Watch out! Scammers are using this PayPal setting to take over your PC


In an ongoing scam, more and more emails are being sent out from legitimate PayPal addresses with fake purchase notifications in an attempt to trick users into granting remote access to threat actors.

Bleeping Computer reports that over the past month, the security news outlet has received emails that state “You added a new address. This is a just a quick confirmation that you added an address in your PayPal account.” Also reported on the r/Scams subreddit, the email includes a message that claims to be a purchase confirmation for a MacBook M4 and includes a “PayPal customer support number” for the user to call if they did not authorize the purchase.

The goal is to trick recipients into thinking their account was hacked, so that they call the scammers themselves at this support number. The number plays a recording that asks the caller to hold while it connects them to customer support; the person on the other end of the call is actually a scammer who will attempt to convince the caller that their PayPal account has been hacked.

During the call, they will try to get the caller to download and run software on their computer (something you should always avoid) so they can supposedly assist them in regaining access to their PayPal account and block the alleged transaction. However, this remote access software gives the scammers complete control over the caller's computer, which gives them a way to steal money from bank accounts, deploy malware or steal sensitive data.

Since these emails are coming from a “service@paypal.com” email address, many people are concerned that their accounts have been compromised – and because the emails are legitimate PayPal emails, they can bypass security and spam filters.

Users who have reported receiving these scam emails have confirmed that no new addresses had been added to their accounts, and in one instance a scam email was sent to an email address that has no PayPal account associated with it.

Abusing PayPal's gift address feature

[Image: a fake email showing a PayPal scam (Image credit: BleepingComputer/Tom's Guide)]

Scammers are doing this by using the “gift address” feature – Bleeping Computer’s research noticed that the bottom of one fraudulent email contained text that said “If you want to link your credit card to this address, or make it your primary address, log into your PayPal account and go to your Profile Since this address is a gift address, you can send packages to it with just a click.”

Gift addresses are simply additional addresses you can add to your PayPal profile; if you add a new address to an account, you can paste any message into the Address 2 field. PayPal will then send out a confirmation email to notify you of the new address, and include the message – in this case, a fake purchase message.

The threat actors are using an email address to automatically forward the email to a mailing list of targets; PayPal is enabling this scam inadvertently by not limiting the number of characters it allows in the address form fields, which allows the threat actors to inject their scam message there. Restricting the number of characters in the address field to a smaller character count could certainly help curtail this type of abuse.
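The abuse described above works because the address field accepts arbitrary free text. As an added illustration (not PayPal's code, and not from the original article), the snippet below contrasts a permissive validator that accepts anything non-empty with a hardened one that applies a length cap and rejects content that has no business in a postal address line. The 60-character limit, the phone-number and URL heuristics, the list of suspicious words, and the sample inputs (including the 555 placeholder phone number) are all assumptions constructed for the example.

```python
import re
from typing import List

# Assumed maximum length for a single address line; not PayPal's real limit.
MAX_ADDRESS_LINE_LEN = 60

# Assumed heuristics for content that does not belong in an address line.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")          # 8+ digit-ish run
URL_RE = re.compile(r"(?:https?://|www\.)", re.IGNORECASE)
URGENCY_WORDS = ("purchase", "unauthorized", "call", "support", "hacked", "invoice")


def validate_permissive(value: str) -> List[str]:
    """The weak setting: any non-empty text is accepted verbatim."""
    return [] if value.strip() else ["empty"]


def validate_address_line(value: str, max_len: int = MAX_ADDRESS_LINE_LEN) -> List[str]:
    """The hardened setting: return the reasons a value is rejected.

    An empty list means the value is accepted.
    """
    problems: List[str] = []
    if not value.strip():
        problems.append("empty")
    if len(value) > max_len:
        problems.append(f"too long ({len(value)} > {max_len})")
    if any(ch in value for ch in "\r\n\t"):
        problems.append("contains line breaks or tabs")
    if PHONE_RE.search(value):
        problems.append("contains a phone number")
    if URL_RE.search(value):
        problems.append("contains a URL")
    hits = [w for w in URGENCY_WORDS if w in value.lower()]
    if hits:
        problems.append("contains non-address wording: " + ", ".join(hits))
    return problems


# Constructed sample inputs: a normal second address line, and a message of the
# kind the article describes being injected into the field (placeholder number).
LEGIT_LINE = "Suite 200, 1234 Market St"
INJECTED_LINE = (
    "A purchase of a MacBook M4 was confirmed on your account. "
    "If you did not authorize it, call support at 1-800-555-0100"
)

if __name__ == "__main__":
    for label, line in (("legit", LEGIT_LINE), ("injected", INJECTED_LINE)):
        print(f"{label:9s} permissive -> {validate_permissive(line) or 'accepted'}")
        print(f"{label:9s} hardened   -> {validate_address_line(line) or 'accepted'}")
```

The permissive validator accepts both lines, which is the condition the article says enables the scam; the hardened one accepts the ordinary address line and rejects the injected message on length alone, with the phone-number and wording checks as independent second and third reasons, so a provider does not have to rely on any single heuristic.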

How to stay safe from online scams


If you receive a legitimate-looking email from PayPal, especially one with a genuine email signature, that states you’ve updated your address or contains a bogus purchase confirmation, ignore the email and the listed phone number. However, you should still log in to your PayPal account to confirm that no addresses have been added. If you don’t see any, disregard the email.

It's worth noting that this guidance applies to most online scams. By quickly checking the associated account, you can normally figure out whether or not something is a scam. Unfortunately, phishing emails are crafted in such a way that they solicit an emotional response, which makes people lower their guard and fall for the scam more easily. This is why you always want to keep a level head when going through your inbox or even your messages on social media.

As with any phishing attempt, never click on any links or download any attachments. You want to also make sure that your PC is protected from anything that might get by you by installing one of the best antivirus software solutions and keeping it up to date. Likewise, whenever possible, use multi-factor authentication, and if it comes bundled with your antivirus suite, use a VPN for added protection.

Just like with Zelle, cybercriminals and scammers aren't going to stop impersonating PayPal in their attacks anytime soon. That's why it's up to you to be extra careful when checking your inbox and practice good cyber hygiene online. You also want to educate those around you about scams like this one, especially older people as they're the most likely to fall victim to an attack like this one.


Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
