It’s the season of giving, which means internet scams are practically everywhere, as cybercriminals are trying to trick eager holiday shoppers. So, it’s unsurprising that yet another scam has emerged, this time targeting millions of PayPal users with manipulative phishing emails. The emails, which are intended to look like they’re from customer support, are trying to convince users to validate fake transactions.
How it works
This phishing scam does a pretty good job at seeming believable. The email leverages the PayPal logo and the sender’s address appears to be service@paypal.com. Additionally, an order number is referenced and the message claims that the user needs to click a link in order to verify the transaction. The order number is entirely fake, and the link actually leads users to epauypal.com.
From there, victims are led through an authentication process that asks for name, date of birth, address, mother’s maiden name, and a credit card number. What’s more, the site has a valid SSL certificate, so your browser shows the green lock icon in the corner, which indicates only that you are connected to the address shown in the address bar.
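The mismatch described above, a sender shown as service@paypal.com but a link that leads to epauypal.com, can be checked mechanically. The following is an added example, not part of the original article: the function names, the sample message and its URL paths are constructed, and taking the second-to-last label as the registrable name is a simplifying assumption.

```python
import re
from urllib.parse import urlsplit

TRUSTED = "paypal.com"  # the brand domain named in the article
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'other' for a link's hostname."""
    host = host.lower().rstrip(".")
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    brand = trusted.split(".")[0]
    # Assumption: the registrable name is the second-to-last label; production
    # code should consult the Public Suffix List instead.
    labels = host.split(".")
    name = labels[-2] if len(labels) >= 2 else host
    if brand in host or edit_distance(name, brand) <= 2:
        return "lookalike"
    return "other"

def check_email(from_addr, body, trusted=TRUSTED):
    """List (host, verdict) for links that do not belong to the claimed sender."""
    claims_brand = from_addr.lower().rsplit("@", 1)[-1] == trusted
    findings = []
    for url in URL_RE.findall(body):
        # Only the hostname is compared: https and a valid certificate prove
        # the connection reaches that host, not that the host is the brand.
        host = urlsplit(url).hostname or ""
        verdict = classify_host(host, trusted)
        if verdict == "lookalike" or (claims_brand and verdict == "other"):
            findings.append((host, verdict))
    return findings

# Constructed sample message; the order number and URL paths are made up.
SAMPLE_BODY = (
    "Please verify order 0000-EXAMPLE: https://epauypal.com/verify\n"
    "Questions? Visit https://www.paypal.com/help\n"
)

if __name__ == "__main__":
    print(check_email("service@paypal.com", SAMPLE_BODY))
```

The check ignores the displayed sender address as evidence of origin and judges each link by its hostname alone, so the genuine www.paypal.com link passes while epauypal.com is flagged.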
How to stay protected
Fortunately, there are a few key indicators that reveal the scam’s true colors. First off, the header bar on epauypal.com is missing a “help” link. There’s also no alarm bell for notifications or a gear icon that you can use to update your settings. Plus, normal verification procedures don’t typically involve an additional form like the one from epauypal.com. So be sure to keep an eye out for all these red flags.
However, beyond staying aware of these indicators, there are a few other things users can do to stay protected from this malicious phishing scam:
- Go directly to the source. This scam could be easily avoided if users simply go directly to the PayPal website. It’s a good security rule of thumb: when an email comes through requesting personal info, always go directly to the company’s website to be sure you’re working with the real deal.
- Be careful what you click on. Be sure to only click on emails that you are sure came from a trusted source. If you don’t know the sender, or the email’s content doesn’t seem familiar, remain wary and avoid interacting with the message.
- Place a fraud alert. If you know your data has been compromised by this attack, be sure to place a fraud alert on your credit so that any new or recent requests undergo scrutiny. It’s important to note that this also entitles you to extra copies of your credit report so you can check for anything sketchy. And if you find an account you did not open, make sure you report it to the police or Federal Trade Commission, as well as the creditor involved so you can put an end to the fraudulent account.
- Stay secure while you browse. Sometimes it’s hard to identify whether a website, such as epauypal.com, is full of malicious activity or is being operated by a cybercriminal. So, add an extra layer of security to your browser, and surf the web safely by utilizing McAfee WebAdvisor.