayPal is known to investigate fraud, limit scam accounts and decline risky transactions.
Phishing scam emails can be forwarded to PayPal's security team.
Microsoft declined to comment.
"Any message, no matter how it arrives, no matter how legit it looks, with those two traits, should be investigated using trusted methods not involving anything communicated in the message before performing the requested action," Grimes said. "Teach and drill that into your own behavior and teach others as well."
Screenshots courtesy of Fortinet.
Photo Credit: Consumer Affairs News Department Images
Posted: 2025-01-09 23:53:43