PayPal "New Address" Feature Exploited in Phishing Scam

Cybercriminals are exploiting PayPal’s address confirmation emails to trick users into believing their accounts were hacked. By sending legitimate-looking notifications about an unauthorized purchase and addition of a new address, scammers create panic and lure victims into calling a fake support number, where they attempt to gain remote access to the victim’s device.

Many PayPal users have reported receiving emails stating that a new shipping address was added to their accounts. These messages, sent from PayPal’s official email ([email protected]), also include a supposed purchase confirmation for a MacBook M4 Max, priced at $1,098.95. The email urges recipients to call a provided phone number if they did not authorize the transaction.

Despite appearing authentic, these emails are counterfeit. No actual changes are made to PayPal accounts, and in some cases, recipients do not even have a PayPal account linked to the email address that received the message. Because these emails originate from PayPal’s own servers and pass security checks, they easily evade spam filters and land in inboxes.

The scam is designed to create a sense of urgency. Victims who call the listed phone number hear an automated message claiming they have reached PayPal support. They are then connected to a scammer posing as a representative, who insists their account has been compromised. The cybercriminal urges them to download a remote access tool, claiming it will help secure the account.

Victims are directed to a deceitful website, where they must enter a service code. This triggers a download for remote desktop software such as ConnectWise ScreenConnect. If installed, scammers gain full access to the victim’s computer, enabling them to steal personal data, install malware, and access financial accounts.

This scam exploits PayPal’s "gift address" feature, which allows users to add additional shipping addresses to their profiles. Scammers insert the deceptive Macbook purchase message into the feature’s address field, which PayPal then automatically includes in its confirmation email.

From there, scammers leverage email forwarding tactics. The scam PayPal confirmation email is first sent to an address linked to the malicious actors, which then forwards them to a distribution list, targeting unsuspecting victims. To these users, it looks like they’ve received an email from the official PayPal address, that states an address change and purchase of a Macbook.

PayPal has yet to address this vulnerability. Until a fix is implemented, users should be cautious of unexpected PayPal emails, avoid calling any numbers provided in such messages, and verify account activity only through PayPal’s official website.

PayPal also faced issues in March 2023 when a lawsuit was filed against it on account of a data breach that exposed the personal information of about 35,000 users.