A PayPal phishing scam was first detected in 2019 – the scam used unusual activity alerts as a lure to get users to log in to PayPal to secure their account. This is a common tactic that has been used to steal PayPal credentials before, but this campaign was different as the attackers were after much more than just account credentials. This PayPal phishing campaign stole credentials, credit card details, email addresses and passwords, and security questions and answers.
This PayPal phishing scam has mutated over the years and has proved to be one of the most dangerous to date in terms of the financial harm caused. PayPal accounts can be drained, credit cards maxed out, sensitive information can be stolen from email accounts, and email accounts can then be used for further phishing scams on the victim’s family members, friends, and contacts.
How these Phishing Attacks Work
The PayPal phishing scams usually start with a warning designed to get the recipient to take immediate action to secure their account. They are informed that their PayPal account has been accessed from a new browser or device. They are told PayPal’s security controls kicked in and, as a result, the user is required to log in to their account to confirm their identity and remove limitations that have been placed on the account.
The email points out that PayPal could not determine whether this was a legitimate attempt to access their account from a new browser or device, or a fraudulent attempt to gain access to their PayPal Account. Either way, action is required to confirm their identity. A link is included to allow them to do that.
If the link is clicked, the user will be directed to a fake PayPal website where they are required to log in to restore their account. In this first stage, PayPal account credentials are obtained. The user is then directed to a new page where they are asked to update their billing address. In addition to their address, they are also asked for their date of birth and telephone number.
The next page asks for their credit card number, security code, and expiry date, which it is claimed will mean they do not need to re-enter that information when using PayPal. They are then asked to confirm the details in a second step, which is an attempt to make sure no errors have been made entering credit card information.
The user is then taken to another page where they are asked for their email address and password to link it to their PayPal account. After all the information has been entered, they are told the process has been completed and their account has been secured and successfully restored.
All of these phishing pages have the feel of genuine PayPal web pages, complete with genuine PayPal logos and footers. The domains used for the scam are naturally fake but have some relevance to PayPal. The domains also have authentic SSL certificates and display the green padlock in the browser.
Security experts are still finding fake websites that impersonate PayPal. Using advanced social engineering techniques, they try to trick users into handing over sensitive data, including login credentials.
Rising Number of COVID-19 Phishing Attacks
IT professionals are seeing an enormous number of COVID-19 themed email phishing attacks. SpamTitan is blocking increasing levels of these phishing emails. What started out as dozens of COVID-19 phishing websites has morphed to tens of thousands – more are being identified and blocked daily. With a large percentage of the workforce working from home, cybercriminals are trying to capitalize on the heightened anxieties of the public during the current crisis.
COVID-19 phishing scams are the most sophisticated versions of phishing emails the industry has seen. Are your employees and customers aware and are they protected?
COVID-19 vaccine scams
Cybercriminals are now shifting their focus to phishing emails around COVID-19 vaccines. These vaccine-themed phishing emails use subject lines referencing vaccine registration, locations to receive the vaccine, how to reserve a vaccine, and vaccine requirements.
For employees looking for vaccination information on company devices, the consequences are obvious. If the user falls for the scam email, they may divulge sensitive or financial information, or open malicious links or attachments, exposing the organization to attack. These phishing campaigns are sophisticated and may impersonate trusted entities, such as health or government agencies playing a central role in the COVID vaccination rollout.
Preventing Phishing Attacks
Naturally, you should take any security warning you receive seriously, but do not take the warnings at face value. Google, PayPal, and other service providers often send security warnings to alert users to suspicious activity. These warnings may not always be genuine, so you should always exercise caution.
The golden rule? Never click links in emails.
Always visit the service provider’s site by entering the correct information into your web browser to log in, and always carefully check the domain before providing any credentials.
Without the right security tools in place, organizations are vulnerable to phishing attacks. SpamTitan provides phishing protection by scanning all inbound email in real-time. SpamTitan searches for key indicators in the email header, domain information, and content and performs reputation analysis on all email links, ultimately blocking malicious emails before they reach the end-user.
SpamTitan checks every URL in an email against known blacklists - with 100% active web coverage. SpamTitan's sandboxing feature protects against sophisticated email attacks by providing a powerful environment to run in-depth analysis of unknown or suspicious programs.
Phishing attacks are increasingly complex and growing in number. One of the most effective ways to protect against phishing scams is with a powerful email security solution such as SpamTitan. SpamTitan utilizes an array of anti-phishing tools such as antivirus scanning, heuristic analysis, DMARC authentication and sandboxing. Few vendors offer all of these solutions in one package.
To protect against advanced phishing threats you need advanced protection.
Take a closer look at SpamTitan today – sign up for a free demo at a time that suits you.
PayPal Phishing FAQs
How can I tell if an email from PayPal is genuine?
Generally speaking, emails originating from PayPal will always address you by your full name in capital letters – e.g., JOHN SMITH rather than John Smith. Also, PayPal will never ask for your bank account number, debit, or credit card number. It will also never ask for your full name, your account password, or the answers to your PayPal security questions in an email. If you have any concerns about an email from PayPal, forward the email to email@example.com where PayPal's security experts will have a look at it and let you know whether or not it is genuine.
How does SpamTitan mitigate the threat of PayPal phishing scams?
There are several ways in which SpamTitan mitigates the threat of phishing scams. The most effective is DMARC authentication – an authentication process jointly developed by PayPal which leverages existing authentication processes (i.e., Sender Policy Framework and DomainKeys Identified Mail) to give domain owners control over emails sent from their domain names. DMARC authentication quickly identifies “spoof” emails claiming to be from PayPal and either rejects them or marks them as spam depending on how the authentication process is configured.
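The DMARC decision described above, as an added example (not SpamTitan's or PayPal's code): a message passes only if SPF or DKIM passes for a domain aligned with the visible From domain, otherwise the domain owner's published policy applies. The domains, the records and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
# Added example: simplified DMARC evaluation (relaxed alignment only).
# Every domain and record below is constructed sample data.

def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject' into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    """Assumption: the organizational domain is the last two labels.
    Production code consults the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain):
    """Relaxed alignment: both names share one organizational domain."""
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_domain, spf, dkim, record):
    """spf and dkim are (result, authenticated_domain) pairs taken from the
    receiver's own SPF and DKIM checks. Returns deliver/quarantine/reject."""
    policy = parse_dmarc(record).get("p", "none").lower()
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1])
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1])
    if spf_ok or dkim_ok:
        return "deliver"
    # DMARC failed: apply the policy the domain owner published.
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")

# Constructed spoof: From shows pay.example, but SPF only passes for the
# unrelated sending domain and the message carries no DKIM signature.
SPOOF = dict(from_domain="pay.example",
             spf=("pass", "bulk-sender.example"), dkim=("none", ""))
# Constructed genuine message: both mechanisms pass for aligned domains.
GENUINE = dict(from_domain="pay.example",
               spf=("pass", "mail.pay.example"), dkim=("pass", "pay.example"))

if __name__ == "__main__":
    for policy in ("reject", "quarantine", "none"):
        print(policy, dmarc_disposition(record=f"v=DMARC1; p={policy}", **SPOOF))
    print("genuine", dmarc_disposition(record="v=DMARC1; p=reject", **GENUINE))
```

An SPF pass on its own does not help the spoofed message, because the domain that passed is not aligned with the From domain the recipient sees.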
Other than DMARC authentication, how else does SpamTitan protect customers from PayPal phishing scams?
SpamTitan provides the option to “greylist” all inbound emails – which involves returning emails from unknown sources to the originating mail server with a request to resend the email. SMTP-compliant mail servers resend greylisted emails automatically. However, spammers' servers are rarely SMTP-compliant, so the phishing email is never returned. In the event a phishing email is resent, SpamTitan's anti-spam engine will run a series of tests to determine a spam score for the email. Whether the email is rejected, marked as spam, or delivered, will depend on the spam score threshold applied by the system administrator.
Doesn't the greylisting process delay the delivery of genuine emails?
When you configure SpamTitan to greylist inbound emails, you can specify a number of successful deliveries after which the greylisting process is suspended for each sender. Therefore, if you set the “auto-allow” field to “2”, the first two emails from a sender will be greylisted; and – provided the first two emails are successfully returned – no further emails from that sender will be greylisted. You can also exempt senders by name or IP address, and exempt emails sent to specific recipients (although recipient email exemptions are not recommended).
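The greylisting and “auto-allow” behaviour from the two answers above, as an added example (a model written for this page, not SpamTitan's implementation). The 60-second retry delay, the SMTP reply strings, the class and parameter names, and all addresses are assumptions or constructed sample data.

```python
# Added example: greylisting with an auto-allow counter and exemptions.
TEMPFAIL = "451 try again later"     # temporary failure: compliant servers retry
ACCEPT = "250 accepted for scoring"  # passed greylisting, spam scoring comes next

class Greylist:
    def __init__(self, auto_allow=2, min_delay=60, exempt_senders=(), exempt_ips=()):
        self.auto_allow = auto_allow   # retried deliveries before greylisting stops
        self.min_delay = min_delay     # seconds a retry must wait (assumed value)
        self.exempt_senders = set(exempt_senders)
        self.exempt_ips = set(exempt_ips)
        self.pending = {}              # (ip, sender, recipient) -> time first seen
        self.delivered = {}            # sender -> emails successfully resent

    def check(self, ip, sender, recipient, now):
        if sender in self.exempt_senders or ip in self.exempt_ips:
            return ACCEPT
        if self.delivered.get(sender, 0) >= self.auto_allow:
            return ACCEPT              # sender has proven that it retries
        key = (ip, sender, recipient)
        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now    # first attempt: defer and remember it
            return TEMPFAIL
        if now - first_seen < self.min_delay:
            return TEMPFAIL            # retried too quickly to count
        del self.pending[key]
        self.delivered[sender] = self.delivered.get(sender, 0) + 1
        return ACCEPT

def simulate(events, **settings):
    """Replay (time, ip, sender, recipient) attempts and return each reply."""
    gl = Greylist(**settings)
    return [gl.check(ip, sender, rcpt, t) for t, ip, sender, rcpt in events]

# Constructed traffic: a compliant sender that retries, and a lookalike
# sender whose server never comes back after the temporary failure.
GOOD = ("192.0.2.10", "billing@shop.example", "amy@corp.example")
BAD = ("198.51.100.7", "alert@lookalike.example", "amy@corp.example")
EVENTS = [(0, *GOOD), (5, *BAD), (300, *GOOD),   # email 1: deferred, then resent
          (900, *GOOD), (1200, *GOOD),           # email 2: deferred, then resent
          (2000, *GOOD)]                         # email 3: auto-allowed

if __name__ == "__main__":
    for event, reply in zip(EVENTS, simulate(EVENTS)):
        print(event[0], event[2], "->", reply)
```

With “auto-allow” at 2, the third email from the compliant sender is accepted on its first attempt, while the sender that never retries is never accepted.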
What is the difference between a PayPal phishing scam and a COVID-19 vaccine scam?
Although both scams have the objective of obtaining sensitive information, COVID-19 vaccine scams tend to request Medicare and Medicaid numbers in return for illegitimate COVID-19 tests, vaccines, and treatments. Healthcare information such as this can be used to commit medical identity theft which enables the scammer to receive medical treatment under your name. If Medicare or Medicaid subsequently denies the claim for fraudulently-provided healthcare treatment, the victim of the COVID-19 vaccine scam could be liable for the cost.