Update, Jan. 11, 2025: This story, originally published Jan. 9, now includes comments from a number of security experts as well as a statement from PayPal and further background information regarding phishing mitigation for users.
When is a phishing attack not a phishing attack? That is the question posed by Fortiguard’s chief information security officer after he was targeted by a new attack using a legitimate PayPal feature from a legitimate address with a seemingly legitimate URL as well. Here’s what you need to know about the “phish-free” PayPal phishing attack.
The Evolution Of Phishing Attacks—PayPal Users Now In The Crosshairs
Phishing attacks are getting ever more clever in their approach, as a recent news article highlighting how genuine Google security prompts are being used to scam victims into giving up their account credentials revealed. While the do-not-click advice is, as always, the baseline for anti-phishing best practices, it’s no longer good enough when legitimate features are being exploited by hackers in no-phish phishing attacks. Let this example of just such an attack, using legitimate PayPal functionality, be a warning to you: if the CISO of a security company thinks it’s highly dangerous, then so should you.
“A genuine email can’t still be a problem, can it?” That’s the question that Fortiguard chief information security officer, Dr. Carl Windsor, posed in a new warning posted to the Fortiguard Labs Threat Research blog, Jan. 8. Reporting that the email in question, which purported to be from PayPal, used a genuine PayPal money request feature and came from a sender address that “appears to be valid and not spoofed,” could fool his mother, the standard test he uses in such circumstances, Windsor warned that the attack “doesn’t use traditional phishing methods.” In fairness, it sounds pretty fishy to me so far, but let’s explore further to see what Windsor means.
The No-Phish PayPal Phishing Scam
“The email, the URLs, and everything else is perfectly valid,” Windsor explained, and when the victim clicks on the link (don’t do that), they are redirected to a PayPal login page showing a request for payment. The trick being employed by the attackers here is that the PayPal request is tied to the address it was sent to rather than the one it was received at. The victim might not notice that the email was addressed to a user who had registered a free Microsoft 365 test domain to create the distribution list that contained the target emails. By then using the legitimate PayPal payment request feature with this list as the recipient address, everything looked completely legitimate, apart from the To: address field, which the victim can easily miss unless they happen to be a chief information security officer, or at least you’d hope a CISO wouldn’t. The payment request, in this case, was for $2,185.96, which is large enough to be profitable at scale yet “small” enough not to raise too much suspicion for many corporate targets.
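The tell Windsor describes is the To: field: the money request was addressed to a distribution-list address on a throwaway tenant, not to the recipient’s own mailbox. The following is an added example, not code from the article, Fortiguard or PayPal, of a mailbox-side check that flags PayPal-branded money requests whose To:/Cc: headers do not contain the reader’s own address; the sample messages, addresses and domains are constructed.

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Constructed sample: a money request that arrived via a distribution list.
# The From domain is PayPal's, but the To: address is a list on a throwaway
# Microsoft 365 tenant, not the recipient's own mailbox.
SAMPLE_VIA_LIST = """\
From: PayPal <service@paypal.com>
To: Billing Dept <billingdept@example-tenant.onmicrosoft.com>
Subject: You have a money request

You have received a money request for $2,185.96.
"""

# Constructed sample: the same kind of request addressed directly to the reader.
SAMPLE_DIRECT = """\
From: PayPal <service@paypal.com>
To: Alice <alice@corp.example>
Subject: You have a money request

You have received a money request for $12.00.
"""


def recipient_addresses(raw):
    """Return every lower-cased address found in the To: and Cc: headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def is_indirect_money_request(raw, my_address, sender_domains=("paypal.com",)):
    """True when a PayPal-sender money request was not addressed to my_address.

    A request delivered through a distribution list is tied to the list's
    address rather than the reader's, which is the mismatch to look for.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain not in sender_domains:
        return False  # not the legitimate-sender scenario this check targets
    if "money request" not in str(msg.get("Subject", "")).lower():
        return False  # only payment/money requests are in scope
    return my_address.lower() not in recipient_addresses(raw)
```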
“As a trusted commerce platform, PayPal takes pride in our work to protect our customers from evolving scams and fraud activity, including this common phishing scam,” a PayPal spokesperson said. “We encourage customers to always remain mindful online, especially this time of year, and to visit PayPal.com for additional tips on how to protect themselves.”
Security Experts Speak Out About The Latest PayPal Attacks
A number of security professionals have now spoken out about the latest attack methodology being exploited by these PayPal threat actors. Standard phishing methods, which typically require threat actors to craft malicious emails delivered to a wide audience, are relatively easy for email platforms to detect and block; that’s not the case with this phishless attack. Elad Luz, head of research at Oasis Security, warned that exploiting a vendor feature and sending from a verified source makes these attacks “difficult for mailbox providers to distinguish from genuine communications, leaving PayPal as potentially the only entity capable of mitigating the issue.” Acknowledging that there would be a trade-off between PayPal delaying transactions to allow more time for detecting fraudulent activity and maintaining customer satisfaction by processing payments promptly, Luz concluded: “I trust PayPal will strike the right balance to address this challenge effectively.”
Experts at managed e-commerce hosting provider Hypermode have also warned of other common PayPal scams that users should be sure to be aware of:
- The Problem With Your PayPal Account Scam: a standard support notification phishing trick that leverages the fear of account loss.
- The Promotional Offer PayPal Scam: cash rebates, discounts on future purchases or online vouchers are used as a phishing lure.
- The Order Confirmation PayPal Scam: legitimate-looking confirmations of a large purchase direct users to click a link to verify the transaction.
Mitigating The PayPal Phishless Phish Attack
By way of background, PayPal told me that it takes all the necessary steps to protect customers as scammers continually evolve their attack methodologies. This involves a number of things, used in combination, such as manual investigations and technology-led protections. PayPal is also proactive when it comes to limiting accounts and declining transactions that are deemed to be potentially risky. PayPal customers have likely already seen some of these fraud detection technologies in action, such as the fraud reminder notifications and advice that come part-and-parcel with global invoice and peer-to-peer money requests.
“The best solution is the Human Firewall,” Windsor said, “someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look.”
Email is one of the most common vectors for cyberattacks, including phishing, malware, and ransomware, and it’s crucial for companies of all sizes to have a solution that covers email security. “Neglecting email security can expose a company to significant risks, including data breaches, financial losses, and reputational damage,” Spencer Starkey, the executive vice president for the Europe, Middle East and Africa region at SonicWall, said. “A comprehensive email security solution should include features such as spam filtering, malware scanning, link protection, and data loss prevention. By implementing such a solution, companies can protect their employees, customers, and partners from email-based threats and ensure the integrity and confidentiality of their communications.”
Meanwhile, Stephen Kowski, the field chief technology officer at SlashNext Email Security+, said that while it’s not new to observe attackers exploiting distribution lists in unexpected ways, the PayPal twist is a new variation on that theme. “Using neural networks to analyze social graph patterns and other advanced AI techniques in more modern security tools help spot these hidden interactions by analyzing user behaviors more deeply than static filters,” Kowski said, adding “that kind of proactive detection engine recognizes unusual group messaging patterns or requests that slip through basic checks. A thorough inspection of user interaction metadata will catch even this sneaky approach.”
As well as resources detailing how to spot a fake PayPal email and how to keep scammers from gaining access to your PayPal account, PayPal advises customers to:
- Remain mindful when being asked to participate in a transaction, particularly with someone they don’t know or to whom they do not owe any money.
- Not pay any unexpected or suspicious invoices or payment requests, but also not respond to those requests in any way, including the sharing of personal information.
- If a customer has shared personal information or clicked links, they should change their account password and contact PayPal as well as their financial institution immediately.
- Enable two-factor authentication.
- Report any phishing emails to the PayPal security team by forwarding them to [email protected] and then deleting them.