In this phishing attack, cybercriminals impersonate PayPal and send the target a security notice regarding their account. Using a spoofed sender address that mimics a legitimate PayPal address, “services@pyapal[.]com”, together with impersonated PayPal branding, the attacker claims there is inaccurate or unverified data associated with the recipient’s account. The target is instructed to use the provided link to review and update their account information in order to continue using the service. To manufacture a sense of urgency, the message warns that failure to act within 24 hours may result in account restrictions. If the recipient clicks the button labeled “Update Information”, they are redirected to a phishing site designed to steal credentials or other sensitive information.


Older, legacy email security tools struggle to accurately identify this email as an attack because it uses legitimate links, has no attachments, and includes impersonated contact information. Modern, AI-powered email security solutions flag that the sender is using a spoofed address, detect links leading to suspicious domains, and recognize that the sender’s domain does not match any of the domains linked within the message, correctly identifying this email as an attack.

To defend against these types of attacks, employees should avoid clicking on links in unsolicited account notices and instead log into PayPal directly through its official website. Security awareness training and the deployment of advanced email threat detection tools remain critical for preventing credential theft and impersonation attacks.


Phishing attempt disguised as a fake PayPal security notification

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate Links Included: The email includes links associated with recognizable domains, which can pass through basic link verification checks because of their legitimate structure.
  • Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
  • Legitimate-Looking Contact Information: The email includes contact numbers, giving the appearance of legitimacy that can bypass heuristic filtering.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Spoofed Sender Detection: Abnormal detects and flags discrepancies between the displayed sender information and the actual sender details to identify spoofing attempts.
  • Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
  • Unusual Sending Behavior: The sender domain does not match any of the domains found in the body links, raising suspicion.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
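The three indicators listed above (spoofed or lookalike sender, suspicious body links, and a sender domain that matches none of the linked domains) checked over a constructed sample message. This is an added example and not Abnormal's code; the one-entry brand list, the edit-distance threshold, the two-label domain reduction and the sample message are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Legitimate domain of the impersonated brand (assumption: a one-entry brand list).
BRAND_DOMAINS = {"paypal.com"}
# Constructed sample modelled on the notice described above; not the real message.
SAMPLE_EMAIL = """From: PayPal Service <services@pyapal.com>
To: victim@example.com
Subject: Security notice: update your account within 24 hours

Our records show inaccurate or unverified data on your account.
Review and update your information here: https://secure-verify.example.net/update
"""

def registrable(host):
    """Reduce a hostname to its last two labels (crude stand-in for a public-suffix lookup)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance; the y/a swap in pyapal vs paypal costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze(raw):
    """Return the indicators found in one RFC 822 message as a sorted list of tags."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.rpartition("@")[2])
    urls = re.findall(r"https?://[^\s<>\"']+", msg.get_payload())
    link_domains = {registrable(urlparse(u).hostname or "") for u in urls}
    findings = set()
    for brand in BRAND_DOMAINS:
        # Sender domain is near, but not equal to, the brand domain: a lookalike.
        if sender_domain != brand and edit_distance(sender_domain, brand) <= 2:
            findings.add("lookalike_sender_domain")
        # Display name claims the brand while the address does not belong to it.
        if brand.split(".")[0] in display.lower() and sender_domain != brand:
            findings.add("display_name_brand_mismatch")
    # Third indicator from the page: no body link shares the sender's domain.
    if link_domains and sender_domain not in link_domains:
        findings.add("sender_link_domain_mismatch")
    return sorted(findings)
```

Running `analyze(SAMPLE_EMAIL)` raises all three tags; a message from `service@paypal.com` whose only link points to `paypal.com` raises none.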

Analysis Overview

Type: Credential Phishing
Vector: Link-based
Goal: Credential Theft
Tactic: Spoofed Email Address; Spoofed Display Name; Masked Phishing Link
Theme: Account Verification; Account Update
Impersonated Party: Brand
Impersonated Brands: PayPal
