Researchers at SophosLabs have warned of a new phishing email that pretends to come from PayPal and tries to trick users into calling a particular phone number and then disclosing their credit card information.
The email, which claims to originate from PayPal, says that the recipient’s account has been the subject of fraudulent activity. However, unlike normal phishing emails, it contains no internet link or response address. Instead, the email urges the recipient to call a phone number and verify their details. When they dial it, callers are greeted by an automated voice saying:
“Welcome to account verification. Please type your 16 digit card number.”
Once the credit card details are entered, the scammer is free to steal the information for their own gain. If incorrect card details are entered, the caller is asked to re-enter them, which makes the fraudulent telephone number, which is still live, appear more legitimate.
Graham Cluley, senior technology consultant at Sophos, said, “Users that type in their card information may think they’re verifying their PayPal account, but in actual fact, they’re handing their details over to cyber criminals on a plate. Though it’s an American telephone number, the fact that PayPal is used globally means that anyone could potentially be tricked into making the call.”
“The normal way of spoofing is becoming less successful, and fraudsters are always having to look for new ways to do it,” said Sara Bettencourt, spokeswoman for PayPal.
Ron O’Brien, senior security analyst at Sophos, an Internet security company based in Lynnfield, Mass., said, “When you introduce a second element of communication – that being the telephone – it makes it appear to be a more credible effort to confirm or verify information.”
“This scam attempt underlines a real problem for online companies in how they communicate with their customers. Many users are beginning to learn to not click on links in unsolicited emails, and only visit the legitimate websites run by their favourite brands, but how many would know whether a phone number for their website is genuine or not?” maintained Cluley. “As hackers get smarter we are likely to see them increasingly not only set up fake websites, but ‘harvest’ messages from corporate switchboard systems to appear even more like the legitimate company.”