According to ESET researchers, the attack uses convincing-looking emails and fake websites that look identical to the real PayPal website. These trick you into entering your login credentials and other personal information, which are then submitted to the attacker. With phishing campaigns written by non-native English speakers, you will most often notice grammar and syntax errors when you look deeper. The "From" email address may be spoofed, or it will show a different email domain that is not PayPal's.
How is the phishing attack done?
You receive an email purporting to be from PayPal, stating that they want to resolve an issue with your account, that there has been some unusual activity on your account, etc. This is meant to make an unsuspecting victim fall for the bait and want to secure his account and safeguard his money. There is a login button at the bottom of the email.
Once you click the login button, a real-looking web page opens with a fake login screen that even has an SSL certificate to suggest it's authentic. The domain in the URL has nothing to do with PayPal sites. This URL should be a clue that it's a scam. The catch, however, is that you won't be suspecting a scam. Always watch out for this.
How to protect yourself
First and foremost, do not click links in emails. Always type in the URL of the page you want to visit. With such PayPal phishing campaigns, type paypal.com into your web browser, then resolve any issues that may have been highlighted, even if you had received a legitimate email from PayPal.
You can hover your mouse over the link in the email without clicking it. At the bottom of the page the full URL should appear, and it should start with "http://www.paypal.com/" or "https://www.paypal.com/". If the URL appears as a shortened link, don't open it.
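The link check described above can also be run over the HTML of a saved email. This Python sketch is an added example, not part of the original post; the trusted-host list, the shortener list and the sample message are assumptions constructed for illustration. It goes one step beyond the prefix check in the text by comparing the parsed host name, which also catches lookalike addresses that merely contain "www.paypal.com".

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed lists for this example; adjust to your own policy.
TRUSTED_HOSTS = {"paypal.com", "www.paypal.com"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}

# Constructed sample email body (example.org / example.net are reserved domains).
SAMPLE_EMAIL = """
<p>There has been some unusual activity on your account.</p>
<a href="https://www.paypal.com/signin">Log in</a>
<a href="https://www.paypal.com.account-check.example.org/signin">Log in</a>
<a href="https://www.paypal.com@login.example.net/">Log in</a>
<a href="https://bit.ly/placeholder">Log in</a>
"""


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag, i.e. what hovering would reveal."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def classify_link(url):
    """Return 'paypal', 'shortened' or 'suspicious' for one link target."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL
        return "suspicious"
    if parts.scheme not in ("http", "https") or not host:
        return "suspicious"
    if host in SHORTENER_HOSTS:
        return "shortened"  # real destination is hidden: do not open
    # Exact host match; "www.paypal.com.<other domain>" and
    # "www.paypal.com@<other domain>" both fail this test.
    return "paypal" if host in TRUSTED_HOSTS else "suspicious"


def audit_email(html_body):
    """Return (href, verdict) for every link in an HTML email body."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(href, classify_link(href)) for href in collector.hrefs]
```

Calling `audit_email(SAMPLE_EMAIL)` returns one verdict per link; only the first link in the constructed sample is classified as `paypal`.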
Passwords are the most common means of authentication, and you need to choose good, strong passwords that you keep confidential. For sites that offer 2-factor authentication as an extended authentication method, please make use of it. Check my other post on password security tips to help secure yourself.
It’s easy for unsuspecting people to be fooled by phishing campaigns. Let this information raise awareness should someone encounter such campaigns.
image credit: Christiaan008