Akankasha Dewan 26 October 2020 19:23:10 AEDT 5 MIN READ

PayPal impersonated in phishing scam; email claims to offer refund on a recent payment

Global online payments system PayPal is once again the subject of a multi-staged phishing email scam.

Titled “Suspicious Login Activity”, the email uses the display name “Service”, and includes PayPal’s logo and branding. However, the email address used in the “From” field doesn’t use a domain belonging to the company. It actually originates from a compromised mail security service.

The email body is designed to look like a transaction alert, containing details of a recent payment, including the transaction ID number and the amount transferred. If users “don’t recognize this transaction”, they are directed to claim a refund and are informed their account has been “temporarily suspended” until their identity can be confirmed.

Here’s what the email looks like:

[Screenshot: PayPal email 2]

[Screenshot: PayPal email 3]

Unsuspecting recipients who click on the link are led to a fake PayPal-branded login page. This is a fairly accurate representation of the actual PayPal login page, and is professionally polished. The domain used in the page’s URL, however, doesn’t belong to the company and is a huge red flag that should point to the page’s illegitimacy. This page is actually hosted on a compromised website.



Upon “logging in”, users are led to a page informing them that their “access to sensitive account features will be limited”. This page includes support information like users’ Case ID and steps detailing how they can get their account access restored, as per the below:


Once users click “continue”, they are led to similar pages asking them for their personal details like address, bank account & credit card numbers. As you can see below, all of these also employ PayPal’s branding elements:



Once users enter and submit the above fields, the attacker harvests them for later use, and after being shown the below "Thank you" page, they are redirected to PayPal’s actual website:


Any user who falls victim to this scam is vulnerable to having their PayPal account hijacked, their credit card details used to make fraudulent purchases and their identity stolen.

We’ve intercepted several phishing email scams spoofing PayPal in the past. While some similarly claimed to have detected unusual activity in users’ accounts, others took a different approach and claimed to confirm the addition of a new address to their accounts. Most of these scams, however, are designed to create panic and confusion among recipients and make them concerned about their account security.

Being a widely used and trusted online payments service supporting a plethora of online stores, PayPal is a popular target for cybercriminals, especially as more users shop online due to the closure of many physical stores during the COVID-19 pandemic. Many of us rely on PayPal as a trusted means of making and receiving payments securely, so naturally, when we receive an email supposedly from PayPal regarding an action required for our account, we would take action.

To trick recipients into falling for this scam, cybercriminals have incorporated multiple elements. These include:

  • The use of an alarming subject line and body; informing recipients that their account has been suspended in an email titled “Suspicious Login Activity” creates a sense of urgency and anxiety, motivating users to take action immediately without checking the email’s authenticity; and
  • The presence of multiple security certificates and support information in both the email & following phishing pages, including a link to identify phishing, the company’s privacy statement, and detailed information regarding the nature of users’ “limited” account. These are elements typically present in notifications from well-established companies like PayPal, and likely included to lend credibility to the scam.

Despite these techniques, recipients should be able to spot several red flags that point to the email’s illegitimacy. For instance, the user isn’t addressed directly in the email and the email contains clumsy wording.

To protect your business against scams like this PayPal phishing email:

  • Beware of emails that contain grammatical or branding errors, but purport to be from reputable organisations.
  • Always hover your mouse over the links contained in emails in order to check their legitimacy – don’t click them unless you are sure they are safe.
  • To ensure safety, type the URL of the organisation you are intending to visit manually into your browser or navigate through Google search to find the correct website before entering your credentials.
  • Be particularly wary of emails asking you to supply personal details that the purported organisation should already know, especially those which ask for credit card or bank account details.
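The two checks the post keeps returning to (the “From” address not using the company’s domain, and links whose domain doesn’t belong to the company) can be automated on the mail-gateway side. The script below is an added example and is not MailGuard’s code or detection logic: it parses a constructed message modelled on the scam described above (the sender and link domains are placeholders, not the campaign’s real infrastructure), and flags brand mentions whose sender or link domains fall outside an assumed allow-list, urgency language, and the absence of the recipient’s name. A second, constructed legitimate-looking message shows the checks staying quiet.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: the domains PayPal legitimately sends from and links to.
BRAND_DOMAINS = {"paypal.com"}
BRAND_KEYWORDS = ("paypal",)
URGENCY_RE = re.compile(r"suspend|suspicious|unusual|immediately|limited", re.IGNORECASE)
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample modelled on the scam in the post; all domains and IDs are placeholders.
SCAM_EML = """\
From: Service <alerts@mail-filter-example.test>
To: victim@example.test
Subject: Suspicious Login Activity
Content-Type: text/html; charset=utf-8

<html><body>
<img src="https://www.paypal.com/logo.png">
<p>We noticed a payment of $259.99 (Transaction ID 7XY12345AB) from your account.</p>
<p>If you don't recognize this transaction,
<a href="https://paypal-secure-login.example.test/refund">claim a refund</a>.</p>
<p>Your account has been temporarily suspended until your identity is confirmed.</p>
</body></html>
"""

# Constructed legitimate-looking sample: brand domain in From and links, recipient named.
LEGIT_EML = """\
From: PayPal <service@paypal.com>
To: alex@example.test
Subject: Receipt for your payment to Example Store
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello Alex,</p>
<p>Thanks for your payment of $12.00 to Example Store.
Your receipt is available in <a href="https://www.paypal.com/myaccount">your account</a>.</p>
</body></html>
"""


def is_brand_domain(host: str) -> bool:
    """True if host is one of the brand's domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def extract_link_hosts(html: str) -> list:
    """Return the hostnames of every href in the HTML body (the targets a user would land on)."""
    hosts = []
    for url in HREF_RE.findall(html):
        host = urlparse(url).hostname
        if host:
            hosts.append(host)
    return hosts


def analyze_message(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means no red flags were found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    body_part = msg.get_body(preferencelist=("html", "plain"))
    html = body_part.get_content() if body_part else ""
    text = f"{display_name} {msg.get('Subject', '')} {html}".lower()

    # Red flag 1: the message trades on the brand but the sender domain is not the brand's.
    mentions_brand = any(k in text for k in BRAND_KEYWORDS)
    if mentions_brand and not is_brand_domain(from_domain):
        findings.append(f"brand mentioned but From domain is {from_domain!r}")

    # Red flag 2: links lead somewhere other than the brand's own site.
    foreign = sorted({h for h in extract_link_hosts(html) if not is_brand_domain(h)})
    if mentions_brand and foreign:
        findings.append(f"links point to non-brand hosts: {foreign}")

    # Red flag 3: pressure language (suspension, suspicious activity, act now).
    if URGENCY_RE.search(text):
        findings.append("urgency language in subject or body")

    # Red flag 4: recipient is not addressed by name (local part of the To address as a proxy).
    _, to_address = parseaddr(msg.get("To", ""))
    local = to_address.split("@", 1)[0].lower()
    if local and not re.search(rf"\b{re.escape(local)}\b", text):
        findings.append("recipient not addressed by name")

    return findings


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_EML), ("legit", LEGIT_EML)):
        print(label, analyze_message(raw) or "no findings")
```

The name check uses the local part of the recipient address only as a stand-in for a real directory lookup; in a gateway you would compare against the user’s display name. Domain matching is deliberately strict (exact domain or subdomain) rather than a substring test, since look-alike hosts such as the placeholder above contain the brand name precisely to pass a careless check.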

If you are unsure whether an email notification you’ve received from PayPal is legitimate, simply contact the company directly.

Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and whatever happens, do not open or click them.

Phishing continues to be one of the most prevalent forms of cyber-crime. The vast majority of online scams - more than 90% - are perpetrated using email, so it’s wise to always be skeptical of messages from unfamiliar senders asking you to log into your accounts.

As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.

One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.
