Not open for further replies.


Community Manager
Staff member
Cybercriminals have started a campaign to harvest PayPal credentials and are delivering scammy emails to users, claiming that a payment to Apple Store Australia has been made from their account.

Anyone with an active PayPal account has received at least one fraudulent message claiming to come from the service and leading to fake log-in pages. Most of them are extremely easy to spot.
Fake email could fool most users
This time around, though, the crooks have turned on their social engineering skills to the max and devised an email that could be taken as an official communication by many users.

For someone who does not rely too much on PayPal for financial transactions, this message could make them think that a third party gained access to the funds and used them to buy goods. Alternatively, they may believe that the order was recorded to their account by mistake.

The subject line reads “Receipt for your payment to Apple Store Australia” and the body of the email consists of a fake invoice allegedly issued by Apple for purchasing a product for AUD 158 / EUR 108 / USD 136.

At the end of the digital invoice an option is offered to dispute the transaction, via a provided link, and stop the money from being delivered to Apple.

This is the classic layout for a phishing scam: trick the user into believing that something has gone wrong and make available the possibility to revert the situation.

In this case, apart from a genuine-looking invoice and original graphic objects from PayPal, the cybercriminals also provide an essential detail about the link for disputing the transaction: it is encrypted. Of course, saying so does not make it true.
Extra data is requested to steal PayPal accounts
By accessing the given link, the user lands on a fraudulent page that asks for the PayPal account log in credentials, where the option to cancel the order is offered. According to Hoax Slayer, a second page launches after hitting the button to stop the transaction; this one asks for details that allegedly verify the identity of the account owner.

Everything entered in the fields is automatically sent to the crooks. Unless two-factor authentication (2FA) is enabled, the email and password are sufficient for logging into the account.

However, cybercriminals know that some users may have this fraud defense turned on; the additional information required can also be used to bypass the security checks set up by PayPal to prevent unauthorized log-in, giving cybercriminals unfettered access to the account.

One clue of an email scam is the fact that the user is not addressed by name. In notifications to customers, PayPal always address them by the given first and last name.
Not open for further replies.