How to Spot the New PayPal Email Scam
Welcome to Your Password Sucks, the Daily Dot newsletter that answers all your internet security-related questions. Today, we're here to warn you about a new phishing attack tricking people online into downloading malware.
The attackers are carrying it out with what appears to be PayPal's official email address, making it highly convincing. But this isn't just any scam. The scammers are using a technique that makes it difficult for victims to distinguish between legitimate and fraudulent emails.
The scam starts with an email from service@paypal.com that claims a new mailing address has been added to your account, even though one hasn't. The email also claims that a purchase has been made for an expensive item, usually a MacBook, and that it will be sent to the updated mailing address, making it appear as if your account was hacked and used by someone else.
The email further instructs you to call PayPal immediately at a toll-free number listed in the message. However, this is where things get suspicious. The vast majority of tech companies will never ask you to call them. Anytime an email asks you to call, immediately go to the company's official website and reach out to their support team to relay your suspicions.
If you call the number, a scammer will ask you to download software to fix the hack. While many savvy internet users might catch on at this point, others might not, especially given the legitimate-looking email address. If you were to download the software from the fraudulent PayPal support, it would unleash malware on your computer that could steal everything from personal to financial information.
So, how exactly does this scam work? Or more specifically, how are they using what looks to be an official PayPal email address?
According to Bleeping Computer, it turns out you can add multiple home addresses to your PayPal account. The scammers were simply typing their message about a fraudulent purchase in the "Address 2" field on their own account, the field where you would normally add an apartment number, for example.
From there, they forward the legitimate message from PayPal about the new mailing address to a second email address that automatically sends anything it receives out to recipients on a giant mailing list. In other words, their targets. This shows that emails coming from a company's official address could be deceptive.
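Because the message really is sent by PayPal, a filter cannot rely on the sender address and has to look at the content and the recipient instead. The sketch below is an added example, not code from the Daily Dot or Bleeping Computer; the sample message, the `assess` function, its finding names and the idea that relayed mail is not addressed to you in To/Cc are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Constructed sample: an address-change notice whose "address" lines carry a
# lure, relayed through a list so To is not the reader's own mailbox.
SAMPLE = """\
From: service@paypal.com
To: relay-list@example.net
Subject: You added a new address

You added a new address to your account:
Jane Doe
1 Example Street
Confirm purchase of MacBook. Not you? Call PayPal at +1 (800) 555-0199
Anytown, CA 90000
"""

PHONE = re.compile(r"\+?1?[\s.(-]*\d{3}[\s.)-]*\d{3}[\s.-]*\d{4}")
CALL = re.compile(r"\b(call|phone|dial)\b", re.I)
PURCHASE = re.compile(r"\b(purchase|order|payment|shipped)\b", re.I)


def assess(raw, my_addresses):
    """Return (sender, findings). The sender address is reported, never trusted."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = {addr.lower() for _, addr in getaddresses([str(h) for h in headers])}
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    findings = set()
    # Assumption: mail relayed through a list is not addressed to you in To/Cc.
    if rcpts.isdisjoint(a.lower() for a in my_addresses):
        findings.add("recipient-mismatch")
    address_notice = "new address" in (str(msg.get("Subject", "")) + body).lower()
    for line in body.splitlines():
        if PHONE.search(line) and CALL.search(line):
            findings.add("callback-number")  # message asks you to phone a number
        if address_notice and PURCHASE.search(line):
            findings.add("purchase-text-in-address-notice")
    return sender, sorted(findings)


if __name__ == "__main__":
    print(assess(SAMPLE, {"me@example.org"}))
```
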
Most importantly, if it feels funny, trust your instincts. Don't fall for this scam by downloading malware or revealing sensitive information.