Research from Dr. Carl Windsor of FortiGuard Labs reveals the emergence of a “phish-free PayPal phishing” scam. Targets of this scam receive emails that appear legitimate, mimicking a message from PayPal and prompting the target to settle a supposedly outstanding payment request. If the target clicks the link in the email, they are taken to a PayPal login page and asked to enter their login credentials.

Elad Luz, Head of Research at Oasis Security, offers his insight on this scam. He states, “Standard phishing methods typically require threat actors to craft and deliver emails to a wide audience. These methods are relatively easy for mailbox providers to detect and block, as they can be quickly identified by their origin and content.

“In this case, however, the threat actors exploit a vendor feature to deliver their messages. The emails are sent from a verified source and follow an identical template to legitimate messages, such as a standard PayPal payment request. This makes them difficult for mailbox providers to distinguish from genuine communications, leaving PayPal as potentially the only entity capable of mitigating the issue.

“Furthermore, since PayPal operates as a payment platform, it directly facilitates the threat actor’s end goal.

“I recognize that there is likely a tradeoff between delaying transactions to allow more time for detecting fraudulent activity, maintaining customer satisfaction by processing payments promptly, and addressing the need to compensate affected customers.

“I trust PayPal will strike the right balance to address this challenge effectively.”