A PayPal text message phishing campaign has been discovered that attempts to steal your account credentials and other sensitive information. This form of phishing attack, carried out through text messages, is called smishing. Hackers send malicious texts or SMS messages that trick someone into giving them sensitive information. Smishing can be more effective than phishing because people are more trusting of text messages than emails. A Campaign Monitor study showed 98% of text messages are responded to within 90 seconds, whereas only 20% of emails are responded to within 90 minutes. Most people are concerned about and aware of the dangers of links in emails but may not be as aware of the dangers of links in text messages.
When PayPal suspects fraudulent activity on your account, they set your account status to ‘limited’, temporarily restricting transactions. A new smishing campaign pretends to be from PayPal, stating that your account has been permanently ‘limited’ unless you verify it by clicking on a link received in a text message and entering sensitive information. Clicking on the embedded link will bring you to a phishing page that prompts you to log in to your PayPal account.
If you enter your credentials on the fake web page, the data will be recorded and sent directly to the hackers. The smishing attack goes a step further and tries to collect additional details, including your name, date of birth, address, bank details, and other personal information. The data collected by hackers in attacks like these can be used against you in the form of identity theft, potentially resulting in significant financial loss.
First, if you received an attack like this and accidentally logged into your PayPal account or provided other information, you don’t need to worry because you have two-factor authentication enabled, right? If you aren’t yet using 2FA, then go change your password and enable 2FA on your account.
The password or passphrase you choose should be 14+ characters long, unique to each site, and stored for use in a password manager. If you haven’t received attacks like this, it’s critical that you are aware of these threats and avoid them.
In general, you don’t want to reply to text messages from people you don’t know. That’s the best way to remain safe. This is especially true when the text comes from a number that doesn’t look like a phone number, such as “5000” or “452-981”. This is a sign that the text message is actually just an email sent to a phone. You should exercise the following precautions when reading SMS text messages on your phone:
Almost all of the text messages you get are going to be totally fine. But it only takes one bad one to compromise your data and security. With just a little bit of common sense and caution, you can make sure that you don’t become a victim of smishing.
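The warning signs described above, a sender that is not a full phone number and a PayPal-themed message whose link does not lead to PayPal's own site, can also be checked automatically, for example in a message filter. The following Python is an added example, not code from the original article; the host allow-list, the keyword list and the sample messages are constructed assumptions, and only links that start with http:// or https:// are examined.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts each brand really uses (illustrative, not a complete list).
BRAND_HOSTS = {"paypal": ("paypal.com", "paypal.me")}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
PRESSURE_RE = re.compile(r"\b(limited|suspended|restricted|locked|verify)\b", re.I)

def sender_looks_like_phone(sender):
    """A full phone number has 10-15 digits; '5000' or '452-981' does not."""
    return 10 <= len(re.sub(r"\D", "", sender)) <= 15

def link_host(url):
    """Host the link really goes to; urlsplit drops any 'user@' prefix."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:  # malformed URL, e.g. an unclosed '['
        return ""

def host_belongs_to(host, allowed):
    """True only for an allowed host or one of its subdomains."""
    return any(host == h or host.endswith("." + h) for h in allowed)

def triage(sender, body):
    """Return the warning signs found in one SMS; an empty list means none."""
    findings = []
    if not sender_looks_like_phone(sender):
        findings.append("sender-not-a-phone-number")
    urls = [u.rstrip(".,!?)") for u in URL_RE.findall(body)]
    for brand, hosts in BRAND_HOSTS.items():
        if brand not in body.lower():
            continue
        for host in map(link_host, urls):
            if not host_belongs_to(host, hosts):
                findings.append(f"link-not-{brand}:{host}")
    if urls and PRESSURE_RE.search(body):
        findings.append("account-pressure-with-link")
    return findings

# Constructed sample messages (not real traffic); .example hosts are placeholders.
SAMPLES = [
    ("5000", "PayPal: account permanently limited. Verify: https://paypal.com.verify-id.example/login"),
    ("+1 402-555-0100", "PayPal: verify at https://paypal.com@login-check.example/"),
    ("+1 402-555-0100", "PayPal: payment received. https://www.paypal.com/activity"),
]
if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", triage(sender, body) or "no warning signs found")
```

Legitimate services also send from short codes, so the sender check is one signal to weigh alongside the link check, not a verdict on its own.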
In addition to the smishing security recommendations above, CyberHoot recommends the following to help you stay secure in your day-to-day life online:
Source: BleepingComputer, Smishing – CyberHoot Term
Additional Reading: Smishing, The New Phishing