Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    PayPal Phishing for Passports and More

    PayPal_LogoAn ongoing PayPal phishing campaign is trying to steal a wide range of personal information, including Social Security numbers and passport photos, Threatpost reports. The scams were discovered by Czech IT company ALEF NULA, which noted that the scam is notable for the breadth of data it requests.

    The phishing messages inform the recipient that their PayPal account has been locked because a new device logged into it. The recipient is asked to log in to their account and update their info. The link in the message is a Bit.ly URL that redirects the user to the phishing site.

    The first two pages on the phishing site are standard forms asking for users’ names, addresses, phone numbers, and payment card details. The next page asks for the user’s date of birth and Social Security number, and the final page tells them to upload a photo of their passport.

    Jan Kopriva at ALEF NULA explained that this is a common strategy in modern phishing scams.

    “Over the years, phishing authors seem to have learned that once they hook a phish, they should try to get all the information they can from them,” Kopriva said. “This is the reason why many current campaigns don’t stop after getting the usual credit card information, but go further.”

    Kopriva also noted that the way the page is laid out might compel users to upload even more information than the attackers are after.

    “What might be a bit unfortunate from the standpoint of a potential victim is that after the user uploads a file, the page is refreshed but no confirmation is displayed,” Kopriva said. “This means that a less vigilant user might upload multiple photos of documents while thinking that their previous attempts were invalid for some reason.”

    This campaign can be easily avoided by someone who knows what to look for. The initial email contains numerous grammatical errors, and the URL of the phishing site doesn’t even attempt to spoof PayPal’s real address. New-school security awareness training can help your employees recognize these types of irregularities.

    Threatpost has the story: https://threatpost.com/active-paypal-phishing-scam-targets-ssns-passport-photos/152755/

     

    Return To KnowBe4 Security Blog

    Free Phishing Security Test

    Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

    PST ResultsHere's how it works:

    • Immediately start your test for up to 100 users (no need to talk to anyone)
    • Select from 20+ languages and customize the phishing test template based on your environment
    • Choose the landing page your users see after they click
    • Show users which red flags they missed, or a 404 page
    • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
    • See how your organization compares to others in your industry

    Go Phishing Now!

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://www.knowbe4.com/phishing-security-test-offer

    Topics: Phishing, Security Awareness Training

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews