#Privacy: New PayPal phishing scam attempts to steal a spectrum of personal data

Security researchers have uncovered a new phishing campaign that aims to steal as much personal data as possible. 

The campaign starts with a phishing email informing the victim that their PayPal account has been locked due to their account being logged into from an unrecognised browser or device. 

In order to verify their identity, victims are urged to click on the button “Secure and update my account now!” Upon clicking the button, victims are redirected to a phishing page which looks like the genuine PayPal login screen.

After logging in, a form is displayed asking for a vast amount of personal data including their full name, phone number, full credit card details including their CSC security number.

In addition, the victim is asked to upload their ID, Social Security number (SSN) or passport, in order to authenticate their identity. There is no confirmation after any uploads, thus victims may end up uploading more documents thinking that their previous attempts were invalid. 

Whilst the initial email sender displays the name “Support,” when looking at the email address, it is clear that it is not legitimate. 

Jan Kopriva, with the Computer Security Incident Response team at ALEF NULA, stated that despite reporting the phishing to PayPal, the malicious domains are still up and running. 

“Over the years, phishing authors seem to have learned that once they hook a phish, they should try to get all the information they can from them. This is the reason why many current campaigns don’t stop after getting the usual credit card information, but go further,” said Kopiva. 


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/