A Snap trap: Fake PayPal email scam asks victims to take selfie, steals credit card and identity info

SmartCompany, June 20, 2017

Business owners are likely to be familiar with classic email phishing scams asking for things like login credentials, credit card details, or payment to renew a company name, but a recent attack impersonating PayPal has stepped it up a notch by asking for selfies.

The attack, uncovered by email security company PhishMe, started with an email sent to recipients worldwide, telling users their accounts had been compromised and that action was required.

Users are invited to follow a link, which leads to a knockoff PayPal login page that is an almost perfect replica of the real one. After entering their credentials into the fraudulent login page, users are asked to enter their home address and credit card number on the next screen.

The crafty scam doesn’t stop there. After successfully nabbing users’ PayPal login, home address, and credit card number, the attack goes one step further by asking users to upload a selfie in which they are holding a form of ID such as their driver’s license.

After completing the numerous steps, the victim is then redirected to the real PayPal website.

The details harvested by the attack are comprehensive enough for a cyber criminal to sign up to services like online cryptocurrency trading exchanges, which often require stringent ID checks via photo proof.

PhishMe speculates the criminal could be using the harvested details from this scam to sign up to exchanges, potentially siphoning money from the victim’s PayPal account online to convert it to a highly anonymous currency like Bitcoin or Ethereum.

Michael McKinnon, cyber security expert at Sense of Security, tells SmartCompany the high value and relative anonymity of cryptocurrencies have spurred on recent attacks like this one.

“With the value of crypto increasing the way it is, it’s driving a lot of this type of innovation in these scams. We’re going to see a ramp up in connecting these sort of attacks with ways to get cryptocurrency,” he says.

A recent example of this was the stealthy Adylkuzz attack which placed itself silently on users’ computers and used a series of complex calculations to successfully “mine” a currency known as Monero.

Outside of the money-grabbing aspect of this attack, McKinnon warns the credentials stolen by the criminal in this scenario could be used for all sorts of nefarious deeds.

“Identity is everything these days. It could be used to apply for bank loans, credit cards, and to get verified with various different transaction websites,” he says.

“And if someone uses your identity to do something illegal, you’ve got a whole other set of consequences that are going to come down on you.”

“On top of that, you’ve given them your PayPal username and password, so there’s a good chance even while you’re taking the picture with your webcam your accounts are being drained in the background.”

McKinnon warns businesses against getting click-happy when it comes to emails and recommends not following any links in emails, even if they appear legitimate.

“The best approach with phishing attacks is to never begin the process in the first place, never do anything directly from an email,” he says.

“If you get one from PayPal, take notice of it, delete the email, and go to the legitimate PayPal website and check from there.”

As further advice, PayPal advises it will never address customers by “Dear valued customer” or “Dear buyer”. Instead, legitimate emails from the company will always include your first and last name.

“An email from PayPal won’t ask you to send sensitive information like your password, bank account, or credit card. If information is required to confirm or maintain your account, you will be asked to visit PayPal.com to log into your account securely,” the company says on its website.

PayPal asks that any suspicious emails be forwarded to spoof@paypal.com. The company also publishes further tips on spotting scams.