Phishing for selfies: A brazen new PayPal scam

Phishing for selfies: A brazen new PayPal scam

A brand new phishing scam has been discovered which encourages victims to upload photos of themselves in order to ‘confirm’ their identities.

The scam – which has yet to be officially named – sees cyber criminals send emails purporting to be from PayPal, warning users that their accounts have been compromised. When a user clicks through from the email, they are directed to a page that has been designed to look exactly like the PayPal login screen.

After signing in with their username and password, users are then presented with another screen (replete with PayPal branding) asking for their account details. Under the heading ‘verify your account’, it asks for an address and banking details.

Where this gets most interesting, however, is the next screen. Presuming that anyone who hasn’t worked out it’s a scam by this point may be gullible enough to be tested further, the scammers ask for a photo to be uploaded, where the user holds up two cards: one form of ID and one bank card. To make the ruse that bit more believable, it even has two example images, showing how to and how not to do it.

Any users that submit their photographs are then simply redirected to the actual PayPal site, in the hope this final move will mean they won’t suspect a thing.

It appears that the cybercriminal behind this scam is just as interested in the images as the bank details – if not more so. In delving into the code, phishme.com noted an “unusual level of detail” on the photo upload page, with many input validations that differentiate it from less tech-savvy scams. For example, it says that images must be submitted as JPEG or PNG files, and will even return an error message for those which are not.

As with this phishing scam and all others, PhishMe reiterated its advice to always go direct to the website in question. Instead of clicking on a link within an email, users should navigate to the website through their URL bar and log in that way. If the email is genuine, they can still resolve any issues; if it’s not, no harm is done.

Published On: June 28, 2017/By /Categories: All news items, Security, Web Privacy/
Go to Top