During this time of the year, holiday shopping can make it harder for people to keep track of their online transactions and accounts - confusion that criminals are taking advantage of through phishing campaigns that target popular payment and ecommerce websites.
PayPal Phishing Campaign
A new phishing campaign has recently been found targeting consumers via PayPal. As reported by Malwarebytes, the PayPal phishing email plays on the emotions of targets, creating a false sense of urgency by claiming that your recent transaction cannot be verified.
The email message claims to confirm that the user has changed their password, and says that the sender has noticed some changes to the user's selling activities that will require information verification. Once a user clicks on the link, they're led to a spoofed PayPal website, titled "Resolution Center," that asks for personal information, credit card numbers and extensive banking information.
The scam goes even further, asking the user to upload documents to verify their identity, including a passport, identity card or driver’s license, according to HackRead. If you’re giving that much information away, it’ll be much harder to detect identity fraud right away - compared to a stolen credit card number, which can be potentially flagged and stopped by your bank.
If you're on Chrome, Google has already flagged the fake login link used in this scam as a potentially dangerous site. Check the browser address bar for the verified green signature (lock icon) to ensure the page is legitimate.
PayPal provides information on phishing and suspicious emails, and a way for people to report suspected fraud on their website.
Amazon Phishing Campaign
In November, the Better Business Bureau reported on a phishing scam that impersonated Amazon.com. The message claimed that Amazon could not confirm the address associated with your Amazon account.
The message also stated that Amazon had disabled login access, and required action from the user to verify account information and re-enable access to their account - urging the user to click on the link in the email, which doesn’t lead to Amazon.com but rather to a third-party site that could be hosting malware.
Amazon provides a security and privacy page on identifying emails or webpages from Amazon, as well as an email address to report suspicious URLs or emails - firstname.lastname@example.org. Check out the page linked above for instructions on how to do so.
Yet another Amazon phishing scam, reported on Twitter, was spotted urging customers to call tech support:
Interesting #phish. There is no malicious link or attachment, just a lure to get victim to call the phone number, which is really a tech support scam. Perfect time to pretend to be Amazon. Also, all domains used were legit, making it harder to detect. pic.twitter.com/vEUAfT3Phd — Lance Spitzner (@lspitzner) November 28, 2017
What to Look Out For
Slow down and pay attention to email messages to avoid clicking on malicious links or giving away sensitive information. Beware of any urgent calls to action related to your transactions or account information - this type of messaging plays on the reactive emotional response of a user to get information from them quickly.
Don’t click on links within the email - type the website URL into your address bar manually or use a search engine to locate the webpage. Check for https:// and a verified lock icon in your address bar (but don’t rely on this as the single indicator of security; as new phishing tactics from this summer have shown, it doesn’t always mean 100% assurance).
Protecting Against Account Breaches and Malware
Aside from what to look out for, you can proactively protect against account breaches caused by phishing attempts by turning on two-factor authentication (also sometimes referred to as ‘two-step verification,’ ‘multi-factor authentication’ or ‘2FA’ for short) for all of your online accounts, especially any tied to your financial or personal information.
A second factor of authentication (preferably via an authentication method that isn’t SMS-based, if that’s an option) can stop criminals from logging into your account remotely using only a stolen password. Check out How to Add Two-Factor Authentication to Your Amazon Account With Duo Mobile.
In addition to protecting against unauthorized logins from stolen passwords, you can better protect your devices against malware infections caused by clicking on links and visiting malicious websites by keeping your software up to date - that means running operating system, browser, plugin and other application updates as soon as they’re available. The more up to date your system is, the less likely it is to be compromised by malware that seeks out weaknesses in old software to exploit.