Phishing is commonly associated with spam emails, but email is not the only phishing channel, as the PayPal text phishing scam below shows. Phishers use a variety of methods to obtain sensitive information: phishing threats can arrive by email, text message, instant messenger, over the phone, or even in the mail.
Phishing is arguably the biggest threat to businesses and consumers and can result in a malware infection, the encryption of files via ransomware, the compromise of an email account, or the theft of sensitive data such as credit/debit card numbers or bank account information. A successful phishing attack can prove incredibly costly, as bank accounts can be emptied quickly. For businesses, malware infections can be catastrophic, and billions are lost to business email compromise scams each year.
There are approximately 200 million PayPal users, which makes the online payment service particularly attractive to phishers. PayPal is one of the world’s most commonly spoofed brands. When the brand is spoofed, there is a relatively high probability that the phishing email or text message will reach a person who has a PayPal account. Further, PayPal accounts usually hold money and are linked to a bank account and/or credit card, so gaining access to PayPal credentials can see both the account and the linked bank account emptied.
Phishers use a variety of social engineering techniques to fool end users into installing malware or disclosing their login credentials and other sensitive information. Spam email may be the main method of attack, although the use of text (SMS) messages – often referred to as SMiShing – is growing. This method of phishing can prove more successful for the attackers. The PayPal text phishing scam below is much harder to identify as malicious than many of the PayPal email phishing scams that have been detected in recent weeks.
Beware of this Credible PayPal Text Phishing Scam
This PayPal text phishing scam, and several variants along the same theme, have been detected in recent weeks. The text message appears to have been sent from PayPal from a short code number.
The message reads:
Your account is currently under review. Please complete the following security form to avoid suspension: http://bit[dot]ly/PayPal_-no-sms.eu
Another message reads:
Your account is under review. Please fill in the following security form to avoid lockout: http://bit[dot]ly/_payPal__
This PayPal text phishing scam works because many people do not carefully check messages before clicking links. Click the link in either of these two messages and you will be directed to a website that appears to be the official PayPal website, complete with branding and the normal page layout. It is not: the websites the messages direct recipients to are scam sites.
Those sites naturally require the user to enter their login credentials. Doing so just passes those credentials to the scammer. The scammer will then use those credentials to access an account, empty it of funds, and plunder the bank account(s) linked to the PayPal account. The password for the account may also be changed to give the attacker more time to make transfers and lock the genuine account holder out.
These scams are particularly effective on smartphones as the full URL of the site being visited is not displayed in the address bar due to the small screen size. It may not be immediately apparent that an individual is not on the genuine PayPal website.
This PayPal text phishing scam shows that you need to be on your guard at all times, whether accessing your emails, reading text messages, or answering the telephone.
Don’t Become a Victim of an SMS Phishing Scam
The PayPal text phishing scam detailed above is just one example of how cybercriminals obtain sensitive information via text message. Any brand could be impersonated. Shortlinks are often used to hide the fact that the website is not genuine, as is altering the link text to mask the true URL.
To avoid becoming a victim of an SMiShing scam, assume any text message correspondence from a retailer or company could be a scam. If you receive such a message – typically a warning about security – take the following steps.
- Access your account by typing in the correct URL into your web browser. Do not use the link in the message.
- Check the status of your account. If there is a freeze on your account, your account is under review, or it has been suspended, this will be clear when you log in.
- If in doubt, contact the vendor by telephone or send an email, again using verified contact information and not any contact details supplied in the text message (or email).
- Before logging in or disclosing any sensitive information online, check the entire URL to make sure the domain is genuine.
PayPal Email Phishing Scams
This PayPal text phishing scam is one of thousands of phishing campaigns targeting PayPal users, most of which arrive in inboxes.
PayPal email phishing scams can be highly convincing. The emails contain the familiar PayPal logo, the text in the message body is often well written with no grammatical errors or spelling mistakes, the footers contain all the information you would expect, and the font is the same as that used in genuine PayPal messages.
The purpose of PayPal phishing emails will vary depending on the campaign, although typically the aim is:
- To fool someone into disclosing their PayPal username/email address and password combination
- To obtain a credit/debit card number, expiry date, and CVV code
- To obtain bank account information and other personal information to allow account access
- To obtain a Social Security number and date of birth
- To install malware – Malware can capture all the above information and more
- To install ransomware – Ransomware encrypts files and prevents them from being accessed unless a ransom payment is made
PayPal phishing emails can be very convincing and virtually indistinguishable from genuine communications; however, there are often signs that suggest all may not be what it seems.
Some of the common identifiers of PayPal phishing emails have been detailed below:
- The messages contain questionable grammar or spelling mistakes.
- The hyperlink text suggests one domain, but hovering the mouse over the link shows that it directs the user to a different domain.
- The message does not address the account holder personally and starts with “Dear PayPal user”, “user”, or “PayPal member” instead of using the first and last name or the business name.
- A link in the email directs the recipient of the message to a website other than the genuine paypal.com domain or local site – paypal.ca, paypal.co.uk for example.
- The website the user is asked to visit does not start with HTTPS and/or does not have the green padlock symbol in the address bar.
- The email requests that personal information be disclosed, such as bank account details, credit card numbers, or security questions and answers.
- A user is requested to download or install software on their device.
HTTPS Does Not Mean a Website is Genuine
There has been a general push to get businesses to switch from HTTP to HTTPS by installing an SSL certificate. The SSL certificate binds a cryptographic key to an organization’s details; once it is installed, the browser shows the padlock symbol and the site’s address starts with HTTPS. This ensures that the connection between the browser and the web server is encrypted and secured.
If a website has a valid SSL certificate installed, the potential for snooping on information as it is entered in the browser – credit card information, for example – is reduced. What an SSL certificate does not offer, however, is a guarantee that the information is safe and secure.
A website owned or controlled by a cybercriminal can have a valid SSL certificate, start with HTTPS, and show a green padlock. Disclosing information on that site hands sensitive information straight to a scammer.
As more and more businesses have made the transition to HTTPS, so have cybercriminals. According to the Anti-Phishing Working Group’s (APWG) Q1 2018 phishing activity trends report, 33% of all phishing websites now use HTTPS and have valid SSL certificates. HTTPS and a green padlock do not mean that a website is genuine.
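The identifiers listed above (link text naming one domain while the link goes to another, a destination outside paypal.com or a local PayPal site, a non-HTTPS address, a shortlink hiding the real site) and this section’s point that HTTPS proves nothing about genuineness, as an added example that is not from the original article: a small Python routine that flags the links in an SMS or HTML email. The shortener set, the sample HTML email and the warning tag names are constructed for the example; the SMS sample is the first message quoted above, defanged as printed there.

```python
import re
from urllib.parse import urlparse

# Genuine PayPal domains named in the article; their subdomains pass, lookalikes do not.
GENUINE = ("paypal.com", "paypal.ca", "paypal.co.uk")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # constructed list of link shorteners
URL_RE = re.compile(r"https?://[^\s<>\"']+")  # bare URLs in SMS / plain text
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)  # hostnames in link text
# Good enough for constructed samples; real mail should go through an HTML parser.
ANCHOR_RE = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed samples: the first SMS from the article (defanged, as printed there)
# and a made-up HTML email whose link text names PayPal but points elsewhere.
SMS_SAMPLE = ("Your account is currently under review. Please complete the following "
              "security form to avoid suspension: http://bit[dot]ly/PayPal_-no-sms.eu")
EMAIL_SAMPLE = ('<p>Dear PayPal user, your account is limited. <a href='
                '"https://paypal.com.account-verify.example/login">'
                'https://www.paypal.com/signin</a></p>')

def same_site(host, domain):
    """True if host is domain or a subdomain of it ('paypal.com.evil.example' is not)."""
    return host == domain or host.endswith("." + domain)

def check_link(href, display_text=""):
    """Warning tags for one link; an empty list means nothing was flagged.
    HTTPS is checked but never counts in favour: a certificate does not prove genuineness."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    warnings = []
    if parsed.scheme != "https":
        warnings.append("no-https")
    if host in SHORTENERS:
        warnings.append("shortlink-hides-destination")
    elif not any(same_site(host, d) for d in GENUINE):
        warnings.append("not-a-paypal-domain")
    # Link text that names a host the href does not actually go to.
    shown = [h.lower() for h in HOST_RE.findall(display_text)]
    if shown and not any(same_site(host, h) or same_site(h, host) for h in shown):
        warnings.append("link-text-does-not-match-destination")
    return warnings

def scan_message(body, html=False):
    """Map every link in an SMS (plain text) or email (HTML) body to its warnings."""
    body = body.replace("[dot]", ".")  # refang indicators stored defanged, e.g. bit[dot]ly
    pairs = ANCHOR_RE.findall(body) if html else [(u, "") for u in URL_RE.findall(body)]
    return {href: check_link(href, text) for href, text in pairs}
```

Note that a link to a genuine PayPal subdomain over HTTPS produces no warnings, while a lookalike such as paypal.com.account-verify.example is flagged even though it would pass the HTTPS and padlock test.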
Anti-Phishing Best Practices to Adopt
- Exercise caution when someone sends you a hyperlink in a text message or email. The sender may not be who you think it is. A contact or family member’s email account may have been compromised or their phone stolen or the email address may have been spoofed.
- Never open email attachments in unsolicited emails from unrecognized senders.
- Beware of any email that suggests urgent action must be taken, especially when there is a threat of negative consequences – your account will be limited or deleted for example.
- If in doubt about the genuineness of an email, do not click or open any attachments. Simply delete the message.
- Businesses should implement an advanced spam filter to prevent the majority of phishing emails from reaching inboxes.
- Businesses should also implement DMARC to prevent spoofing of their brands.
- Businesses should provide ongoing security awareness training to employees to teach the skills required to identify phishing emails and smishing attempts such as this PayPal text phishing scam.