Whenever some phishing email bypasses my spam filter and makes it into my inbox, I’m quite sure that a more sophisticated phishing campaign is at work.

This is what happened the other day when I received this message, purportedly from PayPal.

This email has a number of variations. It can appear on your laptop or phone but the goal remains the same. It wants to trick you into giving the criminals behind the email as much information as possible, and, believe me, these people really want a lot of information. They may want to gather this information for their own money making activities or to simply sell it to others.
Now, at the outset, there are some tip offs as to the authenticity of the email. The criminals made no effort to spoof the PayPal URL. In other words, these emails seems to be widely distributed by bots that are just trying to fool enough people to make a profit. They are also using a legitimate URL from a site they’ve taken over in order to get past spam filters. In addition, there are a few grammar problems in the message, although they are not as severe as in some of these attacks.
So, let’s suppose that you follow the link to resolve the PayPal issue. You will be redirected to a login page that looks legitimate. However, notice the URL.

All the links on this page simply reboot the page. However, if you decide to log in, and, of course, in the process, give them your login credentials, you will be directed here.

They could have stopped with just getting your PayPal account; however, they probably figure they have a naïve fish on the line, so they take this even further by hoping you’ll give them your credit card information. The victim may look at the URL and only see the green padlock and figure they are safe. But, in fact, this just came with the site that they have taken over. Using an iframe attack, they’ve managed to completely hide the real site but use its credentials. Here is the actual site they’ve taken over. There are likely many more of these compromised sites used in similar attacks.

Now, you’d think that getting your credit card data would be enough, but not for these criminals. They want even more. So after filling out the last form, you’ll be redirected here.

I can only suppose that, with this additional information, the attackers can either register the victim’s card information for Visa Verification or take over the victim’s account. However, to get a verified visa card, you’d need to supply more information, such as a photograph. But don’t despair. If you give them the information they want, you will be led here.

Yes, that’s right. They want you to take a selfie of yourself with your driver’s license, or other ID, plus your credit card. Sure, most people may think this is going a bit far but, who knows, maybe they’ll go along with it. After all, they’ve gone this far. Besides, while you’re busy taking your selfie and uploading it to the criminals, they are probably draining your PayPal account. If you finish this last step, you’ll be redirected to the real PayPal website, that’s when you’ll find out if you still have an account or not.
This scam is similar to one that appeared in 2017. At that time, it was thought that the scam was used to set up cryptocurrency accounts. That’s still possible but, with this much information, there is very little that a hacker can’t do. Some time has passed since the exploit was used so the attackers may feel most victims would not have heard of such an attack.
There has recently been a surge in attacks using PayPal as the cover. Any messages that appear to come from PayPal should be viewed suspiciously. Check here to see the latest scams making the rounds. Always remember that just because a message makes it into your inbox doesn’t mean it is a legitimate communication.