The chief information security officer at cybersecurity company Fortiguard has raised concerns after encountering a new type of “no-phish” phishing threat using legitimate PayPal mechanisms.
In a blog post, Carl Windsor reported receiving an email that appeared to be from PayPal, complete with a valid sender address. The email requested money through the platform’s money request feature. While both the email and URL were legitimate, the only anomaly was that the “to:” address field in the email was not addressed to him; instead, it was addressed to a free Microsoft 365 test domain.
If a user responded to the email, they were directed to the PayPal site, where everything appeared to be a valid money request from that point onward.
“The PayPal phish-free phishing attack shows just how crafty cybercriminals have become with social engineering scams,” said Suzanne Sando, Senior Fraud and Security Analyst at Javelin Strategy & Research. “Closely following advice given to consumers from FIs, fintechs, and other major financial industry leaders allows these scammers to circumvent the usual red flags consumers are told to look for when determining the legitimacy of a transaction request. Consumers are primarily the first line of defense when it comes to scams, so when everything seemingly checks out and looks legitimate, it’s an easy decision to move forward with the transaction.”
Mimicking Tactics
It’s a common tactic for criminals to send phishing communications that mimic those used by major corporations like PayPal. However, most impersonation scams direct the target to either click on a link to a false website or call a fraudulent number.
What makes the PayPal “no-phish” scam unique is that it directs users to the legitimate PayPal site, but exploits a vulnerability in the platform. Windsor reported that the payment request was for $2,185.96, an amount small enough that it might not raise suspicion in many corporations.
A Human Firewall
Phishing attacks have become more common and increasingly sophisticated. Criminals are leveraging more convincing technology, including AI, to create scams that are harder to identify. To combat this, Windsor wrote that the best solution to complex fraud attacks is the “human firewall”—meaning that the recipient has been trained to disregard or double-check any email that hasn’t been specifically requested.
However, most user education focuses on detecting emails from suspicious sources. The fact that the phishing attempt against Windsor used the genuine PayPal site means the threat is much harder to detect.
“This is, once again, a prime example of never clicking on a link in an email, even if it appears to be legitimate,” Sando said. “The best advice FIs and customer-facing financial services organizations can give to their customers is to bypass clicking on any links in an email or text message, and log into their account to directly address any transaction requests, fraud alerts, etc.”