What are some common ploys targeting PayPal users? Here’s what you should watch out for when using the popular payment service.
PayPal is one of the key players in the field of online payment providers, operating as a payment processor for popular online marketplaces, auction websites, as well as other commercial sellers. Popular brands such as Microsoft, Google Play, PlayStation Store, and Ikea are among the vendors that offer payment through the platform.
With 361 million active registered users, who make around 40 payment transactions per active account over a 12-month period, it’s also hugely popular. However, its users are also often targeted by various cybercriminals and scammers looking to make a quick buck.
The usual suspects
For one thing, the payment solution is consistently among the most-spoofed brands used in various phishing attacks. Fake websites impersonating PayPal are a hugely popular tactic utilized by cybercriminals. For example, the attackers send a spam email alerting the recipients to unusual activity on their (purported) account, urging them to quickly secure it. The email includes an embedded link that redirects the potential victim to a copycat PayPal website.
Besides trying to trick victims into parting with the access credentials to their accounts, the cybercriminals may also try to hoodwink their targets into revealing their full names, addresses, credit or debit card data, and even access credentials to the victim’s bank account as well as their email logins. Needless to say, this combination of information could lead to identity theft, bank fraud, fraudulent purchases or bank accounts wiped clean.
Phishing campaigns, however, are just the tip of the scam iceberg. Cybercriminals have been observed issuing fake invoices masquerading as various charities or relief efforts. But the fake invoices come with a twist: the notification a potential victim receives does come from PayPal and the invoice does appear in the target’s PayPal dashboard. Reportedly, the company has started addressing the problem and removed reported fraudulent invoices.
Then there are also other usual suspects, such as lottery or prize-winning scams and advance fee fraud. In the case of the lottery scam, victims are notified that they won something and in order to claim it they’ll have to pay some kind of transaction fee. However, since they didn’t take part in a lottery, they couldn’t possibly have won anything – the only person cashing in on a prize would be the crook.
Advance fee scams are similar, but instead of winning a prize, the victim is supposedly the beneficiary of the will of a long lost relative or a wealthy businessman seeking redemption. These types of scams are commonly known as the Nigerian Prince scam or 419 scams and involve the victim wiring money to cover made-up legal and tax charges, bribes and so on, so that they can receive their “inheritance”, which of course they won’t.
How can I protect myself?
There are a range of measures you can take to secure your PayPal account, but the simplest and most obvious to start with is never to perform any kind of activities on the app while you’re connected to a public Wi-Fi network or a network you don’t trust. Cybercriminals often use unsecured public networks to infiltrate devices and attack data in transit.
You also shouldn’t underestimate the value of a good password, or rather the value of a strong passphrase, since it will be your first line of defense protecting you from potential attacks. While you’re trying to figure out a suitable password there are some common mistakes you should avoid such as recycling passwords, or storing them in plain text. If you want to avoid the hassle of creating a strong password from scratch, a password manager could come in handy.
For an extra layer of security, you should enable some form of two-factor authentication (2FA). PayPal offers the user two options. One is dubbed the PayPal Security Key, which basically is authentication over a text message using a one-time pin (OTP), with a unique one-off code generated for each login. The second option is connecting your account with a 2FA application, which you’ll have installed on your device. There are many 2FA offerings you can choose from, based on your needs.
If you’re using PayPal on your smartphone, you can also increase your security by locking your app using a four-to-eight-digit PIN code or even add a biometric lock in the form of a fingerprint. Last but not least, you should also have a full-featured security product installed on your device, which should protect you against most types of attacks. Some products even protect your payment and banking applications that provide an extra layer of security while you conduct financial operations.
PayPal remains one of the safer options for performing financial transactions. However, as with any platform handling financial operations, users must remain extra vigilant to avoid falling into various traps fraudsters may set up to trick them out of their hard-earned money. Applying proper cybersecurity best practices and using available cybersecurity tools can go a long way in protecting users from various scams and mishaps.
written by Amer Owaida, ESET We Live Security