SIDENOTE: This post was originally published in February 2018, but it was updated in November 2019.
Update November 2019! Read the article to see how you can avoid PayPal Phishing Scams and remove malware that was distributed through such scams. E-mails, messages and websites are all involved in these types of spoofing. The article will also help you tell PayPal Phishing Scams and official PayPal messages apart. If you notice that your computer is infected or behaves strangely, we recommend that you scan it with a security tool.
PayPal Phishing Scams are common worldwide. Many variations of these scams exist: websites specifically designed to serve spoofed pages, messages deliberately trying to convince you that you have a problem, and notifications which may lead to stolen credentials or to your PC getting infected with malware. All of these types of PayPal scams are still in circulation, and through them a lot of sensitive data and money is being stolen. People keep falling victim to these spoofed messages, regardless of the form in which they are sent. Over the years PayPal has been used in many scams, and with each new one cybercriminals improve their skill at making a scam as close as possible to the original messaging used by the big brand. If you are targeted with a spoofed message, you will be asked to log in to “PayPal” or to visit a Web domain and perform an action there, such as paying for a failed shipment.
|Name|PayPal Phishing Scams|
|---|---|
|Type|Phishing, PUP, malware|
|Short Description|Phishing messages trying to trick you into clicking links. Once clicked, a link will redirect you to a landing page. You will be asked to perform an action there, such as providing credentials or personal information or filling in a form. Occasionally, clicking a link will download malware onto your computer.|
|Symptoms|You receive an e-mail message that is allegedly from PayPal. You will be urged to click on a link. You can then get malware on your computer or land on a page that imitates the official PayPal website while demanding that you fill in personal details.|
|Distribution Method|Phishing Emails, Pop-up messages, Redirects|
|User Experience|Join Our Forum to Discuss PayPal Phishing Scams.|
PayPal Phishing Scams – Update November 2019
PayPal Phishing Scams – Update September 2019
Recently there have been several popular campaigns used by PayPal scammers. They are run by several hacking groups that are not affiliated with one another. The number of scams associated with the payment service has risen in recent times in light of the attack campaigns that are currently active. A popular tactic is to create fake delivery failure reports. This follows a set procedure. The operators of this hoax provide fake shipment information for an online shop order to the target users. Several attempts to deliver the item are made until the order is classified as undeliverable. After this has happened the scammers update the address with a real one controlled by them. The order details, however, still bear the name of the victim customer, from whom the sum will be requested. Upon successful delivery of the goods, the original address in the victim's account will not match the “drop point” of the hackers. As a result the Purchase Protection policy will fail due to the difference in addresses, and the hackers will keep the order.
Another option which is often abused is the PayPal feature called Friends and Family, which allows sending and receiving funds with lower fees. Because the transaction costs are lower, hackers take advantage of this by attempting to scam users into sending them money through this option. For this strategy to work the hackers need to convince the targets that they are a friend, relative or family member. There are several common scenarios that are used effectively in the recent campaigns:
- Product Purchases — The hackers present themselves as an e-commerce shop or service and ask for payment using this feature in order to “lower the price” for the victim customers. The payment is requested in advance, before the items are supposedly sent in the post.
- Gift For a Friend Scam — The hackers attempt to impersonate friends of the victims in order to request gifts for a birthday or another event. They reach out via social networks and popular messenger clients and services. The funds for the gift are requested for a special “savings” PayPal account that is actually owned by the hackers.
- Overpayment Scam — This scam is designed to look like an overpayment that has been made by mistake. It targets sellers that use the PayPal payment service. They receive a notification from the company saying that a customer has bought an item from the target's shop. Shortly afterwards they receive a message from the customer stating that they have paid more than the actual value of the item. The “extra funds” are requested back by the hackers. This can be done through an already compromised PayPal account or a specially made profile.
PayPal Phishing Scams – Nemty Ransomware Distribution
PayPal phishing scams have also been observed distributing samples of the dangerous Nemty ransomware. This is done by creating numerous fake PayPal sites that host the installation script. The sites appear as special promotional offers with cashback opportunities for prospective buyers. Internet users are promised these lucrative deals if they download a special app that is advertised as being made by the payment service. The name of the program is cashback.exe and, if started, it will deploy the Nemty ransomware.
There are two distinct characteristics associated with the attacks:
- The sites are made using the exact design layout and elements from the official PayPal site.
- The sites use homograph domain name spoofing techniques which can manipulate many users into thinking that they are accessing real and safe sites.
PayPal Phishing Scams – Login Report Emails
Computer hackers are coordinating email phishing messages which manipulate the recipients into thinking that they have received a login notification from the PayPal service. The message is built with the familiar design elements and layout. It will read that there has been a suspicious login attempt. Many of the email messages carry cross-referenced information about the users and use a personalized greeting, while others follow a generic template. If the users click on the shown link they will be led to a malicious login prompt that will harvest their personal information.
PayPal Phishing Scams – New Statement Update
A distinct email phishing campaign has been detected carrying the subject line “New Statement Update (Paypal Corporation) We’re Reviewing Your Case”, and it has been launched worldwide. To date we have not received reports of a massive infection; however, we assume that if the initial wave picks up a sufficient number of infected hosts, the attack may be repeated with larger resources.
The main warning sign is the sender's address: it will not be from the official PayPal domain, and the message will include attached PDF files. The service will never send such files to any of its clients, nor will it greet users with a generic identifier. Other main signs are the lack of a proper greeting and the absence of the regular PayPal design elements. The attached PDF file will be one of these two malware types:
- Virus Files — All common malware types can easily be delivered through these files by using a .pdf double extension placed in front of the executable one (.exe, .bat and others).
- Malicious Payload Carriers — The files can include dangerous embedded scripts (macros) that will infect the victims with malware (usually ransomware and Trojans) when they interact with a certain element. In other configurations, a prompt is spawned upon opening the file, requesting that the users enable the macros. This will trigger the infection and cause the included virus to be deployed onto the system. Practically all popular document types can be payload carriers: text documents, spreadsheets, presentations and databases.
PayPal Phishing Scams – Your Account Will Be Limited
January 2019 saw the release of a new PayPal phishing email scam campaign orchestrated by an unknown hacker collective. So far we have no information about the identity of the hacking group. The sent emails are still relatively low in quantity, which is probably explained by a test release. If the initial attack proves successful then a larger attack may be launched.
Like other similar attempts, the hackers send out messages that appear to be sent by PayPal to the chosen targets. They mimic the online service's design and layout and coerce the victims into interacting with the built-in content. The message will read that the accounts belonging to the recipients are limited until they confirm their activity. The most common operations are listed in the email:
- Funds Transfer
- Withdrawal of money and bank account removal
- Credit Cards Removal
- Account Closure Procedure
The recipients will be guided to click on a button called “Confirm My Account” which will redirect them to a faux landing page. If the account credentials are entered then they will instantly be transmitted to the hacker operators.
New Statement Update Paypal Phishing Scams
This is an email-based scam which is designed to appear as being sent by PayPal. Several different types of “tags” are placed in the subject line in order to make it appear more believable. What's interesting about this particular campaign is that the sent phishing messages are personalized — this is attributed to stolen or hacked details about the targets. Such campaigns are particularly effective, as recipients assume that only the legitimate services hold their personal information and address them by name.
The message will read that the users' accounts are limited and that they will need to log in in order to continue using them. A link placed in the message body will redirect to a malicious landing page. As soon as the victims enter their information it will be transmitted to the hacker operators. The convincing-looking pages might include links to legitimate sections of the PayPal site. There are several warning signs that visitors can watch out for:
- The correct domain associated with PayPal can easily be mistyped. Many of the hacker-controlled sites register hundreds of mistyped combinations in order to draw unsuspecting visitors into entering their account credentials. This may be the case with some of the samples sent in this campaign.
- A missing or invalid security certificate signals that the website is unsafe.
- Shortened URL links are never used in legitimate email notification messages.
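One way to automate the warning signs in this list, together with the homograph domains and the double-extension attachments described earlier in the article, is a small triage script. It is an added example, not code from the original article or from PayPal; the shortener list, the extension sets and every sample link and file name are constructed assumptions.

```python
"""Link and attachment triage for a suspected PayPal phishing e-mail.

Added example for this article; not code from the original page, PayPal or
SensorsTechForum. It checks the warning signs the article describes: a
mistyped or look-alike domain, a PayPal string inside a host that is not
paypal.com, a non-HTTPS link, a shortened URL, a homograph (IDN) host, and an
attachment with a double extension or a macro-enabled document type.
"""
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "paypal.com"
# Assumed, illustrative lists of link shorteners and risky extensions; extend as needed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
EXECUTABLE_EXTS = {".exe", ".bat", ".cmd", ".scr", ".com", ".js", ".vbs", ".pif"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}


def registrable_domain(host):
    """Last two labels of a host ("www.paypal.com" -> "paypal.com").

    Good enough for this example; production code should consult the
    public-suffix list so that hosts such as example.co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquats such as 'paypa1'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    """Return a list of warning strings for a link. An empty list means none of
    the article's warning signs were found; it does NOT prove the link is safe."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not served over HTTPS")
    # Homograph spoofing: a raw non-ASCII host or its punycode (xn--) form.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalized host name (possible homograph)")
    domain = registrable_domain(host)
    if domain in SHORTENER_HOSTS:
        warnings.append("shortened URL: " + domain)
    elif domain != OFFICIAL_DOMAIN:
        if "paypal" in host:
            warnings.append("PayPal string in a non-PayPal host: " + host)
        elif edit_distance(domain.split(".")[0], "paypal") <= 2:
            warnings.append("look-alike domain: " + domain)
        else:
            warnings.append("host is not under paypal.com: " + host)
    return warnings


def check_attachment(filename):
    """Return warnings for an attachment name. PayPal does not send attachments,
    so every attachment is flagged; dangerous extension patterns add detail."""
    warnings = ["unexpected attachment (PayPal does not send attachments): " + filename]
    labels = filename.lower().split(".")
    ext = "." + labels[-1] if len(labels) > 1 else ""
    if ext in EXECUTABLE_EXTS and len(labels) >= 3:
        warnings.append("double extension hiding an executable: " + filename)
    elif ext in EXECUTABLE_EXTS:
        warnings.append("executable attachment: " + filename)
    elif ext in MACRO_EXTS:
        warnings.append("macro-enabled document: " + filename)
    return warnings


if __name__ == "__main__":
    # Constructed sample links and attachment names, not taken from real mail.
    samples = [
        "https://www.paypal.com/signin",
        "http://paypa1.com/login",
        "https://paypal-account-verify.example.net/confirm",
        "https://bit.ly/3xAmpLe",
        "https://p\u0430ypal.com/",  # Cyrillic 'а' in place of Latin 'a'
    ]
    for link in samples:
        print(link, "->", check_url(link) or "no warning signs")
    for name in ("Statement.pdf.exe", "invoice.xlsm", "receipt.pdf"):
        print(name, "->", check_attachment(name))
```

A link that passes every check is still only a first filter: the “Review your PayPal account limited statement” case later in this article shows a link on the real paypal.com domain that nevertheless sends the typed details elsewhere.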
Verify Your Account Paypal Phishing Scams
Another PayPal-related scam is the one that redirects the targets to a fake landing page which reads “Verify your account”. Account verification is a legitimate procedure of the service; however, it is not displayed in this way, nor will PayPal request it through such messages. The domains on which the phishing sites are hosted may sound almost the same as the official domain or contain PayPal-related strings. In addition, advanced samples can even include security certificates, which make the site look legitimate to many users.
What's dangerous is that there is no information about the criminals behind the phishing attack. Their motives might be more than just identity theft or account takeover. Such websites can also be used as sources of malware infections:
- Trojans — They allow the hacker operators to take over control of the infected computers giving them the ability to spy on the victims, steal their files and deploy other threats.
- Browser Hijackers — In some cases interaction with such sites can load browser hijackers in the form of plugins made for most popular web browsers. They are often found in the relevant repositories, published under fake web developer profiles with fake user reviews. When they are installed, all important settings are altered in order to redirect the victims to a hacker-controlled page. Modifications can be made to the default home page, search engine and new tab page. Furthermore, the victims may not be able to revert the changes, as the malicious code will modify the Windows registry, configuration files and other data.
- Cryptocurrency Miners — Hacker-controlled sites can load miner code into their pages. These scripts run constantly as soon as they are executed by the browser and set up a connection to a special server distributing complex mathematical tasks. While these are computed, the infected machine's performance is greatly reduced. As soon as one task is finished another is started, and for each reported workload income is generated and allocated to the hacker operators. The funds are in the form of cryptocurrency and are wired directly to the digital wallets of the criminal collective.
PayPal Phishing Scams – Action Required Email Scam Message
A surge of phishing attacks carrying another popular PayPal scam has recently been reported. The victims are sent email messages that imitate legitimate notifications from the service, asking them to verify their accounts. According to the message, recent suspicious activity has been detected by PayPal and the users need to enter their details. The reason quoted in the email is a fraudulent transaction.
The victims are given a link to a malicious landing page which is designed to fool them into thinking that they have accessed the real PayPal site — a similar-sounding domain name and a security certificate can be used to make it more believable. Note that if the victims enter their login details they will be instantly transmitted to the hackers.
PayPal Phishing Scams – Update January 2019
In the beginning of 2019 we received numerous reports that a new PayPal phishing scam has been found. Instead of using the traditional techniques it relies on hacker-made or hacked Twitter accounts. The dangerous characteristic is that thousands of users might have interacted with the Tweet offering a “New Year Draw” enticing the targets into thinking that they can earn gifts. Upon clicking on the shown links the victims will be redirected to a phishing login page requesting PayPal account details.
An investigation into this page shows that when information is entered the victims will be redirected to another page requesting payment card details as a “verification step”.
PayPal Phishing Scams – Update December 2018
In December 2018 we received reports of a new scheme that uses a domain posing as a PayPal notification service. Upon interaction with a malicious site or a phishing email, the victim users might be redirected to it. It will spawn a pop-up notification or a new tab page that will ask for the users' login credentials.
We remind our readers that the sources of infection can be different and include the following typical cases:
- Email Scam Messages — The hacker operators may send out phishing messages via email by impersonating PayPal. The messages can be designed using the same layout as the company itself. The only difference would be the link to the login page.
- Redirects — Links presented through browser hijackers and social networks via hacked or hacker-owned accounts.
- Virus Infections — Various malware infections can lead to the display of the PayPal phishing scam.
PayPal Phishing Scams – Update November 2018
A new type of phishing email message has been detected with the subject line Action required: Confirm your info by XX/XX/XX to keep a PayPal balance, where the “X” characters are filled with a date. The message will read that in order to continue using the service the recipients need to confirm their identity. The email follows the usual design template used by the service and it can even be personalized with the recipient's name. This is done by cross-linking the victim's email address with publicly accessible information. If they click on the links they will be redirected to the phishing landing page, where their account credentials will be requested. If entered, they will automatically be forwarded to the hacker operators.
PayPal Phishing Scams – Update October 2018
In October 2018 another phishing scam strategy was observed. This time computer criminals used SMS messages to confuse users into thinking that PayPal is contacting them about their account. The received message is written in the fashion of a security notification. The message reads the following:
Your PayPal has been temporarily locked. You have 36H to confirm the account information or your account will be closed: XXXXXXXXXXXXx
A fake login page will be sent as a URL. If the users click on it they will be taken to a screen asking for their account credentials. If entered, the username and password combination will automatically be sent to the operators of the scam.
An additional PayPal phishing scheme redirects the users to a simplified login screen that uses the familiar quick sign-in prompt. The criminals have made an exact copy of how the login screens appear, the labels and layout of buttons as well as the slide animation between the username and password entry screens.
PayPal Phishing Scams – Update August 2018
New PayPal Phishing scams were detected within the first few days of August 2018, and they continue to be delivered as spam email messages. They can contain malicious files attached to the email and/or links that aim to redirect you to a phishing page.
Below you can see the two most common messages used both for the Subject of a message or below in its actual contents:
- _Protect your account_
- _Now check the account information that belongs to you!_
Notice how both of them are enclosed in underscores ( “_” ) and mention something about checking whether your account is in order. Do not trust such messages and delete them from your e-mail inbox.
PayPal Phishing Scams – Distribution Methods
PayPal Phishing Scams might be distributed via third-party installation setups. Applications connected to PayPal Phishing Scams can intrude into your computer without your knowledge. Installers like those could be set by default to install additional components. Bundled packages and freeware setups regarded as PUPs could be distributed and push scam messages to your PC and browsers. To avoid installing unwanted applications, look for the Custom or Advanced settings. If you find them, you can deselect anything you do not want on your machine.
Note! These types of PayPal Phishing Scams have been seen pushed via e-mail messages on a large scale, as showcased in the screenshot below. Beware of any messages that have links to PayPal services that you do not remember using.
PayPal Phishing Scams might also be distributed by similar-looking websites which host phishing landing pages. Such websites use the PayPal logo without permission, and to an extent you might not be able to tell the original from the bogus website. Clicking on just one redirect link or advertisement could send a virus to your computer. In addition, banners, pop-ups and other kinds of adverts could be placed on top of browser pages to push more links and phishing messages. All browsers and any operating system could be affected.
PayPal Phishing Scams – Detailed Analysis
Many scams related to PayPal are circulating on the World Wide Web nowadays and seem to increase every month. This article shows what the vast majority of scam types related to the PayPal service are and how you can recognize them. Scams that are tied to PayPal are not very innovative, as you can see older versions of them over the years. Unfortunately, every year each scam gets a little more sophisticated than its past variant and keeps spreading to more users, who are potential victims if they do not know about it. Surprisingly, the number of people who are tricked is ever increasing rather than decreasing.
Websites which are hosting PayPal Phishing Scams can load pop-ups and other advertising content as you are browsing to help popularize a type of scam page. Heaps of advertisements might show, promoting a way to obtain money via PayPal.
PayPal’s ”You’ve Received New Funds” Scam
This scam is a recurring one, which means that it keeps showing up year after year, month after month. The scam shows you a notification which states “You’ve Received New Funds”.
You can preview a variant of the You’ve Received New Funds scam message below:
From the above image, you can see an e-mail message stating that you have received new funds in your PayPal account. However, PayPal uses other wording for that – either “You’ve got money” or “Somebody sent you X” (an amount of money). Below you can see what such a message contains:
You’ve Received New Funds!
This email confirms that you have received a payment for 706.70 GBP from Garner73@tiscali.it
Receipt ID: 9880-7964-4082-4830
The number above is the buyer’s receipt ID for this transaction. Please retain it for your records so that you will be able to reference this transaction for customer service.
View the details of this transaction
PayPal Shopping Cart Contents
Item Name: Post Man Pat, PC Selby Car & Figure
Item Number: 400301809020
Total: 706.70 GBP
Cart Subtotal: 706.70 GBP
Postage: 14.25 GBP
Cart Total: 706.70 GBP
Total amount: 706.70 GBP
Currency: British Pounds
Transaction ID: 7HD151924J961211N
Postage and packaging: 14.25 GBP
Postal insurance: 0.00 GBP
Buyer: Kathryn Watts
Buyer’s User ID: kate3282
Address Kathryn Watts
2 Haselmere Close
Bury St Edmunds, Suffolk
Address status Confirmed
Have you lifted your withdrawal and receiving limits? Just log in to your PayPal account and click View Limits on the Account Overview page.
Copyright © 1999-2012 PayPal. All rights reserved.
PayPal (Europe) S.a r.l. et Cie, S.C.A.
Societe en Commandite par Actions
Registered Office: 5th Floor 22-24 Boulevard Royal L-2449, Luxembourg
RCS Luxembourg B 118 349
PayPal Email ID PP345
As you can see in the screenshot shown above, PayPal is being spoofed with its logos, brand and the way messages are sent. You might be provided with a link that sends you to a page where you will be asked to give your password and account name (which in most cases is the email you registered your PayPal account with), which is suspicious in itself.
”Review your PayPal account limited statement” Phishing Scams
The PayPal Phishing Scams have many variations, but what you will see most commonly is the following message, displayed in the below screenshot:
Such an email message will state something along the lines of the following:
Review your PayPal account limited statement
Dear PayPal Customer,
We understand it may be frustrating not to have full access to your PayPal account. We want to work with you to get your account back to normal as quickly as possible.
As part of our security measures, we regularly check the PayPal screen activity. We request information from you for the following reason:
Our system detected unusual charges to a credit card linked to your PayPal account.
Download the attached form to verify your Profile information and restore your account access. And make sure you enter the information accurately, and according to the formats required. Fill in all the required fields.
Thanks for joining the millions of people who rely on us to make secure financial transactions around the world.
You will be asked to download an attachment with a message inside. The message will instruct you to open a link. That link may look like the official URL address of the PayPal service, but do not get fooled. The link will redirect you to a phishing page that may look very similar to a legitimate PayPal-hosted page but has a suspicious URL that is not located on the official PayPal domain. In this case, the link “https://www.paypal.com/il/cgi-bin/webscr?SESSION=F5sJMNm-og4yRrDzVrFsSwS4Pjt6Wq1x-aFmISUJZy7xVTNjFu8OmrGhb-4&dispatch=5885d80a13c0db1f8e263663d3faee8d0b7e678a25d883d0bcf119ae9b66ba33” will land you on the “https://www.paypal.com/” page but launch a script. The script will make it so that any detail and information you type in is actually sent to the “https://www.egypt-trips.co/wp-admin/includes/New/post_data.php” address. See in the image below how the page looks:
Afterward, you will be prompted to enter your details, such as an email address, password, first and last name, date of birth, nationality, city, address, zip code, mobile number and other personal data. In case you are wondering why, it is because the cybercriminals want to steal your PayPal account along with your identity. If you proceed and enter all of these details, you will be redirected to a page that requires further details, like your credit card number, with a “Finish” button at the end. This is the second page, which displays the second set of details asked from you:
If you have not gotten suspicious by now, then either you are a new PayPal user and do not know how their system works (for example, if you enter such information once through their site, it will be pre-filled in those forms the next time you are on such a page) or you believed what the scam is claiming. In case you entered every detail on that page, you will finally be redirected to the official page of the PayPal website. You should be wary of any such websites, and if you doubt the contents of a message that is supposedly from PayPal, you should ask your household whether anybody used the service or tampered with a joint account.
All of the scams described above, plus others which are similar to them, might be advertised or promoted in some shape or form. Do not believe messages that look suspicious or that describe actions you do not recall performing. Beware of such scams, as they try to look as if they were sent from PayPal as closely as possible. To do that, criminals use exactly or nearly the same design, fonts, logos and wording as the PayPal site network.
Below you will see how to differentiate the real usage of the PayPal brand from scams. You will also find good tips on what to do or not do so you can avoid getting scammed. At the end of the day, you should also scan your computer in case malware is causing such messages to show up on your screen.
“Confirm your information and link your card” Phishing Scams
A recent email-based phishing scam targeting PayPal users was detected during its attack campaign. The victim users receive a warning notification requesting that they re-link their payment card in the service. The quoted reason is to “avoid account suspension”. The email message contains graphics, layout and text that are typical of the service. At the same time the users are given a link that leads to a website that is not part of the legitimate PayPal domain.
The phishing scam landing page may be designed to look just like the real login screen. It will request the account credentials used by PayPal and any additional information. All collected information can be used for additional crimes such as identity theft and financial theft.
PayPal Phishing Scams – How to Avoid Them?
In this section, you will find out how to differentiate between PayPal Phishing Scams and messages from the official PayPal brand by following a simple set of rules and guidelines. If you have read this far, you now know that there is a multitude of scams involving PayPal featuring spoofed messages. Below you will find more on the topic.
Refer to the following link to the official PayPal page for Common Email Scams.
Now that you know about the existence of the scams and the Common Email Scams page hosted on the PayPal website, refer to the following guidelines on how to avoid most scams related to the service:
- Do not provide any details about yourself, your addresses or similar information via email or unknown Web pages
- Do not open email attachments, as PayPal does not send any, nor does it request clients to open any
- Always use PayPal.com to refer to pages in connection with the service
- Avoid messages with grammatical or typographical errors
- Avoid emails that are not addressed to you by name
- Avoid messages sent by a service you don’t expect to hear from
- Avoid clicking on links to provide your email address for verification
- Avoid payments to someone whose identity you can’t confirm or who wants to use a middleman service
Note! In case you remain unsure of what to do, or you do not know if a message you got is actually from PayPal, you can ask the US PayPal Community directly via this link to receive some feedback. Most of the scams in circulation are well known and somebody should be able to assist you there. If you want to report a scam/spoofed message related to PayPal, refer to the official PayPal report page.
The guideline rules listed above were put together by the SensorsTechForum team through research on the matter. These rules are based on common sense and on the various scams related to PayPal.
Some of those scams related to PayPal can be removed simply by closing the message or browser. In case the scam pages continue to bother you even after that, then you probably have something else on your computer that is generating them.
Remove PayPal Phishing Scams and Related Malware
All that is required to remove some PayPal Phishing Scams is to ignore the message, never respond to it and delete it. Other scams require a bit of action, such as thoroughly scanning your computer with security software to determine whether you have some malware component that is pushing PayPal spoofed messages to your computer, browser or e-mail address.
We highly recommend that all computer users scan their system for active infections and malware using a security program. That could prevent many malicious actions and stop malware from spreading further.