A newly discovered phishing campaign sees cybercriminals impersonating (opens in new tab) PayPal as they try to scare victims into giving away sensitive information.
Cybersecurity researchers from email security company Avanan recently spotted a new campaign that has so far been, relatively successful due to the fact that it doesn’t carry any links.
Usually, phishing works by redirecting people to malicious websites, via links shared in an email. In this campaign, however, there are no links present in the emails, which renders most email security solutions useless.
Two possible scenarios
It starts in a similar fashion to all other campaigns – the victim will get an email, claiming to be from PayPal, saying they’ve purchased $500 worth of Dogecoin, and that if they want to cancel the order, they should call the number provided further below.
While we don’t know what happens should a victim actually call that number, there are two possibilities. Either the attackers try and persuade the victims into giving away sensitive information (for example, PayPal login data, or credit card info), or they “cancel” the pending Dogecoin order and go about their day.
In the latter scenario, what the attackers walk away with is the victim’s phone number, which can then be used to mount a more serious attack.
“Just one successful attack can lead to dozens of other ones,” the researchers said.
The phone number listed in the email is located in Hawaii, the researchers have found, but chances are, it’s just a routing number, and the actual threat actors are located elsewhere.
Major companies, such as PayPal, or Microsoft, are often impersonated by threat actors trying to scam people. To stay safe, it is important to always double-check the email address of the sender, make sure the email doesn’t have any suspicious typos or spelling errors, and make sure not to click any links, or download any attachments.
The attachments are most likely viruses (opens in new tab)or other forms of malware (opens in new tab).
Most major companies have instant messaging customer support, as well as social media accounts, which can be used to verify whether or not they’d really sent out the email or not.
