PayPal Smishing Attack

A PayPal text message phishing campaign was discovered that attempts to steal your account credentials and other sensitive information. This form of phishing attack, through text messages, is called Smishing.  Hackers send malicious texts or SMS messages tricking someone into giving them sensitive information. Smishing can be more effective than phishing because people are more trusting of text messages than emails. A campaign monitor study showed 98% of text messages are responded to within 90 seconds whereas only 20% of emails are responded to within 90 minutes. Most people are concerned and aware of the dangers of links in emails but may not be as aware of the dangers involved with links in text messages.

The Attack

When PayPal suspects fraudulent activity on your account, they set your account status to ‘limited’, temporarily restricting transactions. A new smishing campaign pretends to be from PayPal, stating that your account has been permanently ‘limited’ unless you verify your account by clicking on a link received in a text message and entering sensitive information. Clicking on the embedded link will bring you to a phishing page that prompts you to log in to your PayPal account, as shown below.

If you enter your credentials on the fake web page, the data will be recorded and sent directly to the hackers. The smishing attack goes a step further as it tries to collect additional details from users including your name, date of birth, address, bank details, and other personal information. The data that’s collected by these hackers in attacks like these can be used against you in the form of Identity Theft, potentially resulting in significant financial loss. 

What Should You Do?

First, if you received an attack like this and accidentally logged into your PayPal account or provided other information, you don’t need to worry because you have two-factor authentication enabled right?  If you aren’t yet using 2FA, then go change your password and enable 2FA on your account.

The password or passphrase you choose should be 14+ characters long, unique to each site, and stored for use in a password manager. If you haven’t received attacks like this it’s critical you are aware of these threats and avoid them.

In general, you don’t want to reply to text messages from people you don’t know. That’s the best way to remain safe. This is especially true when the text comes from a phone number that doesn’t look like a phone number, such as “5000”, or “452-981” number. This is a sign that the text message is actually just an email sent to a phone. You should exercise the following precautions when reading SMS text messages on your phone:

• Don’t click on links you get on your phone unless you know the person they’re coming from. Even if you get a text message with a link from a friend, consider verifying they meant to send the link before clicking on it.
• One of the easiest protections to block these attacks outright, even if you accidentally give your credentials to a hacker, is to enable two-factor authentication on your PayPal and any other critical or financial accounts.
• Never install apps from text messages. Any apps you install on your device should come straight from the official app store. These programs have vigorous testing procedures to go through before they’re allowed in the marketplace. If you have any doubts about the safety of a text message, don’t even open it.
• If you receive a text message mentioning you should update settings or unsubscribe to a service that you haven’t signed up for, ignore the message. If you see any unauthorized charges on your credit card or debit card statement, take it up with your bank or credit card. They’ll be on your side.

Almost all of the text messages you get are going to be totally fine. But it only takes one bad one to compromise your data and security. With just a little bit of common sense and caution, you can make sure that you don’t become a victim of smishing.

Further Cybersecurity Recommendations

Not only should you follow the previous Smishing security recommendations, there are other ways.  CyberHoot recommends to help stay secure in your day to day lives online: 

• Train employees on cybersecurity basics, helping them become more aware of the threats they face when interacting online. (Phishing, Smishing, Social Engineering)
• Periodically Phish Test Employees (at least annually, but preferably quarterly or monthly)
• Be wary of public, unsecured WiFi (use a VPN if dealing with sensitive information)
• Guide employees with cybersecurity policies, following NIST Guidelines (WISP, Acceptable Use, Password Policy, etc.) 
• Employ a Password Manager, require it in your Password Policy, demand strong password hygiene in your employees and business 
• Enable Two-Factor Authentication wherever possible and especially on all Internet-facing services you use (O365, Salesforce, Finance apps. etc.)
• Work with your IT staff or third-party vendors to ensure your critical data is being encrypted at rest and in transit (ensure keys are strong and passwords long)
• Regularly back up critical data following the 3-2-1 methodology
• Use the principle of least privilege 
• Patch your systems regularly and triage critical vulnerabilities using a repeatable process with established timelines based upon threat levels
• Stay current with the always-changing cyber threats
• Consider hiring a virtual Chief Information Security Officer (vCISO)

To learn more about Smishing, watch this short 3 minute video:

Source: BleepingComputer, Smishing – CyberHoot Term

Additional Reading: Smishing, The New Phishing