PayPal users beware: there’s a cunning new phishing scam circulating that’s fooling people into giving away sensitive personal information—including Social Security numbers, home addresses, and even passwords.
Here’s how the scam is executed:
1. Convincing (Yet Fake) Emails
You may receive an email that mimics the PayPal logo, language style, and other attributes, such as this:
One important clue is that there are numerous errors in grammar/syntax, suggesting that English is not the writer’s first language.
If you are fooled by the content of the email and click the “Log In” button, instead of being taken to an official PayPal website you are directed to an unverified URL, which can look something like this:
From there, you may be taken to a landing page at this address:
From here, you are presented with a fake login screen which, of course, requires you to enter your username/email and password—doing so is akin to handing your login credentials straight to the scammers.
Note that the above URL has essentially no relationship to the normal/official PayPal web address, which is usually a sure sign you’ve taken a phisher’s bait.
Next you will be forwarded to a page that corroborates the information in the email you received, lending credence to the process:
As if that wasn’t enough, however, the scam will only continue to prompt you for further personal information, directing you to a page that looks like this:
Notice that they include a disclaimer, complete with a “caution” symbol, stating that you must “Complete the steps listed to restore your account access.”
Despite the increasing complexity and apparent authenticity of these phishing scams, there are some basic steps you can take to protect yourself:
1) Avoid Opening Unsolicited Emails
Do not click links in, or open attachments from, unsolicited emails. If the message implores you to click a link to solve a problem with your account, open a new browser window/tab and log in to PayPal directly through its official website.
2) Verify URLs
No matter how cunning phishing scams get, one thing they can never replicate completely is PayPal’s official URL. So always consider whether or not the link you are clicking is taking you to the exact https://www.paypal.com/, as opposed to something that looks similar, but not exact.
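The check in step 2 (and the observation above that the phishing address bears no relationship to PayPal’s real one) can be made mechanical. The following Python is an added example, not code from the original article: it parses a link, accepts only an `https` URL whose hostname is `paypal.com` or a genuine subdomain of it, and flags hosts that merely contain the word “paypal” (including digit-for-letter lookalikes such as `paypa1`) as suspicious. The sample links are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# The only hostname (and its subdomains) treated as official.
OFFICIAL_HOST = "paypal.com"

# Crude homoglyph normalisation: digits that phishers swap for letters.
_LOOKALIKE_MAP = str.maketrans({"1": "l", "0": "o", "3": "e", "4": "a", "5": "s"})


def classify_link(url: str) -> str:
    """Return "official", "lookalike", or "unrelated" for a link target.

    "official"  - https URL whose host is paypal.com or a true subdomain of it
    "lookalike" - host merely resembles PayPal (e.g. paypal.com.evil.example,
                  paypa1.com) or an official host reached over plain http
    "unrelated" - anything else, including user@host tricks where the real
                  host is not PayPal at all
    """
    parts = urlsplit(url.strip())
    # urlsplit().hostname already strips any "user:pass@" prefix and the
    # port, so "https://paypal.com@evil.example/" yields "evil.example".
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unrelated"

    # Exact host or a real subdomain: must end with ".paypal.com", which
    # rules out "paypal.com.evil.example" (no dot before "paypal.com" there).
    under_official = host == OFFICIAL_HOST or host.endswith("." + OFFICIAL_HOST)
    if under_official and parts.scheme.lower() == "https":
        return "official"

    # Anything that looks like PayPal but fails the check above is the
    # classic phishing pattern described in the article.
    normalised = host.translate(_LOOKALIKE_MAP)
    if "paypal" in normalised:
        return "lookalike"
    return "unrelated"


def triage_links(urls):
    """Classify a batch of links; returns {url: verdict}."""
    return {u: classify_link(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links for the demonstration.
    samples = [
        "https://www.paypal.com/signin",
        "http://www.paypal.com/signin",
        "https://www.paypal.com.account-verify.example/login",
        "https://paypa1.com/restore",
        "https://paypal.com@evil.example/",
        "https://example.org/",
    ]
    for link, verdict in triage_links(samples).items():
        print(f"{verdict:10s} {link}")
```

The rule to remember from the code is the dot: a real PayPal host ends in `.paypal.com`, whereas the phishing hosts shown earlier put `paypal` somewhere in the middle of a completely different domain.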
3) Alternative Password Security
Using the exact same password across multiple sites makes things much easier for phishers. So, instead, consider using two-factor authentication (2FA). This will prompt for a one-time password on your smartphone as a second layer of authentication, which serves to prevent unauthorized access.