PayPal Phishing — Using Real Accounts

PayPal is a favorite target for phishing scams. Some cyberthieves try to get at your account; others hope to get your money into theirs. PayPal warns its users about these tricks and gives instructions for forwarding suspicious email.

The traditional phishing attack follows a standard pattern. An email tells you that your account has been compromised, that someone is sending you money, or that you can get a special deal, and it urges you to click a link. It takes you to a bogus site that will grab your login credentials.

One of the earliest phishing schemes targeted PayPal users back in 2000. A Russian criminal set up the site, with a capital “I” (as in “India”) in place of the lowercase “l” (as in “Lincoln”). In some fonts the two characters are almost impossible to tell apart, and the fake site looked just like PayPal’s.

As people catch on to old scams, new ones arise. Some of them use authentic PayPal accounts. Some are throwaway accounts, which the holders use to grab money till they’re terminated. Some might be legitimate accounts that crooks have hijacked.

Proofpoint has discovered a scam that uses email sent from real PayPal accounts. It gets you two ways. First, it asks you for money; second, it gives you a link to a malicious website. That site tries to download a JavaScript file which, if you run it, downloads a Trojan called Chthonic, malware that usually goes after banking institutions.

Since the mail comes from PayPal, spam filters aren’t likely to block it. This scam doesn’t seem to have hit a lot of people, but it shows that even if your mail comes from, you can’t always trust it. Anyone with a PayPal account can ask you for money.

Another trick connects you to the real PayPal site, but the email sets up a JavaScript filter so that the phisher snags your credentials when you log in. You see in the browser’s address bar, and the connection is a secure one, so everything seems OK — but the scammer is grabbing your information before it’s encrypted and sent over the internet.

Emails with overblown threats and bad writing are generally fake. One of them warns: “It is indispensable to perform an audit of your data is present, otherwise your Account will be destroyed. … We requests verification whenever an email address is selected as an Account PayPal.” “We requests?” Gollum must have taken up phishing.

If you get a dubious email relating to PayPal, log in directly to your account instead of following the link in the email. If there’s no notification about the issue, the mail is probably fake. If the email is generic and doesn’t name you or your business, that’s another reason for suspicion.

If you get .JS or .EXE files in your email, never open them unless you’re expecting them and are sure of the sender. Make certain that your system settings let you see file extensions. File names may be prettier when they don’t have a .DOC or .PDF at the end, but hiding that information leaves your business vulnerable to attacks. Be triply cautious with anything related to PayPal or other financial institutions.
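The tells described above (a sender domain that imitates paypal.com with a lookalike character, a greeting that doesn't name you, and an executable attachment hiding behind a .PDF or .DOC in its name) can be checked mechanically before anyone opens the mail. The script below is an added example written for this post, not code from the original article, Proofpoint, or PayPal; the sample messages are constructed, and the confusable-character table and extension lists are assumptions chosen to illustrate the checks, not an exhaustive list.

```python
"""Mail triage helper (added example, not from the original post).

Flags three phishing tells discussed in the article:
  1. a sender domain that looks like paypal.com only because of lookalike
     characters (capital I for lowercase l, 1 for l, 0 for o, rn for m);
  2. a generic greeting that does not name the recipient;
  3. an executable attachment, including one disguised with a double
     extension such as Invoice.pdf.js.
"""
import re
import unicodedata
from typing import Dict, List, Optional

# Single characters that render almost identically in many fonts.
# The capital I / lowercase l pair is the one used in the 2000 PayPal scam.
# (Assumed, illustrative table; real confusable lists are much longer.)
CONFUSABLES = {"I": "l", "1": "l", "|": "l", "0": "o"}

# Attachment types a business mailbox should never open unexpectedly
# (assumed list based on the .JS / .EXE advice above).
DANGEROUS_EXTENSIONS = {".js", ".jse", ".exe", ".scr", ".vbs", ".wsf", ".hta", ".cmd", ".bat"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}

GENERIC_GREETING = re.compile(
    r"^(dear|hello|hi)\s+(valued\s+)?(customer|user|member|client)\b", re.IGNORECASE
)


def normalize_domain(domain: str) -> str:
    """Fold Unicode and lookalike ASCII characters to one canonical spelling."""
    d = unicodedata.normalize("NFKC", domain).strip().rstrip(".")
    d = d.replace("rn", "m")  # two letters that read as one 'm' in narrow fonts
    # Map confusables before lowercasing, so a capital I becomes 'l', not 'i'.
    return "".join(CONFUSABLES.get(ch, ch.lower()) for ch in d)


def is_lookalike(domain: str, trusted: str = "paypal.com") -> bool:
    """True when the domain is not the trusted one but folds to the same string."""
    return domain.lower() != trusted.lower() and normalize_domain(domain) == normalize_domain(trusted)


def attachment_risk(filename: str) -> Optional[str]:
    """Return a reason to quarantine the attachment, or None if it looks benign."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    real_ext = "." + parts[-1]
    if real_ext not in DANGEROUS_EXTENSIONS:
        return None
    # With extensions hidden, 'Invoice.pdf.js' is shown to the user as 'Invoice.pdf'.
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
        return f"double extension: shows as .{parts[-2]} but is really {real_ext}"
    return f"executable attachment {real_ext}"


def triage(message: Dict[str, object]) -> List[str]:
    """Run all three checks over one message and return the findings."""
    findings: List[str] = []
    sender = str(message["from"])
    domain = sender.rsplit("@", 1)[-1]
    if is_lookalike(domain):
        findings.append(f"sender domain {domain!r} imitates paypal.com")
    if GENERIC_GREETING.match(str(message["body"]).strip()):
        findings.append("generic greeting does not name the recipient")
    for name in message.get("attachments", []):  # type: ignore[union-attr]
        reason = attachment_risk(str(name))
        if reason:
            findings.append(f"attachment {name!r}: {reason}")
    return findings


# Constructed sample messages for demonstration.
SAMPLE_MESSAGES = [
    {
        "from": "service@PayPaI.com",  # capital I, not lowercase l
        "body": "Dear Customer, it is indispensable to perform an audit of your data ...",
        "attachments": ["Invoice.pdf.js"],
    },
    {
        "from": "service@paypal.com",  # genuine domain; a money request can still be a scam
        "body": "Hello Jane Doe, you have received a payment request.",
        "attachments": [],
    },
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", triage(msg) or ["no automatic findings"])
```

The second sample message yields no findings on purpose: it comes from the real paypal.com, has a personal greeting, and carries no attachment, which is exactly the case the article warns about. Automated checks catch the crude scams; a money request from a genuine account still has to be judged by a person who logs in directly rather than following the link.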

Centerpoint IT is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks and news. Contact us at (404) 781-0200 or send us an email at for more information.