PayPal phishing scams ramp up for holidays

'Tis the season to be careful. That should be no surprise. Given that the online holiday shopping season is peaking, cybercriminals would be expected to ramp up their efforts as well.

But it might be a bit surprising -- not to mention depressing for security evangelists -- that one of the oldest and typical scams aimed at online buyers is still successful: PayPal email phishing.

Paul Ducklin wrote this week on Naked Security that Australian PayPal users are being targeted. But there is also word of the same thing happening in Ontario, Canada.

It won't stop there. Chester Wisniewski, a senior security adviser at Sophos, noted that PayPal is used worldwide."It is a global phenomenon. These guys are equal opportunity exploiters," he said.

Even though the scam is common, Wisniewski said it remains successful. He said nobody but the criminals know just how successful they are, however. "Scams that aren't working die quickly, so we can assume that these must work quite well considering the frequency that we see them," he said.

Fred Touchette, a senior security analyst at AppRiver, said that "most victims shy away from admitting their losses except to perhaps their banking institution when attempting to recover their loss."

And even if the number is relative small, phishers have succeeded, said Catalin Cosoi, chief security researcher at Bitdefender. "Attackers don't need high rates of success, as phishing is just like handing out leaflets in the mall," Cosoi said "If one gets two or three customers out of every 100, mission accomplished."

The scam is by now familiar not just to security experts but to any reasonably savvy Internet user. It starts with a somewhat credible-looking email with the PayPal logo "acknowledging" a payment for something that the intended victim didn't buy. It provides an embedded link inviting the recipient to click on it to dispute the charge.

"And that's the ploy, of course," Ducklin wrote. "Hovering over the 'Press here to cancel this payment' link should be enough to reveal the bogosity. You won't be sent to PayPal but to a lookalike impostor site that helps itself to your login details."

Click on the bogus link and the criminals will steal your identity.

Wisniewski said he believes the primary victims of the scam are less savvy Internet users, whether that be old, young or simply not technical. But anyone can get stung by the social engineering. "Sometimes more tech-savvy people fall victim as well when they don't think things through before they click," he said.

[See also: Phishing - the basics]

Touchette said the season makes the scam more successful. "Many people are waiting on what are often multiple purchases to arrive from multiple sources, and may be eager to read any sort of notification about said purchases. This can really bring one's guard down," he said.

Wisniewski said his own mother, who lives in Michigan, "actually clicked one of these things last month. Thankfully Sophos Anti-Virus picked up the payload -- a Zeus banking Trojan in this case."

By now, the advice on how to avoid such scams ought to be familiar too, but given its success, it bears repeating. PayPal itself has a list of warnings and advice on its website, including a "challenge" to customers to find out how much they know.

But there are some general rules about unsolicited emails, including:

Don't click on a link embedded in an email. Go to the vendor's website and log in from there.

Failing that, before clicking on any link, at least hover over it to check the site's web address (URL). Larry Magid at the Huffington Post notes that, "if it's Sears, for example, make sure it's really and not something like" Also check the spelling -- scammers frequently register a site with a single letter different from a legitimate site.

A legitimate PayPal email will never ask for a full name, password, driver's license number, Social Security number, credit and/or debit card numbers, PIN numbers or bank account numbers. Don't provide them.

A legitimate PayPal email will also never contain an attachment or software update. An email with those will likely contain spyware or a virus.

Beyond those, Touchette said users should not assume that because they're somewhat savvy that they are invulnerable. "Knowing that scams exist and that anyone can be a victim, provides a gentle reminder that the, 'It will never happen to me' attitude can be dangerous," he said. "A little vigilance goes a long way."

Cosoi added that online shoppers should not use their primary personal email. "Use a dedicated email address for sensitive operations such as registering for accounts with payment processors," she said. And one last bit of advice: "Last, but not least, use a solid antispam solution."

Join the CSO newsletter!

Error: Please check your email address.

Tags online safetysecuritypaypal

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place