Breaking: Legitimate-looking phishing email preys on PayPal users

Posted by Akankasha Dewan on 22 July 2019 17:09:11 AEST

MailGuard has intercepted a new multi-staged phishing email scam spoofing PayPal. The hallmark of this scam lies in not only how well-designed it is, but how it ironically utilises safety features to steal confidential data of users.

First detected yesterday, the 21st of July evening (AEST), it appears the email is sent using a compromised account of the newsletter email service, The display name used for the email is "PayPal".

The message is a "quick confirmation" that a new email address has been added to their PayPal account. The email states that if users did not add this address to their account, there is a link to "let us know right away" to help ensure that their account remains safe. 

Here is a screenshot of the email:

Unsuspecting recipients who click on the link to “let us know right away” are taken to a convincing copy of the PayPal website. They are first shown a "loading" page with the PayPal logo.

This page then leads up to another PayPal-branded login page requesting users for an email or mobile number, as per the below:

Upon clicking ‘next’, users are then led to a similar page that prompts them to enter their password:

After ‘logging in’, a third page shows up asking recipients to update their billing address:


Updating billing details leads users to another page asking them for their credit card information:

Finally, after submitting all required details, the user is redirected to the actual PayPal website.

E-commerce companies such as PayPal commonly hold a well-established and trusting relationship with customers, so when cybercriminals are looking for good trademarks to use in their email attacks they often brandjack companies like these.

Several techniques have been employed in this email to look like a genuine notification from PayPal, including the usage of high-quality graphical elements such as the company’s logo and branding. Another technique is the attempt to evoke urgency; telling the recipient to ‘let us know right away’ creates a sense of anxiety and panic that their account isn’t safe. This also motivates the recipient to click on the provided link right away, distracting them from checking the sending address of the email and looking out for any other errors.

It is also interesting to note that the body of the scam email is, ironically, focused on securing the users’ PayPal accounts. This only adds on to the sense of legitimacy evoked by the email as security updates such as a new email address is a common notification expected of such a well-established company. All this serves to elicit a more confident response from recipients who think they are, in fact, making their accounts more secure by clicking on the provided link and entering their confidential login details.    

To protect your business against scams like this PayPal phishing email:

  • Beware of emails that contain grammatical or branding errors, but purport to be from reputable organisations.
  • Always hover your mouse over the links contained in emails in order to check their legitimacy – don’t click them unless you are sure they are safe.
  • To ensure safety, type the URL of the organisation you are intending to visit manually into your browser or navigate through Google search to find the correct website before entering your credentials.
  • Be particularly wary of emails asking you to supply personal details that the purported organisation should already know, especially those which ask for credit card or bank account details.

If you are unsure if a PayPal email is legitimate, simply contact the company directly.

One email

Cybercriminals use email scams to infiltrate organisations with malware and attack them from the inside. 
All criminals need to break into your business is a cleverly worded message. If they can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive email security.
Talk to an expert at MailGuard today about making your company's network secure: click here.


Stay up-to-date with new posts on the MailGuard Blog by subscribing to free updates. Click on the button below:

Keep Informed with Weekly Updates



Topics: Xero

Back to Blog


Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.


  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.

Recent Posts

Posts by Topic

see all