
New PayPal Phishing Attack Exposes Vulnerability, No “Phish” Needed
PayPal users are being warned about a new type of phishing scam that is anything but traditional. While phishing attacks have become increasingly sophisticated over the years, a new wave of “no-phish phishing attacks” is catching even seasoned security experts off guard. These attacks exploit legitimate features within PayPal, leaving users vulnerable to online fraud without the usual signs of phishing. The most recent warning comes from Fortiguard’s Chief Information Security Officer, Dr. Carl Windsor, who discovered the malicious campaign when he was targeted himself.
So, what makes this attack different from others? The main twist here is that the attackers don’t rely on typical phishing tactics, such as fake emails or suspicious links. Instead, they use genuine features within PayPal’s platform. The attack starts with an email that looks entirely legitimate—sent from a valid PayPal email address, with no obvious signs of spoofing. The link within the email leads to a legitimate PayPal login page, but the trick is that the payment request is addressed to an unusual email address that’s linked to the attacker, not the victim. This cleverly bypasses traditional security filters that would normally flag phishing attempts.
For example, in one case, Dr. Windsor received an email that appeared to come from PayPal, requesting a payment of over $2,000. At first glance, the email seemed normal. However, upon closer inspection, he noticed that the recipient address didn’t match his own email. The scammer had exploited Microsoft 365’s test domain feature to create a distribution list with a seemingly innocent domain, so the email passed normal security checks and was hard for both users and email filters to identify as fraud.
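The tell-tale sign in the case above is that the message was delivered to the victim while the visible recipient was an unrelated distribution-list address. The following is an added example (not code from the article or from PayPal) that automates that check on a raw message: it flags a payment-request email whose To/Cc addresses do not include any of the mailbox owner's own addresses. The owner addresses and both sample messages are constructed.

```python
"""Flag a payment-request email whose visible recipient is not the mailbox
owner. Added example; OWN_ADDRESSES and the sample messages are constructed."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Constructed: the addresses the mailbox owner actually uses.
OWN_ADDRESSES = {"alice@example.com", "alice.work@example.org"}


def visible_recipients(msg: Message) -> set[str]:
    """Lower-cased addresses taken from To: and Cc: (Bcc is never visible)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def recipient_mismatch(raw: str, own_addresses=OWN_ADDRESSES) -> tuple[bool, str]:
    """Return (flagged, reason). A message that reached our mailbox but is
    addressed only to someone else (e.g. a distribution list we never joined)
    is the pattern described in the article."""
    msg = message_from_string(raw)
    recipients = visible_recipients(msg)
    own = {a.lower() for a in own_addresses}
    if not recipients:
        return True, "no visible recipient (To/Cc missing)"
    if recipients & own:
        return False, "addressed to the mailbox owner"
    return True, "addressed to " + ", ".join(sorted(recipients)) + ", not to the owner"


# Constructed sample: a request addressed to the owner (passes the check).
LEGIT = """From: service@paypal.com
To: Alice <alice@example.com>
Subject: You have a money request

Please review the request in your account.
"""

# Constructed sample: a request addressed to a list the owner never created.
SUSPICIOUS = """From: service@paypal.com
To: billing-list@tenant.example
Subject: You have a money request

Please review the request in your account.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("suspicious", SUSPICIOUS)):
        flagged, reason = recipient_mismatch(raw)
        print(f"{name}: {'FLAG' if flagged else 'ok'} - {reason}")
```

The check is deliberately independent of sender authentication, since in this campaign the From address and SPF/DKIM results are genuinely PayPal's and give nothing to filter on.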
If the victim clicks on the link in the email, they’re redirected to PayPal’s login page, where they might unknowingly log in, believing it’s a legitimate request. Unfortunately, this would give the attackers access to their PayPal account, potentially leading to a complete account takeover.
Experts in the cybersecurity field, such as Elad Luz from Oasis Security, have pointed out how this attack is different from regular phishing scams. Since the attackers use a trusted feature and send emails from verified sources, it’s harder for email filters and mailbox providers to distinguish this scam from legitimate communications. This stealthy approach allows attackers to evade detection and successfully deceive victims.
To avoid falling victim to these types of attacks, security experts suggest that the best defense is awareness. As Dr. Windsor emphasizes, the "human firewall" is crucial—meaning that users should be extremely cautious about unsolicited emails, even if they appear genuine. If you receive an unexpected payment request, especially from a service like PayPal, it’s always best to double-check directly with the company via their official channels, rather than clicking on any link in the email.
PayPal itself has acknowledged the growing threat and encourages users to remain vigilant, especially during the busy holiday season when scammers are most active. They recommend enabling two-factor authentication for added security and remind users to report any suspicious emails to PayPal’s security team. Customers are also urged not to click on unexpected links or share personal information with anyone they don’t trust.
So, while phishing may be the most well-known threat in the world of cybercrime, the emergence of these “no-phish phishing” attacks highlights the evolving nature of online scams. As attackers continue to exploit legitimate features and services, it's essential for users to stay informed and practice caution to protect themselves from becoming victims.