Twenty years ago, people didn’t feel safe shopping online. Then PayPal arrived and opened a new age of easy, secure transactions. PayPal’s founding fathers, the notorious “PayPal Mafia” of Peter Thiel, Elon Musk, Reid Hoffman, et al., spent millions building one of the most iconic and trusted brands in existence to expand the digital transformation of retail shopping. Ironically, that brand recognition and hard-earned trust are now being exploited by bad actors in PayPal phishing email scams. Their phishing attacks cheat victims by spoofing the brand they trust in a barrage of emails mimicking trusted PayPal notifications. Bad actors use spray-and-pray as a strategy, knowing their phishing scams will eventually reach someone who uses and trusts the ubiquitous service. And trust raises the likelihood they’ll give out valuable information. (Find out how to equip employees with the knowledge to defend themselves and protect the organization via phishing awareness training software.)
There are several different types of attacks, but the most common ones involve updating account details or resolving payment issues. These can be especially deceptive to a frequent PayPal user, who is used to being asked to give out such sensitive data and is thus ready to provide it again. Other attacks target people who use PayPal often enough that they may lose track of all their orders. They can be juicy targets for scam messages about payment issues, like the phishing message below:
Although it’s formatted fairly well, the above example’s text isn’t perfect. But when convincing landing pages are added to these convincing-enough emails, it’s a recipe for disaster. Here is an example of a clever landing page where the user is asked to give out basically every essential piece of information needed for full access to their account and all its money:
Here’s what happens in the video:
PayPal isn’t the only service being spoofed like this, of course. Today, there are many different services for online financial transactions, and some people might use several. This can make it harder to keep track of all the activity on their multiple accounts across different platforms. Because of this, they might fall for a phishing message more easily. They might be unsure of what is suspicious and what is legit, and just click things without a second thought.
Also, these services sometimes receive updates to the interface, so it is not uncommon for a site to look a bit different than it did the last time, and the user might not think too much of it as they start entering credentials. When a convincing story on why the user must enter their credentials or other sensitive info on the site is added to the mix, it can do a lot of harm.
It is important to stay calm and think things through when a familiar service asks you to take action on your account. Hover over links before clicking. That should help you see what’s really going on, who you are really dealing with, and why.
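The hover check above can also be automated when triaging reported emails. The Python below is an added example, not code from Hoxhunt or the original post: it parses the anchors in an HTML email and flags links whose visible text names PayPal while the href actually points to another domain. The trusted-domain list and the sample email are constructed assumptions.

```python
"""Flag links in an HTML email whose visible text suggests a trusted brand domain
while the href resolves elsewhere (what 'hovering over the link' reveals by hand)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains a defender accepts for a PayPal-themed message (assumption for the demo).
TRUSTED_DOMAINS = {"paypal.com"}

# Constructed sample: first link shows a real-looking URL but points to another domain.
SAMPLE_EMAIL = """<p>We noticed unusual activity on your account.</p>
<a href="https://paypal.com.account-verify.example/login">https://www.paypal.com/myaccount</a>
<a href="https://www.paypal.com/help">Help Center</a>"""


def _registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); fine for the demo, not for production use."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return (href, text, reason) for http(s) anchors not resolving to a trusted domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue  # mailto:, relative links etc. are out of scope here
        if _registrable(url.hostname or "") in trusted:
            continue
        reason = "href domain not trusted"
        if any(t in text.lower() for t in trusted):
            reason = "display text names trusted brand but href does not"
        findings.append((href, text, reason))
    return findings
```

Run `suspicious_links(SAMPLE_EMAIL)` to see the first anchor reported and the genuine Help Center link pass.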
The Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more on how to equip your employees with the knowledge to protect your company from phishing scams.