Phishers target panicking PayPal users with fake “failed transaction” emails

With the end-of-the-year holidays quickly approaching and many users worrying whether the gifts they bought online will be delivered in time for the festivities, an email from PayPal saying their transactions were impossible to verify or their payments were not processed will throw most users for a loop.

Phishers are counting on that, and are hoping that panicking users will be too distraught to notice that the email did not actually come from PayPal and that it didn’t address them by name:

PayPal holiday phishing

Those who fail to identify the email as fake and click on the button ostensibly taking them to the “Resolution Center” will be taken to a phishing site set up by the criminals.

There, through a series of pages, they will be asked to enter their PayPal login credentials, physical address, phone number, mother maiden’s name, date of birth, and payment card information (name, number, card number, expiration date, security code):

PayPal holiday phishing

The site ramps up the tension and urgency by enumerating all the things users can’t do while their account is limited.

As fakes go, this site is visually pretty convincing, but more knowledgeable users should look at the URL and find it suspicious. Unfortunately, there are still many users who will trust it, and enter the asked-for information.

Don’t fall for it

“It’s an especially sneaky tactic in the run up to December, as many people struggle to remember the who/what/when/where/why of their festive spending,” Malwarebytes’ Christopher Boyd notes.

“Scammers are banking on the holiday rush combined with the convenience of ‘click link, do thing’ to steal cash out from under your nose.”

He advises users to refrain from clicking on links in unsolicited emails, and to check this and similar claims by manually navigating to the website. If there’s a problem, it will come up once they log in (or fail to log in) to their account.