PayPal users are being advised to Tweet with caution following reports that scammers are tricking customers into giving up their bank details. According to a report by cybersecurity firm Proofpoint, PayPal customers are being targeted by fraudulent Twitter accounts posing as customer support staff and then directed toward malicious links that ask them to give up sensitive account info.
At least two accounts – which have now been suspended by Twitter – have been observed engaging in so-called angler phishing attacks, named after the deep-sea fish that uses a lure to capture prey. Angler phishing is a relatively new technique made possible by social media. In these attacks, a fraudulent account impersonating a reputable company or service provider, usually posing as its customer support, targets customers who reach out for help on Twitter.
These customers will then be lured to a malicious link where the attacker will attempt to trick them into giving up sensitive account or banking information. These accounts feign legitimacy by using convincing graphics and logos on their account and by including the word "ask" in their Twitter handle – a popular prefix for customer support accounts on social media.
"In each of these attempts, the customer is reaching out to the official PayPal Twitter account for support," read the Proofpoint report. "Since they are mentioning the official PayPal Twitter account through their proper handle, @PayPal, these tweets will show up on the official PayPal Twitter page. From there, the fraudulent PayPal Twitter accounts can monitor for opportunities to target customers that are expecting a response.
"In both of these cases, the fraudulent but realistic Twitter handle, landing page, and login screen create a convincing lure that can entice users to enter their PayPal credentials into the fraudulent page, providing scammers direct access to their accounts and any funds in them."
According to Proofpoint, financial services are the main focus of angler phishing attempts, making up more than 75% of all attacks. It added that PayPal was aware of the problem and is now working with Twitter to resolve it.
FYI, the official PayPal support account is @AskPayPal. If you do get contacted by an account that looks suspicious, report it to Twitter. If in doubt, a quick look at a company's Twitter page should be enough to tell you if it's legitimate or not. As always, you'll be safe so long as you use common sense and err on the side of caution.
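The two tells the article describes, a support-style handle that is not the brand's official one and a link that leads off the brand's own domain, can be turned into a simple triage check for replies to customer mentions. This is an added example, not Proofpoint's or PayPal's code; @PayPal and @AskPayPal come from the article, while the official domain list, the support keywords and the sample replies are constructed assumptions for this illustration.

```python
import re
from urllib.parse import urlparse

# Assumed allowlists: the two handles are named in the article, the domain is an assumption.
OFFICIAL_HANDLES = {"paypal", "askpaypal"}
OFFICIAL_DOMAINS = {"paypal.com"}
SUPPORT_WORDS = ("ask", "support", "help", "care", "team")
BRAND = "paypal"

# Crude fold of glyphs commonly swapped into lookalike handles (1 for l, 0 for o, padding).
_LOOKALIKES = str.maketrans({"1": "l", "0": "o", "_": None, "-": None})


def normalize_handle(handle: str) -> str:
    """Lower-case, strip '@' and fold lookalike glyphs: '@Ask_PayPa1' -> 'askpaypal'."""
    return handle.lstrip("@").lower().translate(_LOOKALIKES)


def impersonates_brand(handle: str) -> bool:
    """True when the handle is not an official one but is built to read as brand support."""
    raw = handle.lstrip("@").lower()
    if raw in OFFICIAL_HANDLES:          # exact match against the allowlist, before folding
        return False
    folded = normalize_handle(handle)
    return BRAND in folded and any(word in folded for word in SUPPORT_WORDS)


def offsite_links(text: str) -> list[str]:
    """Hosts of URLs in the tweet that are not an official domain or a subdomain of one."""
    flagged = []
    for url in re.findall(r"https?://\S+", text):
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
            flagged.append(host)
    return flagged


def classify_reply(reply: dict) -> list[str]:
    """Reasons a reply to a customer's @PayPal mention looks like angler phishing ([] = clean)."""
    reasons = []
    if impersonates_brand(reply["from"]):
        reasons.append(f"unofficial support-style handle {reply['from']}")
    reasons.extend(f"link to non-official host {h}" for h in offsite_links(reply["text"]))
    return reasons


SAMPLE_REPLIES = [  # constructed for this example
    {"from": "@AskPayPal", "text": "Sorry to hear that, please DM us. https://www.paypal.com/help"},
    {"from": "@Ask_PayPa1", "text": "We can fix that now: http://paypal-secure-login.example/verify"},
    {"from": "@jane_doe", "text": "Same thing happened to me last week."},
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(reply["from"], classify_reply(reply) or "ok")
```

A flagged reply is a candidate for reporting to Twitter, as the article suggests, not proof of fraud; the handle heuristic will miss impostors that avoid the brand name entirely.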