PAYPAL users are the latest targets of cyber crooks looking to make a quick buck using devious online scams.
According to security experts, fraudsters have found a way to send phishing emails using the services provided by finance apps.
The tactic helps them slip past defences erected by email providers and antivirus software to block nefarious messages.
Researchers at Avanan, a company owned by U.S. security behemoth CheckPoint, discovered the attack in June 2022.
In a blog post, they described how scammers used free PayPal accounts to “send malicious invoices and requests”.
Recipients of the requests may have assumed that the invoices were legitimate as they came from official PayPal domains.
They may then hand over their credentials or banking information to attackers, who quickly drain their coffers.
Avanan experts first discovered attackers employing the tactic using free accounts with accounting software provider QuickBook.
Last month, they uncovered a similar scheme that utilised free PayPal accounts to part people with their cash.
The campaign is particularly devious because the phishing emails are sent using PayPal’s tools and services.
Most read in Tech
That makes them less likely to be spotted as phoney by recipients and software designed to block scams from people’s inboxes.
“A hacker would create a free account in QuickBooks,” Avanan’s Jeremy Fuchs wrote in the blog post.
“They would create a spoofed invoice, either for Norton or Microsoft, and then send it to the user.
“Since it’s created in QuickBooks, the email comes across as legitimate. Email scanners see a legitimate QuickBooks domain.
“Since QuickBooks is on most Allow Lists as a legitimate site, the email passes right through.”
Phishing attacks lure victims to a website that appears to be operated by a trusted entity, such as a bank, social media platform or other service.
The website, however, is phoney with fake content designed to persuade a victim to enter sensitive information, like a password or email address.
Attackers behind the latest campaign changed invoice data to look legitimate, for instance by using names of legitimate companies.
They also added official logos and more to the phoney payment requests.
If you’re unsure whether an invoice is legitimate, contact the company who sent you the request to confirm.
Look up the correct phone number online rather than using anything provided in the message, as this may also be fake.
If you’re worried that you might have fallen for a financial scam, the first thing you should do is contact your bank.
You should then report it to ActionFraud. Their website is actionfraud.police.uk, and their phone number is 0300 123 2040.
Best Phone and Gadget tips and hacks
Looking for tips and hacks for your phone? Want to find those secret features within social media apps? We have you covered…
We pay for your stories! Do you have a story for The Sun Online Tech & Science team? Email us at [email protected]
This post first appeared on Thesun.co.uk