A new PayPal phishing scam has been detected that uses unusual activity alerts as a lure to get users to login to PayPal to secure their account. This is a common tactic that has been used to steal PayPal credentials before, but this campaign is different as the attackers are after much more than just account credentials.

This PayPal phishing campaign attempts a clean sweep – PayPal credentials, credit card details, email addresses and passwords, and security questions and answers.

The PayPal phishing scam is one of the most dangerous to date in terms of the financial harm that could be caused. PayPal accounts can be drained, credit cards maxed out, sensitive information can be stolen from email accounts, and email accounts can be then used for further phishing scams on the victim’s family members, friends, and contacts.

The PayPal phishing scam starts with a warning designed to get the recipient to take immediate action to secure their account. They are informed that their PayPal account has been accessed from a new browser or device. They are told PayPal’s security controls kicked in and as a result, the user is required to login to their account to confirm their identity and remove limitations that have been placed on the account.

The email points out that PayPal could not determine whether this was a legitimate attempt to access their account from a new browser or device, or a fraudulent attempt to gain access to their PayPal Account. Either way, action is required to confirm their identity. A link is included to allow them to do that.

If the link is clicked, the user will be directed to a fake PayPal website where they are required to login to restore their account. In this first stage, PayPal account credentials are obtained.  The user is then directed to a new page where they are asked to update their billing address. In addition to their address, they are also asked for their date of birth and telephone number.

The next page asks for their credit card number, security code, and expiry date, which it is claimed will mean they do not need to re-enter that information again when using PayPal. They are also then asked to confirm the details in a second step, which is an attempt to make sure no errors have been made entering credit card information.

The user is then taken to another page where they are asked for their email address and password to link it to their PayPal account. After all the information has been entered, they are told the process has been completed and their account has been secured and successfully restored.

All of these phishing pages have the feel of genuine PayPal web pages, complete with genuine PayPal logos and footers. The domains used for the scam are naturally fake but have some relevance to PayPal. The domains also have authentic SSL certificates and display the green padlock in the browser.

Naturally you should take any security warning you receive seriously, but do not take the warnings at face value. Google, PayPal, and other service providers often send security warnings to alert users to suspicious activity. This PayPal scam shows that those warnings may not always be genuine and that you should always exercise caution.

The golden rule? Never click links in emails. Always visit the service provider’s site by entering the correct information into your web browser to login, and always carefully check the domain before providing any credentials. This is important as there has been an increase in typosquatting attacks, where cybercriminals take advantage of careless typists who misspell domain names when entering them into the address bar of their browser.