New PayPal phishing campaign is stealing credit card info — what you need to know

PayPal logo on a smartphone against a blurred background
(Image credit: Shutterstock)

The cybercriminals behind a new phishing campaign are impersonating PayPal by sending out fake order confirmations in an attempt to steal credit card information from unsuspecting users.

Back in November of last year, security researchers from the Check Point-owned email security firm Avanan spotted a similar campaign that spoofed Amazon. These attacks were successful because they used legitimate Amazon links and forced users to make a phone call to cancel their fake orders.

Now Avanan has discovered a similar phishing campaign that impersonates PayPal but once again has users call the attackers themselves in an attempt to cancel a cryptocurrency order placed on the payments platform. However, instead of cancelling the fake order, phone numbers are harvested for future attacks and a user’s banking information can also be stolen as well.

If you’ve received any suspicious emails from PayPal recently, this is what you need to know to avoid falling victim to this scam.

Using fake PayPal order confirmation emails as a lure

Woman talking on the phone looking at a laptop

(Image credit: René Ranisch/Unsplash)

In this new phishing campaign, the attackers first send out what looks like a PayPal order confirmation informing potential victims that they purchased over $500 worth of Dogecoin. If they want to cancel the order, a customer support number is provided at the bottom of the email.

While calling the number may seem like the right thing to do, it actually isn’t as the cybercriminals behind this scheme can use your phone number to carry out other cyberattacks through text messages, calls or WhatsApp messages. As Avanan’s researchers point out in a blog post: “Just one successful attack can lead to dozens of other ones."

Although the number listed on the emails seen by the researchers is from Hawaii, those behind this campaign and others like it are typically not based out of places like Hawaii and instead register a phone number to a US-based area code before forwarding calls to an international relay.

The reason this attack works is because there aren’t any links in the body of the email sent out to users. As a result, the message is able to bypass email security filters and end up in the inboxes of potential victims.

How to avoid falling victim to this scam and others like it

In order to avoid this new PayPal phishing campaign, Avanan recommends that users first look at the sender’s email address to make sure it’s legitimate. From here, they should check their PayPal account where they’ll see that the order in question is not in their account. This is easy to do as the cybercriminals provide a transaction ID and date which won’t appear in your PayPal order history.

It’s also worth noting that cybercriminals frequently impersonate major online retailers like Amazon and payment services like PayPal. If you have a legitimate email from one of these companies saved in your inbox, it’s easy to compare the two to see if they have similar addresses, formatting, etc. At the same time, you should always be on the lookout for spelling and grammatical errors as these are a big red flag and often make it easy to spot phishing emails.

Finally, you should always exercise caution when calling a number from an email. If you do decide to call, never provide your banking and payment information over the phone as no legitimate company would ever ask you to do so.

Next: Don’t fall for these holiday scams — get your last minute shopping done safely.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.