Login
PayPal recently notified thousands of its customers that their accounts were breached by hackers, leaving their Social Security Numbers and other key pieces of personal information exposed as a result.
Sources report, that the attack involved “credential stuffing,” where hackers gather lists of usernames and passwords sourced from the dark web or from data breaches—and then “stuff” those credentials into login systems, giving them access to those accounts.
This form of attack is particularly dangerous for people who re-use passwords across their accounts, as hackers can steal a password from one account and use it to access others.
It is reported that PayPal notified users affected by this attack on January 18th with an email since made available online. The email states that,
“Based on PayPal’s investigation to date, we believe that this unauthorized activity occurred between December 6, 2022, and December 8, 2022, when we eliminated access for unauthorized third parties. During this time, the unauthorized third parties were able to view, and potentially acquire, some personal information for certain PayPal users.”
PayPal further detailed the information exposed (emphasis ours):
The personal information that was exposed could have included your name, address, Social Security number, individual tax identification number, and/or date of birth.
The email went on to say that PayPal reset the passwords of the affected accounts and will require affected users to establish a new password the next time they log in to their accounts.
It takes time for companies to discover breaches and other illegal activities on their networks. The activity may have occurred days, weeks, or even months before it was discovered. Thereafter, it takes yet more time for companies to investigate the attack, determine the method of entry, what was affected, and to what extent—not to mention update their security measures as needed.
In the case of PayPal, the company stated that the attacks occurred between December 6th and 8th of 2022, and the notification sent to affected customers was dated January 18th.
This is typical of such attacks. Time passes before victims get notified. And yet more victims may be identified as investigations continue, leaving hackers with a relatively large window of opportunity to do harm.
Given the nature of the PayPal attack, there are a few steps you can take to protect yourself in its aftermath, which involves a combination of preventative steps and some monitoring on your part.
Given that passwords were involved, changing your PayPal password is a must. (As stated, PayPal will require you to do so.) And if you re-use passwords or similar passwords across accounts, changing them is a must as well.
Strong and unique passwords are best, which means never reusing your passwords across different sites and platforms. Using a password manager will help you keep on top of it all, while also storing your passwords securely. Moreover, changing your passwords regularly may make a stolen password worthless because it’s out of date by the time a hacker attempts to use it.
While a strong and unique password is a good first line of defense, enabling two-factor authentication across your accounts will help your cause by providing an added layer of security. It’s increasingly common to see nowadays, where banks and all manner of online services will only allow access to your accounts after you’ve provided a one-time passcode sent to your email or smartphone.
PayPal offers two-factor authentication as an option, and you can enable it by logging into your account settings and then clicking on the “Security” tab.
Per PayPal’s customer email, contact their customer service for assistance if you spot any unusual activity on your account.
If you spot unusual or unfamiliar transactions on your bank or credit card statements, follow up immediately. That could indicate improper use. In general, banks, credit card companies, and many businesses have countermeasures to deal with fraud, along with customer support teams that can help you file a claim if needed.
Given number the accounts you might have, a credit monitoring service can help. McAfee’s credit monitoring service can help you keep an eye on changes to your credit score, report, and accounts with timely notifications and provide guidance so you can take action to tackle identity theft.
With some personal information in hand, bad actors may seek out more. They may follow up a high-profile attack with rounds of phishing attacks that direct you to bogus sites designed to steal your personal information—either by tricking you into providing it or by stealing it without your knowledge. So as it’s always wise to keep a skeptical eye open for unsolicited messages that ask you for information in some form or other, often in ways that urge or pressure you into acting.
If you are contacted by PayPal, make certain the communication is legitimate. Bad actors may pose as PayPal to steal personal information. Do not click on links sent in emails, texts, or messages. Instead, go straight to the PayPal website or contact them by phone directly.
An identity monitoring service can monitor everything from email addresses to IDs and phone numbers for signs of breaches so you can take action to secure your accounts before they’re used for identity theft. Personal information harvested from data breaches can end up on dark web marketplaces where it’s bought by other bad actors so they can launch their own attacks. McAfee’s monitors the dark web for your personal info and provides early alerts if your data is found on there, an average of 10 months ahead of similar services. We also provide guidance to help you act if your information is found.
When personal information gets released, there’s a chance that a hacker, scammer, or thief will put it to use. This may include committing fraud, where they draw funds from existing accounts, and theft, where they create new accounts in a victim’s name.
Another step that customers can take is to place a credit freeze on their credit reports with the major credit agencies. This will help prevent bad actors from opening new lines of credit or take out loans in a victim’s name by “freezing” their credit report so that potential creditors cannot pull it for reference.
McAfee+ plans give you guidance on how to place a full security freeze, stopping lenders and other companies from seeing your credit file. This halts the application process for loans, credit cards, utilities, new bank accounts, and more. A security freeze won’t affect your credit score.
A complete suite of online protection software can offer layers of extra security. In addition to more private and secure time online with a VPN, identity monitoring, and password management, it includes web browser protection that can block malicious and suspicious links that could lead you down the road to malware or a phishing scam—which antivirus protection can’t do alone.
Additionally, we offer $1 million in identity theft coverage and restoration support from a licensed recovery pro who can help you repair your identity and credit if you find yourself a victim.
Your Social Security or tax ID number is one of the most precious pieces of personal information you have. With them, an identity thief can open new accounts or lines of credit in your name, not to mention gain employment, claim insurance benefits, or even commit crimes in your name.
PayPal stated that victims may have had Social Security or tax ID number exposed. If you believe this occurred to you, file a report with the Federal Trade Commission (FTC), which handles such cases. From there, they will provide you with a set of next steps.
Not all data breaches make the news. Businesses and organizations, large and small, have all fallen victim to them, and with regularity. The measures you can take here are measures you can take even if you don’t believe you were caught up in the PayPal breach.
Data breaches typically make the news when it affects a large company and generally only after they discover and release word of it. This means you might not hear about a breach until weeks or even months after your stolen info has been in circulation on the dark web. The measures you can take here can mitigate the damage of such attacks, even if you don’t think you were caught up in a specific breach.
However, you have every reason to act now rather than wait for additional news. Staying on top of our credit and identity has always been important, but given all the devices, apps, and accounts we keep these days leaves us more exposed than ever, making protecting ourselves a must.
The post The PayPal Breach – Who Was Affected and How You Can Protect Yourself appeared first on McAfee Blog.
Payment applications make splitting restaurant bills, taxi fares, and household expenses so much easier. Without having to tally totals at the table or fumble with crumpled bills, you and your companions can spend less stress and more time on the fun at hand.
There are various payment apps available, and the company that may first come to mind is PayPal. PayPal is regarded as a safe platform where security and strong encryption are a priority; however, a recent and advanced phishing scam is putting PayPal users at risk of giving up large sums of money and their personally identifiable information (PII).1
Let’s look at this “triple-pronged” PayPal phishing scam and review some tips to help you identify and proceed should you encounter it.
The typical part of this three-sided scam is the phishing email component. According to one source, the phishing email comes from a legitimate-looking PayPal service email address. Luckily, the typos, odd punctuation, extra spaces, and grammar errors in the body of the email give away that it is a phishing attempt. Remember, phishing emails are often worded poorly or have errors. Large companies, especially ones like PayPal, have teams of content experts vetting all automated messages for such mistakes, so several mistakes in an email should set off your alarm bells. Proceed with caution and do not click on any links in the message.
The email also included wording that encouraged the user to act quickly or be charged a lot of money. That’s another trademark of phishing emails: urgency. Take a deep breath and make sure to reread carefully all emails that “require” a quick response. Don’t be scared by dire consequences. Phishers rely on people to rush and not give themselves time to listen to their better judgement.
The PayPal phishing email included a support phone number that claimed it was toll free. In actuality, it was an international phone number. So, if the recipient of the phishing email didn’t quite believe the message but wanted to follow up, the scam could catch them with what’s called a one-ring phone scam.2 This occurs when someone unknowingly calls an international phone number and then gets charged by their phone company for the long-distance call.
The best way to avoid one-ring phone scams is to never call a number you don’t recognize. Always go to an organization’s official website to find their contact information.
The third dimension of this PayPal scam was the international phone number in the phishing email connected the caller directly with the scammer who posed as the PayPal fraud department. The “customer service representative” then asked prying personal and financial questions to glean enough PII to break into a PayPal account or compromise the caller’s identity. This is the most damaging part of the scam. An excellent customer support team may be able to reimburse you your lost money; however, once your personal details are in nefarious hands, you can’t take them back.
In addition to never calling numbers you haven’t verified, never give out passwords and never give out more personal information than you need to. Even in legitimate customer service calls, it’s not rude to ask why the representative requires the information they’re asking for. In a fake call, questions like that may fluster the scammer, so keep an ear tuned to their tone.
Overall, our best advice for handling suspicious emails is to delete them. If it’s truly important, the sender will contact you again. And if a thief somehow stole money from one of your payment apps, the customer service team should be able to walk you through the steps to recover it.
The transfer and handling of large sums of money would make anyone nervous. To give you peace of mind, consider partnering with a service that can help you recover should you ever fall for a scheme and compromise your PII. McAfee+ Ultimate helps you live your best life in private, and the service includes credit monitoring with all three credit bureaus, security freeze, and expert online support to help you navigate any scams you encounter.
Having McAfee+ can protect you from email phishing scams like this. Here are some of the top agencies to report this scam to, if it happens to you: Paypal Fraud Department, Federal Trade Commision , Cybersecurity & Infrastructure Security Agency USA.gov IC3
“Report it. Forward phishing emails to reportphishing@apwg.org (an address used by the Anti-Phishing Working Group, which includes ISPs, security vendors, financial institutions, and law enforcement agencies). Let the company or person that was impersonated know about the phishing scheme.” – FTC.gov
1ZDNET, “Watch out for this triple-pronged PayPal phishing and fraud scam.”
2Federal Communications Commission, “‘One Ring’ Phone Scam.”
The post A PayPal Email Scam Is Making the Rounds: Here’s How to Identify and Avoid It appeared first on McAfee Blog.
Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives — which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction — state that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.
KrebsOnSecurity recently heard from a reader who received an email from paypal.com that he immediately suspected was phony. The message’s subject read, “Billing Department of PayPal updated your invoice.”
A copy of the phishing message included in the PayPal.com invoice.
While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to paypal.com. Hovering over the “View and Pay Invoice” button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com.
Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.
Both the email and the invoice state that “there is evidence that your PayPal account has been accessed unlawfully.” The message continues:
“$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number….”
Here’s the invoice that popped up when the “View and Pay Invoice” button was clicked:
The phony PayPal invoice, which was sent and hosted by PayPal.com.
The reader who shared this phishing email said he logged into his PayPal account and could find no signs of the invoice in question. A call to the toll-free number listed in the invoice was received by a man who answered the phone as generic “customer service,” instead of trying to spoof PayPal or Walmart. Very quickly into the conversation he suggested visiting a site called globalquicksupport[.]com to download a remote administration tool. It was clear then where the rest of this call was going.
I can see this scam tricking a great many people, especially since both the email and invoice are sent through PayPal’s systems — which practically guarantees that the message will be successfully delivered. The invoices appear to have been sent from a compromised or fraudulent PayPal Business account, which allows users to send invoices like the one shown above. Details of this scam were shared Wednesday with PayPal’s anti-abuse (phishing@paypal.com) and media relations teams.
PayPal said in a written statement that phishing attempts are common and can take many forms.
“We have a zero-tolerance policy on our platform for attempted fraudulent activity, and our teams work tirelessly to protect our customers,” PayPal said. “We are aware of this well-known phishing scam and have put additional controls in place to mitigate this specific incident. Nonetheless, we encourage customers to always be vigilant online and to contact Customer Service directly if they suspect they are a target of a scam.”
It’s remarkable how well today’s fraudsters have adapted to hijacking the very same tools that financial institutions have long used to make their customers feel safe transacting online. It’s no accident that one of the most prolific scams going right now — the Zelle Fraud Scam — starts with a text message about an unauthorized payment that appears to come from your bank. After all, financial institutions have spent years encouraging customers to sign up for mobile alerts via SMS about suspicious transactions, and to expect the occasional inbound call about possibly fraudulent transactions.
Also, today’s scammers are less interested in stealing your PayPal login than they are in phishing your entire computer and online life with remote administration software, which seems to be the whole point of so many scams these days. Because why rob just one online account when you can plunder them all?
The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.
FreshRSS 