PayPal is one of the largest online payment processors in the world. It effectively acts as a ‘middleman’ between buyers and sellers, enabling users to transfer money safely through its digital platform.
It has become a hugely popular service that has amassed a global customer base of 277 million people. Unfortunately, with this success comes downsides, and the company has also become one of the most heavily targeted brands for phishing attacks.
Like most other major online financial services providers, PayPal uses a range of security tools like data encryption and anti-fraud technology to protect its users from fraud and prevent scams. However, criminals keen to exploit this global mass market have found cunning ways to get around these security measures.
PayPal scams come in many different forms and typically include phishing emails, spoofed websites, suspicious links and malicious posts on social media. They are designed to look like official correspondence from the company and the aim is to trick as many users as possible into disclosing sensitive information.
New variations of these scams are emerging all the time, but we’ve listed 4 of the most common PayPal scams you’re likely to encounter.
Scam 1: Phishing emails - A problem with your account
This is the most common type of PayPal scam used to trick people into clicking on malicious links. Fraudsters will send you an email to warn you about a problem with your account. Different variations of this may include ‘Your account is about to be suspended’, ‘verify your account’ or ‘suspicious activity has been detected on your account’. All are designed to elicit an immediate response, and the link will either infect your device with malware or direct you to a phishing website that has been set up to harvest your details.
Image: PayPal Phishing email (Source: CSO Online)
Scam 2: Phishing website
Once the fraudsters have successfully tricked you into clicking a malicious link, the next stage will be to convince you that you’re on PayPal’s official website. A lot of effort will go into making the page seem as credible as possible and it may appear almost indistinguishable from the real thing. The criminals will use the same branding, colours and wording that is on the official site, and by replicating all these details, they hope that users will not question the validity of the site.
Image: Fake PayPal Phishing website (Source: Cisco)
Scam 3: Social Media PayPal Scams
In recent years there has been a steep increase in the number of PayPal scams on social media. These phishing scams will often take the form of promoted or shared social media posts, and the ultimate goal will be to direct you to a phishing website where you will be asked to submit your personal details. In January this year, fraudsters managed to push a similar scam on Twitter, where they bought ad space on the platform and pretended to be an official Twitter employee offering users the chance to enter a Twitter sponsored sweepstake.
Image: Fake PayPal promotion Twitter (Source: Digital Information World)
Scam 4: You’re a prize winner
You may receive an email informing you that you’ve won a prize but, in order to receive it, you need to pay a small handling fee. One of the major red flags should be if you’ve won a prize for a competition you’ve never entered. PayPal have advised customers that a legitimate prize would never require you to pay to receive it and that you should never send money to someone you don’t know.
Image: Fake prize winner pop up (Source: Fix your browser)
1. The email address
An official email from PayPal will always come from paypal.com. Check the sender’s full email address (click on the sender’s name or address to expand it, as some email clients only show the display name), and if the email address does not originate from the official domain, then it’s likely to be a fake.
2. Generic greetings
Fake PayPal emails will tend to use impersonal, generic greetings such as ‘Dear Customer’ or ‘Dear User’. If PayPal were sending you an official email, they would always address you by your first and last name or by your business name.
3. A sense of urgency
Like all phishing scams, the intention is to get the user to act quickly without thinking logically about the request. The emails will often warn that your account needs to be updated immediately or that suspicious activity has been detected on your account. The fraudsters hope that you will ignore any warning signs and act swiftly to resolve any account issues. PayPal have advised that if there was an urgent matter on your account, further information could be found by logging into your account through the official website.
4. Asks you to click on links or attachments
You should always pay close attention to an email that asks you to click on a link or download an attachment. PayPal will never send customers emails with attachments or links to download software. A link could appear entirely legitimate but will direct you to a phishing website that will steal your data or infect your device with malware. Even if the URL contains the word ‘PayPal’, it may not be an official PayPal webpage. Hover your mouse over the link to see its true destination, and if you are in any way dubious about its authenticity then don’t click.
5. Requests for personal or financial information
The ultimate aim of these scams is to con you out of money or steal your personal information. If you receive an email requesting this sensitive information, then alarm bells should be ringing. PayPal will never send customers an email asking them to supply their full name, bank account number or password, or to provide answers to security questions.
6. Poor spelling and grammar
Spelling and grammar mistakes are often one of the easiest ways to determine if an email is a fake. Huge multinational organisations such as PayPal will have copywriters that will proof every single piece of correspondence the company puts out. Official emails will never be sent to customers that are littered with spelling mistakes.
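A small triage script that automates three of the red flags above (the sender’s domain, a generic greeting, and a link whose true destination differs from the text it shows). It is an added example and not part of the original article or of any PayPal tooling; the sample message is constructed for illustration and the domains in it are placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "paypal.com"
# Simple anchor extractor for the sample below; a production tool would use an HTML parser.
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
GENERIC_GREETING = re.compile(r"\bDear (Customer|User|Member)\b", re.I)


def is_official_host(host):
    # True only for paypal.com itself or a genuine subdomain of it;
    # "paypal.com.evil.example" and "paypal-login.example" both fail.
    host = (host or "").lower().rstrip(".")
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def triage(raw):
    # Return the red flags found in a raw RFC 5322 message string.
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    sender = parseaddr(msg.get("From", ""))[1]          # red flag 1: sender domain
    if not is_official_host(sender.rpartition("@")[2]):
        flags.append(f"sender not from {OFFICIAL_DOMAIN}: {sender}")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    if GENERIC_GREETING.search(html):                    # red flag 2: generic greeting
        flags.append("generic greeting instead of your name")
    for href, text in ANCHOR.findall(html):              # red flag 4: link destination
        shown, real = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and shown != real:  # what the text shows vs. where hovering would point
            flags.append(f"link text shows {shown} but points to {real}")
        if real and "paypal" in real and not is_official_host(real):
            flags.append(f"URL contains 'paypal' but is not PayPal: {real}")
    return flags


# Constructed sample message for this example (not a real phishing email).
SAMPLE = """\
From: "PayPal Service" <service@paypal-secure-login.example>
Subject: Your account is about to be suspended
Content-Type: text/html; charset=utf-8

<p>Dear Customer, suspicious activity has been detected on your account.
Please <a href="http://paypal.com.verify-account.example/login">https://www.paypal.com/signin</a>
within 24 hours to avoid suspension.</p>
"""
```

Calling `triage(SAMPLE)` returns four flags: the off-domain sender, the generic greeting, the link whose text shows www.paypal.com but points elsewhere, and the lookalike host that merely contains the word ‘paypal’.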
If you suspect you’ve received a phishing email, the best course of action is to forward it directly to PayPal and they will investigate the matter further. The company has set up a specific email address that users can forward any suspicious emails to. The address is: firstname.lastname@example.org. You should avoid altering the subject line or sending the message as an attachment. As soon as the message has been sent, you should immediately delete the email from your inbox.
It’s also worthwhile reporting the scam to the email provider whose service was used to send the email. For example, if the scam email came from a Yahoo account, you should send it to email@example.com; if the email was sent via Gmail, there is a ‘Report Spam’ button; and in Hotmail there is a ‘Report Phishing’ button. The provider will then investigate and close the account the email was sent from.
Despite the increasing sophistication of phishing attacks, there are a number of ways you can protect yourself online. MetaPhish has been specifically designed to protect businesses from phishing and ransomware attacks and provides the first line of defence in combatting cyber-crime. Get in touch for further information on how we can help your business.