Threat actors have been using legitimate accounts with PayPal, the online payment giant, to augment their social engineering ploys, says email-security firm Avanan.
The firm says it first spotted attackers using PayPal accounts to send “malicious invoices and request payments” in June.
“The hackers send the email from PayPal’s domain, using a free PayPal account that they have signed up for, with the email body spoofing brands like Norton,” said Avanan.
This is a two-pronged phishing attack: PayPal and a second established brand are both abused to lower the victim’s guard. What makes it harder to catch is that the PayPal account is real, not a spoofed lookalike: the invoice genuinely originates from PayPal’s own infrastructure, so ordinary sender checks such as SPF and DKIM pass.
“Hackers are using a combination of social engineering and legitimate domains to extract money and credentials from end-users,” said Avanan, pointing out that this campaign is redolent of a similar one spotted last month, in which authentic accounts with software provider QuickBooks were employed to send bogus demands for payment.
“PayPal and QuickBooks are particularly clever since they are often used for business invoices,” said Avanan, adding that what makes the scam effective is static email “allow lists” that permit content from such reputable providers to go directly to an inbox.
“Trusted websites like PayPal often make the cut, even if it is an oft-impersonated brand,” said Avanan. “What makes this attack scary is that the phishing invoices are created and sent through PayPal. That makes it [seem] more legitimate to the security service and to the end-user.”
The net result is a successful “double spear” attack, in which the victim both pays a fake invoice and calls the telephone number given in the phony email.
“Not only do they have your email, they have your phone number, which can be used for future attacks,” said Avanan. “And, of course, they have your money.”
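The weakness described above is that a static allow list lets anything from paypal.com through unchecked, even though the sender authentication is genuine. The following is an added example, not code from Avanan or Cybernews, showing how a gateway rule could instead inspect the content of an invoice that arrives from an allow-listed, authenticated provider: it flags a brand named in the invoice that does not match the sending provider, a callback telephone number, and urgency wording. The allow list, the brand-to-domain map, and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical static allow list of invoicing providers a gateway trusts outright.
ALLOW_LISTED_DOMAINS = {"paypal.com", "intuit.com"}

# Brand keyword -> the domain that brand legitimately sends from (assumed mapping).
BRAND_DOMAINS = {
    "paypal": "paypal.com",
    "quickbooks": "intuit.com",
    "norton": "norton.com",
    "mcafee": "mcafee.com",
    "geek squad": "bestbuy.com",
}

# North American phone number, with or without country code and separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URGENCY_RE = re.compile(
    r"\b(?:within \d+ hours|immediately|urgent|did not authori[sz]e|unauthori[sz]ed)\b",
    re.I,
)


def auth_passed(msg):
    """True when the Authentication-Results header shows SPF and DKIM passing."""
    results = msg.get("Authentication-Results", "").lower()
    return "spf=pass" in results and "dkim=pass" in results


def analyze_invoice_mail(raw):
    """Score a single-part text invoice email; returns the signals and a verdict."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    sender_brand = next((b for b, d in BRAND_DOMAINS.items() if d == sender_domain), None)

    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    mentioned = {b for b in BRAND_DOMAINS if b in text}
    mismatch = sorted(mentioned - {sender_brand})  # brands foreign to the sender
    phones = PHONE_RE.findall(text)
    urgent = bool(URGENCY_RE.search(text))
    trusted = sender_domain in ALLOW_LISTED_DOMAINS and auth_passed(msg)

    # A plain allow list would deliver every trusted message unconditionally.
    # Here a foreign brand or a callback number inside a trusted provider's
    # invoice is what sends it to review, precisely because it is trusted.
    if trusted and (mismatch or phones):
        verdict = "hold_for_review"
    elif trusted:
        verdict = "deliver"
    else:
        verdict = "normal_pipeline"

    return {
        "sender_domain": sender_domain,
        "trusted": trusted,
        "brand_mismatch": mismatch,
        "phone_numbers": phones,
        "urgent": urgent,
        "verdict": verdict,
    }


# Constructed sample: a real PayPal invoice whose text impersonates Norton.
PHISHING_SAMPLE = """\
From: "Norton LifeLock" <service@paypal.com>
To: victim@example.com
Subject: Invoice from Norton LifeLock - Order #INV-1042
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com

This invoice was sent through PayPal.
You have been charged $499.99 for your Norton 360 annual renewal.
If you did not authorize this transaction, call 1-800-555-0199 immediately.
"""

# Constructed sample: an ordinary PayPal invoice from a small business.
BENIGN_SAMPLE = """\
From: "Acme Consulting via PayPal" <service@paypal.com>
To: customer@example.com
Subject: Invoice from Acme Consulting - #INV-2207
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com

Acme Consulting sent you an invoice for $1,250.00 for March consulting services.
View and pay the invoice through your PayPal account.
"""

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, BENIGN_SAMPLE):
        print(analyze_invoice_mail(sample))
```

Two caveats for anyone adapting this: trust the Authentication-Results header only when your own MX added it (a sender can forge that header, so a production gateway strips inbound copies before stamping its own), and a real invoice is usually multipart HTML, so the body extraction needs a proper MIME walk rather than `get_payload()` on a single-part message.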