PayPal credential phishing with an even bigger hook
Credential phishing is a tried-and-true method for malicious actors to gain access to unsuspecting victims’ accounts. Scammers first create a sense of urgency with a phishing email to trick victims into clicking a link that takes them to a spoofed login page. If the victim fails to recognize the red flags of the malicious page and enters their login credentials, the deed is done. The scammer has the login information they need to access the account to make changes or uncover sensitive information, financial records and more.
However, with the increased adoption of multi-factor authentication, login credentials alone may not be enough for scammers to gain the access or information they’re after. Plus, if you don’t recognize the signs of a spoofed login page, there’s a good chance you won’t see the red flags when the page requests even more information. For these reasons, credential phishing is evolving into something even more dangerous.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
Is your organization susceptible to phishing attacks? Find out today with a free Phishing Risk Test!
The emergence of multistep data entry attacks
Scammers are taking their phishing techniques to the next level by spoofing sophisticated account verification and recovery processes. These go beyond credential phishing to harvest billing addresses, social security numbers, account recovery information and even credit card numbers.
In a recent phishing attack, scammers built a multistep PayPal account verification process disguised as a security feature. The attack starts with a phishing email notifying the victim of unusual activity and the need to confirm their identity.
Image courtesy of welivesecurity
The victim is then taken to a spoofed PayPal login page that perfectly mimics PayPal’s legitimate login process. If a victim enters their credentials, the scammer attempts to gain access to the account. Even worse, if the victim continues through the account verification steps, the scammer can steal additional information without ever logging in to the account, tripping security alerts or getting stopped by multi-factor authentication.
After the spoofed login process, the victim is asked to verify their billing address, credit or debit card number and other information such as their mother’s maiden name. In this attack, the scammer steals as much information as the victim shares, whether they complete the entire spoofed account verification process or leave the page before completing each step.
Image courtesy of welivesecurity
If the victim completes the entire spoofed account verification process, they are shown a message congratulating them for restoring their account before being redirected to the legitimate PayPal website.
Image courtesy of welivesecurity
This allows the scammer to cover their tracks and avoid tipping the victim off to the attack.
Are multistep data entry attacks the new norm?
New multistep data entry attacks are discovered nearly every week. A common Netflix credential phishing attack that has been circulating for years was recently spotted with a new addition. Instead of capturing login credentials alone, this attack also asks for the victim’s billing address, social security number and birthday.
Image courtesy of mailguard
And like spoofed login pages, additional form steps are often designed with fake security indicators and company logos making it even harder for victims to detect the scam.
What does this mean for your organization?
While these examples target personal accounts, multistep data entry attacks are just as likely for employee logins and accounts used for your internal operations — and potentially more dangerous.
If you were to guess, how many employees at your organization re-use the same password for every account? This common security blunder could turn a single account breach into free access to your organization’s most sensitive data.
And with an entire portfolio of software solutions spread across your entire workforce (not to mention shadow IT), it's more important than ever for each employee to learn the skills to recognize and avoid every step of this attack.
Train your employees & test their skills
Security awareness and training is vital for virtually every employee at organizations of every size. By learning basic security best practices and keeping cybersecurity top-of-mind, your employees and coworkers can avoid and report attacks that slip past your technical controls.
You can also pair training with simulated phishing campaigns that replicate the attacks your workforce is most likely to face to test their ability to avoid attacks. Security awareness and training platforms such as Infosec IQ even have pre-built phishing templates and spoofed login pages for the PayPal and Netflix attacks outlined above to help you prepare employees for new and emerging attacks.
Phishing simulations & training
Interested in seeing Infosec IQ in action? Request a demo today!
In this Series
- PayPal credential phishing with an even bigger hook
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Phishing-as-a-Service
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
