Gabi Power 02 February 2023 15:55:49 AEDT 6 MIN READ

Don’t be Fooled by PayPal Money Requests

With more than 430 million users worldwide, PayPal is one of the most popular payment platforms out there – making it the perfect avenue for scams.  

One of the most common methods of attack that we see is the PayPal name and branding being used in phishing scams. With such a big user base, it’s easy for attackers to send phishing emails using PayPal branding en masse, knowing that a large number of recipients will have PayPal accounts, which increases the likelihood of a successful scam. Typically, these scams will attempt to get your username and password so the attacker then has access to your funds and payment methods, as was the case in this attack.

PayPal scams are also common in online marketplaces, such as eBay, Gumtree, Trading Post, or Facebook. In these situations, scammers will post an item for sale, and then, when they have an interested buyer, they’ll ask them to transfer the money through PayPal’s Family and Friends feature, which is typically used for transferring money to (you guessed it) family and friends. When paying for normal goods or services through PayPal, users are covered by its Purchase Protection Program in case of fraud or scams, but this protection does not extend to the Family and Friends feature. So, when the scammer receives the funds and doesn’t deliver, the purchaser is unable to recover their losses.

For anyone that has fallen for one of these scams, it’s no doubt a sad and frustrating experience. And now, scammers are using a similar method in a new attack.  

Over the past couple of months, MailGuard has been blocking a sophisticated new PayPal scam, but recently our threat ninjas have noticed a concerning rise in attempted attacks. While MailGuard prevents this threat from ever landing in your business’s inbox, it’s important that you know what to look out for should it be sent to your personal account.  

In this scam, attackers are using a PayPal feature which enables them to send requests to individuals for money to be transferred to them. Their intention is to send as many money requests to as many people as possible in the hope that someone will blindly approve the request. However, in an attempt to protect users, PayPal has placed restrictions on this feature: a request is free only if the person on the receiving end is registered as the sender’s family or friend.

However, scammers have found a way to bypass these security measures by using compromised Office 365 accounts to create second profiles on PayPal. These profiles are then connected to the primary account as a “friend”, and the money request emails that PayPal sends to the compromised mailbox are redirected on to a list of known users with PayPal profiles. This allows scammers to trick unsuspecting individuals into transferring funds to the fake profile.

In the example below, you can see that the “To” address shows “member12(at)(subdomain)(dot)onmicrosoft(dot)com”. This indicates that it’s an Azure tenant, and is likely someone’s compromised account rather than one created by a scammer.  

[Image: the scam email, showing the “To” address member12(at)(subdomain)(dot)onmicrosoft(dot)com]

To the untrained eye, the email with the money request may look legitimate, particularly because it has a label that reads “This message is from a trusted sender”. As the email is a genuine PayPal message that was redirected after delivery, PayPal itself DKIM-signed it, so the signature still validates when the redirected copy is checked.
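The redirection described above leaves a trail in the headers that a mail gateway can use: the DKIM signature passes for paypal.com, but the “To” header still names the compromised tenant mailbox rather than the person the message was finally delivered to. The following is an added example (not MailGuard’s or PayPal’s code) of that check run over constructed header samples. It assumes that the receiving gateway records its results in an Authentication-Results header, that local delivery adds a Delivered-To header, and that the forwarding step rewrites the envelope sender; the addresses, selector and tenant name are all made up.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample (not from the original post): a PayPal money request
# DKIM-signed by PayPal, addressed to a compromised Microsoft 365 tenant
# mailbox, then redirected on to the real target mailbox.
REDIRECTED_REQUEST = """\
Delivered-To: target@example.com
Authentication-Results: mx.example.com; dkim=pass header.d=paypal.com header.s=pp-dkim1; spf=pass smtp.mailfrom=contoso.onmicrosoft.com
From: "service@paypal.com" <service@paypal.com>
To: member12@contoso.onmicrosoft.com
Subject: Invoice Team sent you a money request
Message-ID: <constructed-1@mail.paypal.com>

"""

# Constructed control case: the same kind of request delivered directly.
DIRECT_REQUEST = """\
Delivered-To: target@example.com
Authentication-Results: mx.example.com; dkim=pass header.d=paypal.com header.s=pp-dkim1; spf=pass smtp.mailfrom=paypal.com
From: "service@paypal.com" <service@paypal.com>
To: target@example.com
Subject: Alice sent you a money request
Message-ID: <constructed-2@mail.paypal.com>

"""

MONEY_REQUEST_RE = re.compile(r"money request|sent you a request", re.I)
TENANT_DOMAIN_RE = re.compile(r"\.onmicrosoft\.com$", re.I)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address ('' if absent)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def dkim_passing_domains(auth_results: str) -> set[str]:
    """Signing domains (header.d=) of every dkim=pass clause in an
    Authentication-Results header (RFC 8601 clauses are ';'-separated)."""
    domains = set()
    for clause in auth_results.split(";"):
        if re.search(r"\bdkim=pass\b", clause, re.I):
            m = re.search(r"header\.d=([\w.-]+)", clause, re.I)
            if m:
                domains.add(m.group(1).lower())
    return domains


def assess_money_request(raw: str) -> dict:
    """Score a message for the redirected-money-request pattern.

    Heuristics (assumed, not PayPal's or MailGuard's rules):
      * DKIM passes for paypal.com and the subject reads like a money request;
      * the To header differs from the mailbox the message was delivered to;
      * the To header is a *.onmicrosoft.com tenant mailbox;
      * the SPF-checked envelope sender domain differs from the From domain,
        which is what a redirect typically produces.
    """
    msg = message_from_string(raw, policy=default)
    auth = str(msg.get("Authentication-Results", ""))
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    delivered = parseaddr(str(msg.get("Delivered-To", "")))[1].lower()
    subject = str(msg.get("Subject", ""))

    mailfrom = re.search(r"smtp\.mailfrom=([\w.@-]+)", auth, re.I)
    envelope_domain = domain_of(mailfrom.group(1)) or mailfrom.group(1).lower() if mailfrom else ""

    findings = {
        "dkim_signed_by_paypal": "paypal.com" in dkim_passing_domains(auth),
        "money_request_subject": bool(MONEY_REQUEST_RE.search(subject)),
        "to_differs_from_delivery": bool(to_addr and delivered and to_addr != delivered),
        "to_is_tenant_mailbox": bool(TENANT_DOMAIN_RE.search(domain_of(to_addr))),
        "envelope_sender_differs": bool(envelope_domain and envelope_domain != domain_of(from_addr)),
    }
    # A genuine PayPal signature plus any sign of redirection is the signal:
    # the message is real, but it was not sent to the person now holding it.
    redirected = findings["to_differs_from_delivery"] or findings["to_is_tenant_mailbox"]
    findings["verdict"] = (
        "hold-for-review"
        if findings["dkim_signed_by_paypal"] and findings["money_request_subject"] and redirected
        else "deliver"
    )
    return findings


if __name__ == "__main__":
    for name, sample in (("redirected", REDIRECTED_REQUEST), ("direct", DIRECT_REQUEST)):
        print(name, assess_money_request(sample))
```

Holding rather than dropping such messages is deliberate: a money request forwarded by a real colleague looks the same at the header level, so the gateway’s job is to route it to a human check, not to declare PayPal’s signature invalid.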

Scammers typically use different reasons in each request they send, but they tend to ask for hundreds of dollars and provide a contact number to help feign authenticity. Although we have not verified this, we can assume that calling the number will lead to a scammer convincing you that the charge is legitimate and threatening action if the sum is not paid.

[Screenshot of the money request, captured 2 February 2023]

PayPal is aware of this scam, and although they have not yet put measures in place which prevent it from happening, they’ll often delete the payment request – but it’s not an automatic process. This means that there’s a window of time during which the link remains active, and an unsuspecting recipient may be conned out of their money.

Fortunately for MailGuard users, our team is blocking these scams and they won’t appear in your inbox. However, our ninjas recommend strict SPF and DKIM policies in order to protect your brand from such abuse.

For those who aren’t MailGuard customers, PayPal offers this advice:  

“If you receive a suspicious invoice or money request, don’t pay it. And don’t call any phone numbers stated in the invoice note or open suspicious URLs. 

Cancel any unwarranted invoices or money requests by logging in to the PayPal website or the PayPal app.” 

MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Providing your personal details can result in your sensitive information being used for criminal activity and may have a severe negative impact on your business and its financial well-being.     

Protect your business

Many businesses turn to MailGuard after an incident or a near miss, often as a result of an email similar to the one shown above. If unwanted emails are a problem for your business, don’t wait until it’s too late.  

Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One email is all that it takes     

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's inboxes.  
