In a recently discovered phishing campaign, cybercriminals pose as PayPal (opens in a new tab) while trying to scare victims into divulging sensitive information.
Cybersecurity researchers at email security firm Avanan recently spotted a new campaign that has been relatively successful so far as it contains no links.
Phishing usually works by redirecting people to malicious websites through links shared in an email. In this campaign, however, there are no links present in the emails, rendering most email security solutions useless.
Two possible scenarios
It starts the same way as all other campaigns: the victim will receive an email, claiming to be from PayPal, saying that they bought €500 worth of Dogecoin, and if they want to cancel the order, they need to call the number provided below.
Although we don't know what would happen if a victim called this number, there are two possibilities. Attackers try to persuade victims to divulge sensitive information (for example, PayPal login details or credit card information) or “cancel” the pending Dogecoin order and go about their day.
In the latter scenario, the attackers walk away with the victim's phone number, which can then be used to mount a more serious attack.
"A single successful attack can result in dozens more," the researchers said.
Investigators found that the phone number in the email is in Hawaii, but it is most likely just a routing number and the real people in the threat are located somewhere else.
Big companies like PayPal or Microsoft are often duped by threat actors trying to scam people. To stay safe, it's important to always double-check the sender's email address, make sure the email doesn't contain suspicious typos or spelling errors, and don't click on any links or download attachments.
The attachments are most likely viruses (opens in a new tab) or other forms of malware (opens in a new tab).
Most of the big companies have instant messaging customer support as well as social media accounts, which can be used to check if they actually sent the email or not.
Via: Tom's Guide (Opens in a new tab)