Олександр Кузьменко
That's Life
24 February 2025, 15:30
Scammers pose as PayPal support in phishing emails: “Confirm your address for MacBook M4 Max delivery.” How this scheme works
Fraudsters have launched a phishing campaign that exploits PayPal address settings to trick users into accessing their accounts. The emails appear to come from real PayPal addresses and bypass spam filters. Here’s how to protect yourself from this scheme.
According to BleepingComputer, the editorial staff of the publication and many other users have recently received emails from PayPal with the message: «You have added a new address. This is just a quick confirmation that you have added an address to your PayPal account».
The email contains a new address that has allegedly been added to the user’s PayPal account, as well as a message that purports to be a confirmation of the purchase of a MacBook M4 and a request to call the PayPal number provided if this is not an authorized purchase.
«Confirmation: Your shipping address for the MacBook M4 Max 1TB ($1098.95) has been changed. If you did not authorize this update, please contact PayPal at the number,» the scam email states.
The emails are sent directly by PayPal from the address «service@paypal[.]com,» which has led people to worry that their accounts have been hacked. However, those who received the email have confirmed that no new addresses have actually been added to their accounts. Sometimes the emails even arrive at email addresses that are not associated with a PayPal account.
Additionally, because these emails are sent from genuine PayPal addresses, they bypass security and spam filters.
Example of a scam email from PayPal. Screenshot: BleepingComputer
How the PayPal address scam works
The purpose of these emails is to make the recipient believe that their account has been hacked to purchase a MacBook and scare them into calling the scammer’s «PayPal support» phone number.
When the victim calls this number, a recording automatically plays, stating that they have reached PayPal support and asking them to wait until a support representative is available. The call is then routed to a «support representative.»
The scammer will try to frighten the victim into believing that their account has been hacked and convince them to download and run software to «help» restore access to the account and block the alleged transaction.
The scammer will redirect you to a site like pplassist[.]com, where you will be asked to enter a service code provided by the fake PayPal employee. Entering this code downloads the ConnectWise ScreenConnect [VirusTotal] client from lokermy.numaduliton[.]icu or other sites, and the scammer will ask you to run it.
When an attacker gains access to a computer, they will try to steal money from bank accounts, run malware, or steal data from the computer.
What to do if you receive such an email
If a user receives a genuine email from PayPal asking them to update their address and it contains a fake purchase confirmation, they should simply ignore it and not contact the phone number provided, as it belongs to a scammer.
Instead, you need to log into your PayPal account and make sure no additional addresses have been added, and if not, delete this email.
How scammers force PayPal to send emails
The fraudulent emails are sent from the genuine PayPal service@paypal[.]com email address on the company’s mail server and pass the DKIM email security check.
In such emails, there is a note at the bottom: «If you want to link your credit card to this address or make it your primary address, log in to your PayPal account and go to your profile. Since this address is a gift address, you can send packages to it with one click».
During testing, BleepingComputer added a new address to one of its accounts and inserted the scammers' fake message confirming the purchase of a MacBook into the Address 2 field.
After the address was saved, PayPal sent the same confirmation email, notifying them of the new address they had added, which also contained the fake purchase notification.
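Because the message passes DKIM, a sender-authentication verdict cannot separate these emails from ordinary address notices; the reflected address block has to be inspected instead. The following is an added example, not code from the article, BleepingComputer or PayPal. It assumes the receiving mail server writes an Authentication-Results header; `build_notice`, `score_address_notice`, the message layout and the 555 phone number are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed lure modelled on the wording quoted above; the phone number is fictional.
LURE = ("Confirmation: Your shipping address for the MacBook M4 Max 1TB ($1098.95) "
        "has been changed. If you did not authorize this update, please contact "
        "PayPal at +1 (555) 010-0199")

def build_notice(address_line_2: str) -> str:
    """Constructed stand-in for the notification: Address 2 is reflected verbatim."""
    return (
        "From: service@paypal.com\n"
        "Subject: You added a new address\n"
        "Authentication-Results: mx.example.com; dkim=pass header.d=paypal.com\n"
        "\n"
        "You have added a new address. This is just a quick confirmation that\n"
        "you have added an address to your PayPal account.\n\n"
        "Jane Doe\n1 Example Street\n" + address_line_2 + "\nSpringfield, CA 90000\n"
    )

ADDRESS_NOTICE = re.compile(r"you (have )?added a new address", re.I)
DKIM_PAYPAL = re.compile(r"dkim=pass\b[^;]*header\.d=paypal\.com(?![\w.-])", re.I)
# Things a postal address never contains but a callback-phishing lure does.
LURES = {
    "price": re.compile(r"[$€£]\s?\d[\d,]*\.\d{2}"),
    "phone": re.compile(r"\+?\d?[\s.(-]*\d{3}[\s.)-]+\d{3}[\s.-]+\d{4}"),
    "call_to_action": re.compile(
        r"\b(contact|call)\b.{0,40}\b(paypal|support)\b", re.I | re.S),
    "unauthorized": re.compile(r"did(n't| not) authori[sz]e", re.I),
}

def score_address_notice(raw: str) -> dict:
    """Flag an 'address added' notice whose body carries purchase/callback text."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # single-part text message, so this is a str
    hits = sorted(name for name, rx in LURES.items() if rx.search(body))
    is_notice = bool(ADDRESS_NOTICE.search(body))
    return {
        "dkim_pass": bool(DKIM_PAYPAL.search(msg.get("Authentication-Results", ""))),
        "address_notice": is_notice,
        "lures": hits,
        # Two independent lure signals inside an address notice: quarantine or warn.
        "suspicious": is_notice and len(hits) >= 2,
    }

if __name__ == "__main__":
    print(score_address_notice(build_notice(LURE)))      # dkim_pass and suspicious
    print(score_address_notice(build_notice("Apt 4B")))  # dkim_pass, not suspicious
```

Both messages report `dkim_pass` as true; only the content check distinguishes the abused notice from a normal one.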