PayPal users are being targeted by a phishing scam that goes beyond just trying to steal a user’s login credentials—it also asks the victims to take a selfie while holding credit cards and form of identification.
The attack, discovered by security research firm PhishMe, mark an evolution in the typical phishing attack—of which PayPal is a common target—by extending the attempt at data theft beyond just a username and password.
Like most phishing scams, the attempt begins with an email that appears to come from PayPal. It bears the company’s logo and details like the company’s address, but contains some telltale signs that the message is fraudulent—including a number of spelling and grammatical errors.
The message received reads as follows:
Our technical support and customer department has recently suspected activities in your account.
Therefore we have decided to temporarly suspend your account until investigating your recent activiies. Such things can happen if you clicked a suspecious link on social media or gave your password to someone else
We’re always concerned about our customers security so please help us recover your account by following the link below.
At the bottom of the message is a button that says “Let’s Get Going.” Clicking on it will deliver the user to a fake PayPal login screen, which has been designed to appear legitimate but has a domain name that is unrelated to PayPal in any way.
The login page will take the user’s credentials once entered, but the phishing scam doesn’t stop there. Another PayPal-branded page follows the login screen, this time asking the user to verify their account by entering their name, billing address and credit card number.
Once the user surrenders that information, they are directed to another supposed verification step that requires the user snap a selfie to confirm their identity.
The directions on the page tell the victim to hold their identification and credit card while taking the picture. The page includes sample photos that show a correct and incorrect way to take the selfie, with the correct way making sure the details of both the ID and the credit card are clearly visible in the photo.
After the user uploads the photo, they are redirected to the official PayPal login screen, where they can enter their username and password again and successfully login, making it seem as though the process they just completed was legitimate.
PhishMe’s security researchers recommended users to be vigilant when opening and interacting with emails that contain suspicious links or attachments—especially those that ask to validate information. Users are also advised to go directly to a website rather than follow an email link.
It’s also worth setting up two-step verification on PayPal, which will require an additional login code be entered before allowing a person to access an account. It won’t prevent the theft of credit cards or other personal information but will add a layer of protection in case a user’s password is compromised.