Article contributed by Ethan Fite
Phishing scams are evolving, and threat actors continue to adapt their methods to exploit trusted brands and platforms.
One of the latest trends we’ve observed at Cyderes is a sophisticated phishing scam leveraging PayPal’s legitimate email system to send fraudulent money requests. These requests aim to manipulate and scare victims into calling fake “Fraud Alert” phone numbers, ultimately tricking them into divulging sensitive personal or financial information.
The Scam at a Glance
This phishing attempt uses PayPal’s legitimate money request feature to make fraudulent activity appear authentic. Here’s how it works:
1) Money Request Sent via PayPal: Threat actors use the official PayPal platform to send a money request email to their targets. Because the message is generated and sent by PayPal's own mail infrastructure, it comes from PayPal's domain and passes SPF, DKIM and DMARC checks, so sender-authentication and reputation-based spam filtering will not flag it.
2) Deceptive Messaging: The threat actor places a message in the free-text note field of the request, which is the only part of the notification they control.
Some examples include:
a) “Fraud Alert: If you believe this to be in error, please contact (phone number).”
b) “If you notice any suspicious activity with this order, contact PayPal at (phone number) to verify. If we don’t hear from you, the transaction will be processed.”
The listed phone number does not belong to PayPal. Instead, it connects to the fraudsters posing as PayPal support agents.
3) Inducing Panic: The money request often includes a significant dollar amount to alarm the recipient. The combination of a large payment and the urgent “Fraud Alert” message pushes victims to act quickly, bypassing their usual caution.
4) Social Engineering via Phone: When victims call the fake “Fraud Alert” number, the threat actors use social engineering techniques to extract personal information, including:
- PayPal account credentials
- Credit card or bank account details
- One-time passwords (OTPs) or 2FA codes
Why This Scam is Effective
Leveraging Trust in PayPal
PayPal is a globally recognized and trusted brand. By using its official system, the scammers bypass common red flags like fake sender domains or poorly crafted emails.
Emotional Manipulation
The urgency of a “Fraud Alert” combined with a substantial dollar amount preys on fear and confusion. This psychological pressure encourages victims to act impulsively.
Authentic Appearance
Because the email is genuinely sent by PayPal, even vigilant users may be fooled into thinking the request itself is legitimate. The scam exploits the assumption that anything PayPal sends must be trustworthy, when in fact the note text was written by the person who created the request.
How to Spot and Avoid This Scam
Verify the Request: Log in to your PayPal account directly through the app or official website to confirm the validity of the money request. Do not rely on the email alone.
Ignore Unfamiliar Phone Numbers: PayPal's genuine support contact information is listed on its official website and in the footer of its emails. If the "Fraud Alert" phone number in the request note does not match a number PayPal publishes, treat it as a scam.
Avoid Calling Numbers in the Email: Instead, independently look up PayPal’s official customer service number to verify any suspicious activity.
Check the Content of the Request: Legitimate fraud alerts from PayPal do not direct you to call a phone number embedded in a money request note. They guide users to secure their accounts online, after logging in directly.
Enable Security Measures:
- Activate Two-Factor Authentication (2FA) on your PayPal account.
- Use strong, unique passwords.
- Regularly monitor your PayPal account activity for unauthorized transactions.
What to Do If You’ve Fallen Victim
If you’ve called the fake number and shared sensitive information, take immediate action:
Change Your PayPal Password: Log in to your account and update your credentials.
Enable 2FA: Add an extra layer of security to your account.
Monitor Financial Accounts: Check your bank statements and credit card accounts for unauthorized transactions.
Report the Incident:
- Report the scam to PayPal by forwarding the email to spoof@paypal.com.
- File a report with the Federal Trade Commission (FTC) via ReportFraud.ftc.gov.
Recommendations for Organizations
Educate Employees and Customers
Awareness is the first line of defense. Train employees to recognize phishing attempts and advise customers on how to verify legitimate communications from your organization.
Collaborate with Vendors
Work closely with vendors like PayPal to report scams and ensure they’re actively mitigating risks in their systems.
Deploy Advanced Threat Detection
Use advanced threat intelligence solutions to monitor phishing trends and preemptively address emerging tactics.
Implement Email Filtering
Use email security solutions to detect and block risky emails associated with PayPal activity. Because these messages genuinely originate from PayPal and pass SPF, DKIM and DMARC, sender-authentication controls alone will not catch them; detection has to be content-based.
Email Security Gateways
Configure email filtering solutions (e.g., Proofpoint, Mimecast) to detect and quarantine money request notifications sent from PayPal domains (e.g., @paypal.com) whose note text contains a phone number or specific keywords (e.g., "Fraud Alert:"). Scope the rule to the combination of sender domain, request wording and suspicious note content rather than to the PayPal domain alone; quarantining all mail from paypal.com would also suppress legitimate receipts and notifications, and a keyword-only rule misses variants that omit the phrase "Fraud Alert".
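The following is an added example, not code from the original article or from any SEG vendor, showing the difference between a keyword-only rule and a rule that keys on a phone number inside the sender-controlled note of a PayPal money request. The three messages are constructed samples; the header layout, the "Note from <name>:" label, the request wording, the phone-number pattern and the urgency terms are this example's own assumptions, not PayPal's templates.

```python
"""Content-based detection of PayPal money-request phishing (added example).

All three messages below are constructed samples. Field labels, wording and
indicator lists are assumptions for illustration, not PayPal's real templates.
"""
import re
from email import message_from_string
from email.message import Message

# Common phone formats: (800) 555-0199, 800-555-0199, 800.555.0199, +1 800 555 0199.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Phrasing assumed for a PayPal request notification.
REQUEST_RE = re.compile(r"sent you a (?:money )?request", re.IGNORECASE)
# Urgency terms taken from the scam messages quoted in the article.
URGENCY_TERMS = ("fraud alert", "suspicious activity", "will be processed", "unauthorized")


def sender_domain(msg: Message) -> str:
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def note_text(body: str) -> str:
    """Return the requester-written note, the only free text the scammer controls.
    Assumes the notification labels it 'Note from <name>:'; falls back to the whole body."""
    m = re.search(r"Note from [^:]+:(.*)", body, re.IGNORECASE | re.DOTALL)
    return m.group(1) if m else body


def keyword_only_rule(raw: str) -> bool:
    """The blunt rule: paypal.com sender plus the literal string 'Fraud Alert:'."""
    msg = message_from_string(raw)
    return sender_domain(msg).endswith("paypal.com") and "fraud alert:" in msg.get_payload().lower()


def analyze(raw: str) -> dict:
    """Combine sender domain, request wording and note content into a verdict."""
    msg = message_from_string(raw)
    body = msg.get_payload()           # samples are single-part text/plain
    auth = msg.get("Authentication-Results", "").lower()
    note = note_text(body)
    phones = PHONE_RE.findall(note)
    urgency = [t for t in URGENCY_TERMS if t in note.lower()]
    domain = sender_domain(msg)
    from_paypal = domain == "paypal.com" or domain.endswith(".paypal.com")
    is_request = bool(REQUEST_RE.search(body))
    # SPF/DKIM pass on every sample: the mail really is from PayPal, so
    # sender authentication cannot be the control that stops this scam.
    authenticated = "spf=pass" in auth and "dkim=pass" in auth
    if from_paypal and is_request and phones:
        verdict = "quarantine"        # a callback number in a request note is the key indicator
    elif from_paypal and is_request and urgency:
        verdict = "review"            # pressure language without a number: hand to an analyst
    else:
        verdict = "allow"
    return {"verdict": verdict, "authenticated": authenticated,
            "phones": phones, "urgency": urgency}


# Constructed samples. Header layout and wording are assumptions.
_HEADERS = (
    "From: PayPal <service@paypal.com>\n"
    "To: victim@example.com\n"
    "Subject: {subject}\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com;"
    " dkim=pass header.d=paypal.com; dmarc=pass\n"
    "Content-Type: text/plain\n\n"
)
LEGIT = _HEADERS.format(subject="Jane Doe sent you a money request") + (
    "Jane Doe sent you a money request for $25.00 USD.\n"
    "Note from Jane Doe: Dinner on Friday, thanks!\n"
    "Log in to your PayPal account to pay or decline.\n")
SCAM_FRAUD_ALERT = _HEADERS.format(subject="Billing Dept sent you a money request") + (
    "Billing Dept sent you a money request for $599.99 USD.\n"
    "Note from Billing Dept: Fraud Alert: If you believe this to be in error,"
    " please contact (800) 555-0199.\n"
    "Log in to your PayPal account to pay or decline.\n")
SCAM_NO_KEYWORD = _HEADERS.format(subject="Order Desk sent you a money request") + (
    "Order Desk sent you a money request for $479.00 USD.\n"
    "Note from Order Desk: If you notice any suspicious activity with this order,"
    " contact PayPal at 888-555-0142 to verify. If we don't hear from you,"
    " the transaction will be processed.\n"
    "Log in to your PayPal account to pay or decline.\n")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("fraud_alert", SCAM_FRAUD_ALERT),
                      ("no_keyword", SCAM_NO_KEYWORD)):
        print(name, "keyword_only:", keyword_only_rule(raw), analyze(raw))
```

The keyword-only rule catches the first scam sample but not the second, which avoids the phrase "Fraud Alert:"; the phone-number rule catches both while leaving the legitimate request alone, and every sample shows SPF and DKIM passing, which is why the content of the note rather than the sender has to be the signal.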
Investigate User Reported Emails for SEG Misses
Ensure that malicious emails that bypass SEG detection and are reported by employees are triaged and reviewed. Indicators taken from those reports (the callback phone number, the requester's display name, the note wording) can then be used to search for and quarantine other copies delivered across the environment. Cyderes can assist with this service to ease the burden on companies.
Conclusion
The PayPal money request phishing scam highlights the importance of staying vigilant against evolving cyber threats. By exploiting trusted platforms and leveraging social engineering tactics, threat actors continue to target both individuals and organizations.
Cyderes remains committed to combating these threats through proactive monitoring, education, and cutting-edge cybersecurity solutions.
For more insights and updates on phishing trends, stay connected with Cyderes. Together, we can build stronger defenses against cybercrime.
Ready to put these insights into practice and improve your ongoing security posture?
For more cybersecurity tips, follow Cyderes on LinkedIn and X.