
How to spot this new PayPal email scam

This isn’t just any scam. Here’s what to look out for.

Mikael Thalen


Y0ur P@ssw0rd S*cks is a bi-weekly column that answers the most pressing internet security questions web_crawlr readers have to make sure they can navigate the ‘net safely. If you want to get this column a day before we publish it, subscribe to web_crawlr, where you’ll get the daily scoop of internet culture delivered straight to your inbox.

Welcome again to Your Password Sucks, the Daily Dot newsletter that answers all your internet security-related questions.

Today, we’re here to warn you about a new phishing attack tricking people online into downloading malware.

But this isn’t just any scam.

The attackers are carrying it out with what appears to be PayPal’s official email address, making it highly convincing.

Here’s what to look out for.

New PayPal email scam

The scam starts with an email from service@paypal.com that claims a new mailing address has been added to your account, even though one hasn’t.

The email also claims that a purchase has been made for an expensive item, usually a MacBook, and that it will be sent to the updated mailing address, making it appear as if your account was hacked and used by someone else.

You will further be told in the email that if you “did not authorize this update,” you should immediately call PayPal at a toll-free number listed in the message.

Note: The vast majority of tech companies will never ask you to call them. Anytime an email asks you to, go directly to the company’s official website and contact its support team to report your suspicions.

If you call the number, a scammer will ask you to download software to fix the hack. While many savvy internet users might catch on at this point, others might not, especially given the legitimate-looking email address.

If you were to download the software from the fraudulent PayPal support, it would unleash malware on your computer that could steal everything from personal to financial information.

How does the scam work? 

So how exactly does this scam work? Or more specifically, how are they using what looks to be an official PayPal email address?

According to Bleeping Computer, it turns out you can add multiple home addresses to your PayPal account. The scammers were simply typing their message about a fraudulent purchase into the “Address 2” field on their own account, where you would normally add an apartment number, for example.

From there, they forward the legitimate message from PayPal about the new mailing address to a second email address that automatically sends anything it receives out to recipients on a giant mailing list. In other words, their targets.

Hopefully that makes sense! Most importantly, it shows that emails coming from a company’s official address could be deceptive.

If it feels funny, trust your instincts.
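
For readers who filter their own mail, here is a small Python check for the warning signs described above. It is an example added to this article, not code from PayPal or Bleeping Computer. It assumes that a notice relayed through a mailing list still shows the list address, not yours, in the To line; the sample message, addresses and phone number are made up.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample (not a real PayPal email); addresses, phone number and
# wording are placeholders modelled on the article's description.
SAMPLE = """\
From: service@paypal.com
To: relay-list@example.net
Subject: You added a new address

You added a new address to your account.
Address 2: Your MacBook purchase will ship to this address.
If you did not authorize this update, call PayPal at +1 (800) 555-0100.
"""

# North American toll-free prefixes (800, 833, 844, 855, 866, 877, 888).
PHONE = re.compile(
    r"\+?1?[\s.-]?\(?8(?:00|33|44|55|66|77|88)\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL = re.compile(r"\bcall\b", re.I)
LURE = re.compile(r"did not authorize", re.I)

def text_body(msg):
    """Join every text part so multipart messages are covered too."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(parts)

def scam_signals(raw, my_address):
    """Return the warning signs found in one raw email, in a fixed order."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers)}
    body = text_body(msg)
    signals = []
    # Assumption: a genuine account notice is addressed to the account owner.
    if sender == "service@paypal.com" and my_address.lower() not in recipients:
        signals.append("not-addressed-to-me")
    if CALL.search(body) and PHONE.search(body):
        signals.append("asks-to-call-number")
    if LURE.search(body):
        signals.append("unauthorized-update-lure")
    return signals
```

None of these signals proves fraud on its own; treat any hit as a reason to log in to PayPal directly instead of calling the number in the message.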
