A newly discovered phishing campaign sees cybercriminals impersonating PayPal as they try to scare victims into giving away sensitive information.
Cybersecurity researchers from email security company Avanan recently spotted a new campaign that has so far been, relatively successful due to the fact that it doesn’t carry any links.
Usually, phishing works by redirecting people to malicious websites, via links shared in an email. In this campaign, however, there are no links present in the emails, which renders most email security solutions useless.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.
Two possible scenarios
It starts in a similar fashion to all other campaigns - the victim will get an email, claiming to be from PayPal, saying they’ve purchased $500 worth of Dogecoin, and that if they want to cancel the order, they should call the number provided further below.
While we don’t know what happens should a victim actually call that number, there are two possibilities. Either the attackers try and persuade the victims into giving away sensitive information (for example, PayPal login data, or credit card info), or they “cancel” the pending Dogecoin order and go about their day.
In the latter scenario, what the attackers walk away with is the victim’s phone number, which can then be used to mount a more serious attack.
“Just one successful attack can lead to dozens of other ones,” the researchers said.
The phone number listed in the email is located in Hawaii, the researchers have found, but chances are, it’s just a routing number, and the actual threat actors are located elsewhere.
Major companies, such as PayPal, or Microsoft, are often impersonated by threat actors trying to scam people. To stay safe, it is important to always double-check the email address of the sender, make sure the email doesn’t have any suspicious typos or spelling errors, and make sure not to click any links, or download any attachments.
Most major companies have instant messaging customer support, as well as social media accounts, which can be used to verify whether or not they’d really sent out the email or not.
Via: Tom's Guide
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.