The holidays are upon us, and so it is to remind ourselves once again of just how much cyber criminals enjoy playing on the very fears of consumer fraud they elicit. If the last thing you want interrupting your time with friends and loved ones is a slew of fraudulent bank charges, you’ll need to keep your wits about you.
As you read this, an illicit campaign is underway to deceive PayPal users into believing recent transactions they’ve made “could not be verified.” In emails bearing PayPal’s logo, consumers are warned that PayPal has detected suspicious activity on their accounts and that the company requires updated information to avoid fraudulent charges.
This is a classic phishing scam, one you should become accustomed to recognizing on sight.
Now, you can skip the rest of this article if you’re able to follow one simple instruction: Never login or provide any information to a website that you reach by clicking on a link sent to you by email, no matter how official or authentic it seems. If you get an email warning you about a security issue, pop open a new tab, manually type the company’s URL in yourself, and proceed from there. Treat all links sent to you by email—as well as files, for that matter—with the utmost suspicion, always.
That’s not paranoia. It’s just common sense.
On Friday, this latest of the many, many PayPal scam out there was detected by Christopher Boyd, a malware analyst at FaceTime Security Labs. In screenshots published by Boyd on the website of Malwarebytes, you can see how the fairly convincing scam unfolds.
At first glance, the fake email account alerting users lookxs real. It appears to originate from “firstname.lastname@example.org,”b ut that’s just what the scammers typed in as their name. It’s not the actual email address from which the message originates. One subject line reads: “[New Transaction Statements] we’re letting you know : We couldn’t verify your recent transactions”. Another says: “You payments processed cannot completed.”
You might think that anyone would surely notice the broken English and misuse of punctuation and think, “Gee, that seems strange.” Sadly, I can assure you that many people out there are not so scrutinizing, nor is falling victim to a phishing campaign nestled in the forefront of their mind. Below is a copy of one of these fake emails for reference. All said, it’s pretty authentic looking.
When the target clicks on the link to verify their information, they’re quickly shuttled to a fake PayPal website at the following URL:
https://myaccounts-webapps-verify-updated-informations [dot] epauypal [dot] com/myaccount/e6abe
A message on the page, which is also pretty terribly written, warns that in order to return “your account to regular standing” you’ll need to verify a few personal details. (A fake “case ID” number is also provided.)
You’ll eventually find yourself on a page that requests your full name, address, date of birth and mother’s maiden name—everything short of a Social Security number that a person would need to effectively steal your identity. It also requests that you enter your credit card information, including the full number, expiration date and security code.
“Sadly, anyone submitting their information to this scam will have more to worry about than a fictional declined payment, and may well wander into the land of multiple actual not-declined-at-all payments instead,” writes Boyd, noting that despite how obvious this scam appears to people accustomed to being targeted by phishing scams, there will “always be someone who panics” and starts coughing up their personal and financial data.
Spotting a phishing campaign can be difficult, but PayPal has outlined a number of things to watch out for and the first is a false sense of urgency: “Many scam emails tell you that your account will be in jeopardy if something critical is not updated right away,” the company says.
If you think you’ve been targeted by scammers purporting to be PayPal, you should forward the entire email to email@example.com, subject line intact.