cfo-au logo
Story image

PayPal phishing scam uses 'safety' features to trick people

26 Jul 2019

The wave of scam and phishing emails just doesn’t stop. This time, a bunch of PayPal scam emails are doing the rounds, and this time they’re more devious than ever. 

These scams use safety features to steal victims’ confidential data, and are ‘brandjacking’ trusted names in the industry to conduct their attacks.

In this case, a newsletter email service called was compromised at some point. Attackers are using this service to send fake emails with the display name “PayPal”.

According to security firm MailGuard, the message is a ‘confirmation’ that a new email address has been added to their PayPal account.

The email then asks users to click a link that says ‘let us know right away’ if they did not add the email address to the account. 

When users click on the link, they are taken to a clone of the PayPal website – but that website is anything but real. The page leads to another PayPal-branded login page requesting users for an email or mobile number.

When users click ‘next’, they are asked for their password. They then appear to ‘log in’ to PayPal.

Users are then asked to update their billing address.

When they do so, they are then asked for their credit card information.

After they’ve done all that, they are then redirected to the genuine PayPal website.

“Several techniques have been employed in this email to look like a genuine notification from PayPal, including the usage of high-quality graphical elements such as the company’s logo and branding,” comments MailGuard.

“Another technique is the attempt to evoke urgency; telling the recipient to ‘let us know right away’ creates a sense of anxiety and panic that their account isn’t safe. This also motivates the recipient to click on the provided link right away, distracting them from checking the sending address of the email and looking out for any other errors.”

“It is also interesting to note that the body of the scam email is, ironically, focused on securing the users’ PayPal accounts. This only adds on to the sense of legitimacy evoked by the email as security updates such as a new email address is a common notification expected of such a well-established company. All this serves to elicit a more confident response from recipients who think they are, in fact, making their accounts more secure by clicking on the provided link and entering their confidential login details.”

MailGuard says if people are sure if an email is genuine, they should contact the company directly. People should also:

•    Beware of emails that contain grammatical or branding errors, but purport to be from reputable organisations.
•    Always hover your mouse over the links contained in emails in order to check their legitimacy – don’t click them unless you are sure they are safe.
•    To ensure safety, type the URL of the organisation you are intending to visit manually into your browser or navigate through Google search to find the correct website before entering your credentials.
•    Be particularly wary of emails asking you to supply personal details that the purported organisation should already know, especially those which ask for credit card or bank account details.

Story image
Are Australian businesses missing out on fintech benefits?
Despite increasing digital adoption in response to the COVID-19 pandemic, the survey revealed that only a third of businesses in APAC have actively adopted fintech solutions.More
Story image
'Masters of Change' will define future as digital gap widens in wake of COVID
A wave of companies are racing to reinvent themselves and use technology innovations to shape the new realities they face. More
Story image
Patrick Quesnel, a Microsoft NZ mainstay, is appointed as Azure infrastructure lead for APAC
Quesnel comes into the new role off the back of over three years as AI business group lead for Microsoft Azure New Zealand, where he was ‘instrumental’ in building Microsoft NZ’s business. More
Story image
Low-code tech market to reach US$13.8 billion in 2021
Driven primarily by factors influenced by the pandemic last year, COVID-19 restrictions will continue to drive a surge in remote development in 2021, which in turn will boost low-code adoption, Gartner says.More
Story image
Study uncovers widespread artificial intelligence and machine learning knowledge gap
"This study shines a light on the struggle to balance the potential benefits of AI and ML against the ongoing challenges of getting AI/ML initiatives off the ground."More
Story image
Microsoft endorses Australia’s proposal on technology and the news
"Google and Facebook's threat to tamp down their services or pull out of a country entirely creates a new vulnerability for democracies and underscores the need for new rules for digital markets."More