PayPal SMS Identity Theft

Hacker Exposes High-Security Bug to PayPal

PayPal, one of the most frequently used applications for money transfers and other online payments across the globe, was recently hit by a text/SMS phishing scam. Even in the era of email and social media, attackers never miss a chance to exploit traditional communication channels, especially SMS, which banks and user-centric applications use as a primary channel for verifying and validating their users. In the case of PayPal, attackers abused the text/SMS channel to dupe users.

The attackers used two fake PayPal websites. They cannot use the original domain name, PayPal dot com, but can easily use subdomains like PayPal dot in order to mislead users and extract personal information from them. Naked Security mentioned in its report that both websites were registered just a day or two before the phishing messages showed up. Both sites looked legitimate and were not easily distinguished from the real one by users.

Attack Scenario

The SMS states: “PayPal: Due to a recent failed payment request your account has been restricted” or “We have detected unusual activity on your account”

These messages are followed by HTTPS links that direct users to the fake websites. HTTPS only indicates that the connection is encrypted; it says nothing about who owns the site, and these sites are bogus and belong to the attackers. Once the user clicks the phishing link, it takes them to a fake PayPal login page that collects their credentials and then prompts them to fill in personal information: full name, date of birth, address, phone number and finally debit/credit card details.


  • Users should avoid clicking any links in mails/SMS and should instead open the original website directly in the browser.
  • Always check the URL of the website provided in the mail/SMS.
  • Always read each text/mail from banks and other information-sensitive organizations carefully before taking any further action.
  • Never give out your personal and payment information right away; always check with the respective company’s customer care service and designated authority.
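
The URL check recommended above can be automated, for example in a mail or SMS gateway filter. The following is an added example, not part of the original article: the function name `classify_link` and all sample links are constructed for illustration (they use the reserved `.example` domain), and the only domain treated as genuine is `paypal.com`. It shows why the hostname, not the presence of HTTPS or of the word "paypal", decides whether a link is trustworthy.

```python
from urllib.parse import urlsplit

BRAND = "paypal"
LEGIT_DOMAIN = "paypal.com"  # assumption: the only domain treated as genuine here

def classify_link(url):
    """Return (verdict, reason) for a link taken from an SMS or e-mail."""
    try:
        parts = urlsplit(url.strip())
        # .hostname is lowercased and has userinfo ("user@") and port removed
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "suspicious", "URL could not be parsed"
    if not host:
        return "suspicious", "no hostname found (missing scheme?)"
    # Genuine only if the host IS the domain or a true subdomain of it.
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        if parts.scheme != "https":
            return "suspicious", "genuine domain but not HTTPS"
        return "genuine", "host is under " + LEGIT_DOMAIN
    # Everything below is NOT PayPal, whatever the scheme says.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "punycode label in host " + host
    if BRAND in host:
        return "phishing", "brand used as a label inside " + host
    if BRAND in url.lower():
        return "phishing", "brand only in userinfo/path, real host is " + host
    return "unrelated", "host " + host + " does not reference the brand"

# Constructed sample links; none of these come from the reported campaign.
SAMPLES = [
    "https://www.paypal.com/signin",
    "https://paypal.account-verify.example/login",   # brand as a subdomain
    "https://paypal.com.account-verify.example/",    # real domain as a prefix
    "https://paypal.com@secure-login.example/",      # brand in userinfo
    "https://secure-login.example/paypal/signin",    # brand in path
    "https://notpaypal.com/",                        # brand as a substring
    "http://www.paypal.com/signin",                  # right host, no TLS
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict, reason = classify_link(link)
        print(f"{verdict:10} {link}  ({reason})")
```
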

