Scams and associated fraud seem to be forever rising, with the ONS recording 3.8 million incidents of fraud in the UK between 2017 and 2018.
A study by Age UK found that an individual in the UK is three times more likely to suffer fraud than a robbery and burglary. Over 800,000 victims above the age of 65 are targeted by fraudsters each year, including 49,000 successful attempts between 2018 and 2019.
If you’re looking for general strategies to protect yourself from data theft and cybercrime online, then visit our guide here.
Amongst the various techniques utilised by cybercriminals to gain access to personal and financial details is phishing. Phishing is when a fraudster impersonates or misrepresents trusted brands, businesses or individuals to access personal information. PayPal is a frequent target of phishers.
In fact, PayPal is the ‘most spoofed’ brand on the planet, according to WeLiveSecurity.
Hackers probably target PayPal due to how ubiquitous and widely known it is. There’s a solid chance that the recipient will indeed own a PayPal account, which is the first step in launching a successful phishing attempt.
The object of phishing is to convince the victim to give away their details. These details are then used to access their account and steal their money or identity.
Phishing is a deliberately chosen homophone of fishing.
The word 'phishing' was coined in 1996 by hackers aiming to steal America Online accounts (now AOL). By sending out email ‘lures’ or ‘bait’ to the ‘sea’ of internet users, hackers hoped that at least some would take the bait.
These email lures would include fake lottery wins, which are still a popular ‘lure' today, as well as fake fraud alerts, falsely represented charities and other fake authorities.
Phishing today is the same as it ever was in principle. Millions of people receive phishing messages in their email inbox or phone every single day, and inevitably, a small percentage of victims are caught out.
Today, phishing scams have become far more sophisticated. Hackers can create fake messages and emails that look and behave like the ‘real thing’.
Smishing is sometimes used to describe SMS-based phishing, which is the type of PayPal scam we’re discussing here. Smishing involves the receipt of an SMS text message which contains a spoof link and ‘call to action’, like ‘click here to resolve fraud on your account’.
Vishing is phishing via voice message or answerphone. An automated system will be used to make random automated voice calls to numbers. It may leave a message if the recipient doesn't pick up the phone.
An example of a vishing message given by PayPal is:
"This is PayPal calling about a possible fraudulent transaction on your account. Please enter your password now to hear the transaction details. We need your immediate response to block this transaction."
What is the PayPal text scam?
PayPal, the ubiquitous payments provider that used to be strongly associated with eBay, is an ideal platform for phishers.
The PayPal text scam involves receiving a text message masquerading as PayPal.
SMS phishing scams are widespread, seeing as SMS is the lowest common denominator amongst phone users worldwide.
These messages usually feature some sort of alarmist tagline and request. It’s common for fraudsters to elicit some kind of immediate reaction from their victim, prompting them to act quickly before they reflect or realise what they’ve done.
One of the most common subject/taglines is something along the lines of:
“Immediate Action Required: Your PayPal Account Has Been Compromised.”
Familiar to anyone? These sorts of alarmist messages crop up a lot in phishing scams online. The general idea is to make the recipient feel anxious and compel them to act immediately. This can be pretty effective if the message catches us off guard. Then there’s the lingering feeling that it could indeed be legitimate.
Other possible subject lines include:
"You have received an online payment. Click here to update your details so we can credit your account."
“You have a gift voucher that is about to expire. Log in to use it."
"We need to talk about your account. Please sign in and contact us immediately."
“We need a few more details to verify your account. Your account will be closed if you fail to do this within 24 hours.”
PayPal gives the following two example texts. The currency and phone number will likely be tailored to the UK if the recipient has a +44 prefix.
"Your PayPal account has been suspended due to suspicious activity. Please contact us immediately at 0123-4567. We must speak to you immediately."
“PayPal: You spent $1,293.17 USD with PayPal. If you did not make this transaction, please call us immediately at 0123-4567. Thank You."
What happens next?
There will be a link or number embedded in the message. The link may look quite similar to PayPal’s genuine link.
Upon clicking the link, you’ll likely be taken through to a page that looks highly similar, if not identical, to PayPal. Once you begin to type your details, you won’t even need to finish entering your password and press ‘enter’ for the attackers to capture what you've typed. The page can record each character as you type it.
You might decide not to go through with it, but it may be too late by that stage.
You may be prompted to insert all manner of details ranging from your email and password to address, phone number, and answers to any security questions.
This will enable hackers to take over your entire PayPal account and will probably enable them to access other accounts or even make accounts in your name. There’ve been cases where hackers have used people's details to take out large loans or mortgages or commit serious financial crimes or other offences.
Phishing is often used as part of other cybercrimes, such as this woman who faced bankruptcy after being targeted by a dating site scam.
Once the victim has finished entering their details, the phishing scam will usually ‘bounce’ them back to PayPal’s genuine site.
This is quite simple to do and helps ensure that the victim doesn’t take further action, reassuring them that the interaction was legitimate.
Why are phones more dangerous than web browsers when it comes to phishing scams?
Security firm Sophos raised a great point about why phones pose a greater risk than internet browsers when it comes to phishing scams.
Firstly, most of us are more familiar with how web pages look on our computers. This may be particularly relevant to older individuals who have been using computers for much longer than smartphones.
When a webpage loads on a phone, we expect it to look different to how it might look on a PC or laptop. The mobile version of a web page is compressed, and it can be hard to verify the small details and features that tell our brain 'this looks legit'.
Moreover, mobile sites often have what is known as 'truncated' URLs. This means that you only get to see the left-hand part of a web link, e.g. PayPal(dot)com/login and not the rest, which will probably feature unfamiliar numbers and letters.
There’s also something in the way we interact with phones on a behavioural level, too. So much of what we do on our devices is automatic, almost subconscious sometimes, and that makes it easier for hackers to catch us with our guards down.
What do I do if I receive a fraudulent PayPal text message?
First and foremost, it’s best if you don’t click on the link at all.
Here are five steps to identifying a phishing scam or spoof message:
1) Examine the content for errors
Spoof messages and phishing scams usually feature impeccable spelling and grammar, but this is not guaranteed. Small mistakes or nuances in the way the text is written may give the game away.
2) Examine the link
The link is usually a solid giveaway of a spoof website, but it can sometimes be hard to tell.
For the link to be legitimate, every single character should match PayPal's genuine address exactly (with "https://" and not "http://"). Any deviation should be treated with caution. Even if the URL looks correct, complete the following steps first.
3) Check for the padlock
Securely encrypted sites should have a (typically green) padlock on the left-hand side of the URL bar. You can click on this to discover information about the site’s security certificate.
PayPal says, "The Green EV SSL secure logo is present in the web address bar. This looks like a green lock and identifies the site as owned by PayPal, Inc.”
4) Log on to your PayPal from a separate device
Log in to your PayPal account from a separate device to check for any sort of warning message, alert or notification. If there is a genuine issue with your account, this should pop up as a notification and will be visible in your PayPal Messages or Alert Centre.
5) Log on to your email from a separate device
You should also check your email account for emails from PayPal. If there is a genuine problem with your account, PayPal is more likely to email you rather than text you. If you have no email or messages in your PayPal account, it's safe to assume that the text is a phishing scam.
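The link check in step 2, and the truncated-URL problem described earlier, can be made mechanical. The following is an added example (not code from the original article or from PayPal) that pulls the URLs out of an SMS body and reports why each one fails; it assumes only paypal.com and its subdomains count as genuine, and the sample texts are constructed.

```python
import re
from urllib.parse import urlparse

# Hosts treated as genuinely PayPal's for this check. The article names only
# paypal.com; anything else is an assumption you must verify yourself.
LEGIT_HOSTS = {"paypal.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def host_is_legit(hostname):
    """True only for paypal.com itself or a subdomain such as www.paypal.com."""
    if not hostname:
        return False
    h = hostname.lower().rstrip(".")
    return any(h == legit or h.endswith("." + legit) for legit in LEGIT_HOSTS)

def check_url(url):
    """Return the reasons a URL fails step 2; an empty list means it passes."""
    reasons = []
    parts = urlparse(url)
    if parts.scheme.lower() != "https":
        reasons.append("not https")
    host = (parts.hostname or "").lower()
    if not host_is_legit(host):
        if "paypal" in host:
            # e.g. paypal.com.something.example: the left-hand part a truncated
            # mobile address bar shows looks right, but the real domain is further right
            reasons.append("lookalike host: " + host)
        elif "paypal" in parts.path.lower():
            reasons.append("'paypal' only in the path, host is " + host)
        else:
            reasons.append("host is " + host)
    return reasons

def check_sms(text):
    """Map every URL found in an SMS body to its list of problems."""
    results = {}
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;)")   # drop sentence punctuation glued to the link
        results[url] = check_url(url)
    return results

# Constructed sample messages, not real scam texts.
SAMPLE_SMS = [
    "PayPal: You spent $1,293.17 USD. If you did not make this transaction, "
    "verify at https://paypal.com.account-check.example/login now.",
    "Your PayPal account has been suspended. Visit http://paypal.com/login.",
    "Sign in to your account at https://www.paypal.com/signin.",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        for url, problems in check_sms(sms).items():
            print(url, "->", problems or "passes the link check")
```

Because the check works on the parsed hostname rather than on what the address bar displays, a link whose visible left-hand part reads "paypal.com" but whose real domain sits further right is still flagged.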
The next thing to do is to report it to PayPal and Action Fraud.
Reporting PayPal phishing scams
You can alert PayPal to spoofed messages via the email address email@example.com. PayPal vows to attempt to shut down phishing scammers, blacklisting their methods of communication to prevent future fraud attempts from that source.
You can also report the phishing attempt to Action Fraud on 0300 123 2040.
Alert friends and relatives by screenshotting the message and spreading it around.
What if I already entered my details?
If you received a phishing message from PayPal or anyone else and proceeded to enter your details, don't panic. The first thing to do is change your PayPal password as soon as you can.
Once you’ve changed your password, contact PayPal to report a fraud on your account.
You can also alert any bank you have connected to the PayPal account, which will be able to put a hold on your bank account and card.
How to spot a PayPal text scam
Text messages from PayPal should always be treated with suspicion.
Any alert you receive via text you should also receive via email. You should also be able to view alerts when you sign in to your PayPal account.
Phishing is prevalent throughout the world, but it’s possible to reduce the risk of fraud via phishing to nil with vigilance. Never hesitate to contact PayPal, Action Fraud or your bank if you have any suspicion that your accounts have been hacked or compromised.