SMS messages, or “texts”, are old hat these days.
These days, most of us prefer services that don’t go through the mobile phone network, such as WhatsApp, WeChat, Facebook Messenger and Snapchat.
Nevertheless, SMS messages haven’t died out completely, not least because they’re a lowest common denominator that pretty much every mobile phone in the world can receive.
All you need is the recipient’s phone number.
As a result, SMS is still a popular choice for businesses that need or want to tell you something important without wondering which messaging app you prefer.
SMS messages are short and simple, with no room for “Dear Sir/Madam”, so people don’t expect to be greeted by name; there are usually few pleasantries or polite words; and there’s no need for fancy layout, icons, fonts or other typographical and artistic details.
As a result, crooks can create believable fakes, with no obvious mistakes, fairly easily.
Like these two reported by Naked Security readers recently:
The problem with phones
Both website names used in these text messages were registered just a day or two before the messages showed up, presumably for the sole purpose of these very phishing campaigns.
As we’ve warned before, a tricky problem with any web links you receive on your mobile phone is that it’s often harder to spot that a link is not what it seems.
Most of us use our phones in portrait mode, leaving much less screen space to display long URLs, with the result that you generally see the just left hand end of the web address, and not the right hand end.
Crooks almost certainly can’t get hold of a server name that ends with, say, paypal DOT com, but can create any number of subdomains that start with paypal DOT and end with some unrelated domain.
But the suspicious-looking right-hand end of a full domain name often ends up invisible on a mobile phone because it won’t fit in the address bar.
HTTPS doesn’t guarantee truth
As you can see above, both websites use HTTPS, which denotes secure HTTP.
Remember, however, that HTTPS vouches for the security of the network communication between your browser and the website at the other end. It doesn’t vouch for the honesty or accuracy of the information that gets served up to you.
Sure, a site without HTTPS is best avoided – anyone nearby on the internet can spy on what you are doing, because there’s no encryption.
But a site with HTTPS isn’t automatically trustworthy on that account alone.
After all, crooks can have valid driving licences or other government-issued ID, but those IDs only vouch for who they are, not for their honesty or trustworthiness.
Keep it simple!
If you click through, the phishing scam is uncomplicated and, at least at first sight, believable enough.
You’re first asked to log in to your PayPal account:
By this point, of course, the crooks are already ahead because you’ve just uploaded your password to their bogus site.
For a touch of reassurance, there’s a legitimate-looking visual delay before the crooks hit you with their next phishing page:
If you weren’t suspicious when the password page popped up, you should definitely be suspicious from this point on, given the amount of personal data being requested just to show you a transaction:
You definitely wouldn’t need to put in your credit card and bank details, as the crooks urge you to do on the next page:
End with the truth
If you do supply the crooks with everything they’re after, the crooks bump you across to the genuine PayPal home page.
That might not be exactly where you’d expect to end up, but it does make for a softer and more believable landing than if your browser just crashed, or popped up some sort of error you’d never seen before:
Another trick that the crooks used in this scam was to remember the IP number (the network identifier) that you just used to visit their fraudulent pages. (IP numbers don’t always pinpoint individual computers, but they usually identify households or business premises.)
If you click through to the scam again, at least within the next few hours, you won’t see the telltale signs of the scam the second time around – you’ll just end up redirected immediately to the final, real PayPal page shown above.
In other words, if you have second thoughts about what just happened, or if you ask a trusted friend or family member to investigate for you, things won’t look suspicious when you go back for a second look.
What to do?
- Avoid links in text messages. If you know you’ll be dealing with company X, such as PayPal, find out the right website and and go there yourself. Don’t rely on links texted to you, because those links can say whatever the sender wants.
- Check the URL in the address bar. Be especially careful on your mobile phone, where the address bar often doesn’t show much text from the URL you are visiting. Stop and take the time to scroll right – don’t blindly believe the text you see at the left-hand end.
- If you realise you just revealed your password to imposters, change it immediately. The crooks who run phishing sites typically try out stolen passwords immediately and automatically, so the sooner you act, the more likely you will beat them to it.
- Report compromised bank data at once. If you get as far entering any financial data before you realise it’s a scam, call your bank’s fraud reporting number at once. (Look on the back of your credit card so you get the right phone number – never reply using contact details from the original message.)
PS. Don’t forget that just typing data into a web form exposes it to crooks because they can “keylog” what you type into a webpage even if you never press the [Submit] or [Next] button.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Achilles Resolute
This is the first time I heard about Paypal scam. I never came across it before. I receive SMS from Paypal on a regular basis. From this time onwards I regularly check links in the messages and in the address bar. I will try to follow the do’s and dont’s that you mentioned in your blog. Thanks for sharing such an informative post.
KJ
I am getting text messages from someone claiming that my number used to be theirs and it is still linked to their paypal account, can I please help them out with this? The reason I know it’s a scam is because I have had this number going on 5 years now and if they are just now realizing this welllll I think they have bigger problems lol. Crazy thing is, they are also calling but I haven’t answered the call or the text.
Paul Ducklin
Good choice. If you reply then you are just giving them a bit more of a chance to wheedle you. I suppose you could report it to PayPal but I’m not sure what they can do about it.
Alex
What ever happened? Follow up please! :)
Lorraine Parkin
Thank you the information. I nearly got scammed with a text message saying about a recent payment being restricted. I got as far as when asked to put bank details in but stopped and became suspicious. Thank goodness I didn’t put them in
Jo
Thank you the information. I nearly got scammed with a text message saying about a recent payment being restricted. Realized that this was a potential scam message from +44 7[REDACTED]. so I blocked the number.
Jas
Just had a text from 07[REDACTED] claiming to be from paypal. Scam, of course!
Lacey
Fake PayPal number asked for bank card to verify. I had a claim for a fraud charge and was tryin to contact PayPal by phone PayPal customer service is actually shut down due to covid. I made the mistake thinking someone would help me. It was an man who sounded of like he was from India. Phone number I called today 7/15 was [REDACTED]. Do not call this number he said they would issue $600 to my account to go to the store to purchase a google card. I immediately knew after this was a scam. I did give him my debit card number like a fool and I contacted my back and reported my card as stolen. I was temporarily locked out of PayPal and deleted all accounts. I will not be using PayPal goin forward. Thank gosh my PayPal didn’t have my social security number listed.
The jar of eyeballs
Just got a text from a 5 digit sender saying (someone is) trying to charge my PayPal acct an exact amount just under $500. I haven’t used in years, have diff cards now anyway, but… is anyone else getting these alerts? The alert asks for a response of yes or no, whether it’s my doing. Data rates and charges may apply. Not in my case though because I used the delete key. Stay Vigilant, my dears!
Melody
Is there in any way shape or form to block those numbers?
This scam s**t is spamming my phone, and I don’t like it, it makes me so mad, and if I met that “crook” face to face, it wouldn’t be a happy ending for him.
If they have no money, then they need to work for it, not steal it!
They just as of today sent me two messages! Without even dear * insert name* and they wrote PayPal wrong…
I changed my password every 3 months… So how they got my number in the first place? I am desperate for a solution and I am so mad at them…. Help?
Anonymous
Hi Melody
I empathise. They generate their numbers from a random database. If you ever respond (just once) your number is then marked as positive. You can Block all incoming spam numbers each time, but that will only stop repeats of the same number. Your number has been sold on.
Report each event to Spamstoppers (7726). However your best solution is to change your mobile number and in future block and never respond to anything that looks remotely suspicious, including calls from numbers you don’t recognise.
Paul Ducklin
In case you were wondering (and to help you to remember it), the number 7726 comes out as S P A M on a mobile keypad :-)
John
A great piece explains well. I got a Scam text exactly as described – first clue it was from a UK “+44 749 number” which is a mobile phone. Not Paypal – so they are still using random numbers to catch people.
Good warning never to connect to the link. Also check your Paypal Account from a different device via your own link to check all is OK.
Paul Ducklin
TBH, I have had genuine SMSes from major American brands (e.g. for 2FA codes) from
a mixture of +1 numbers, +44 numbers and alphanumeric “shortcodes”. Modern internet telephony is a bit like using a cloud service – today you might talk to a computer in Southern California; tomorrow the service might be delivered from South Wales. (And texts inevitably do show up as coming from mobile numbers because SMS is specific to the mobile network.)
Wendy
I recieved the following text message…
Is this a fake scammers message? And if so … what should I do about it?
【PayPal】Dear Customers, some unsafe activity was reported on your account. For your safety, please in order to regain access to your account at [FAKE LINK REDACTED].
Paul Ducklin
Yes. It’s a scam. You can report it to PayPal if you like, and then delete it. Or just delete it. The message itself is harmless on its own… the link in the message is where the trouble really starts, because the link goes to a site that does not belong to PayPal – it’s an impostor page that looks quite a lot, but not exactly, like the PayPal Singapore login page. (At least it looked like PayPal Singapore when I investigated. Exactly what country flavour you see my depend on where you are when you click. But don’t click – it’s definitely a scam.)
As the article says, “If you know you’ll be dealing with company X, such as PayPal, find out the right website and and go there yourself. Don’t rely on links texted to you, because those links can say whatever the sender wants.”
Anonymous
Received a message from a mobile saying a new device just signed into my account and to follow a secure link to unlock it. Not done as my account has been closed anyway.
Anonymous
Just received SMS from [REDACTED SHORTCODE]: ‘PayPal: Thanks for checking out with PayPal. Reply “Y” to confirm we have the right mobile number for you. Msg & data rates may apply.’ PayPal account shows no activity so thus seems to be a phishing text
Phil
Just got a text message on my phone from “Paypal” claiming I had just made a purchase of $19.99 from Baby Zoxa. Since my young grandson was playing with my wife’s tablet, I though he had made this purchase. I clicked on the link, but when it opened I smelled a rat and closed it. Do you think I have a problem or did I bail out in time?
Paul Ducklin
If you got to a phoney password prompt but typed in *nothing* (or nothing that was part of any real personal info) then I would suggest that you did the right thing and you bailed in time. They’re phishing; if you sniff at the bait but don’t bite down on the hook, you should be fine.
The crooks rely on the fact that out of 1,000,000 people get the bogus message, 174 of them will probably in a position just like yours and so what seems totally silly to 999,826 people will be perfectly belivable to all the others.
Michael Boucher
I had one come through on my phone, might not be common but noticed the grammar was a just slightly off. It said “PayPal:Attention” With no space after the colon. Dead giveaway right there.
Ben
Received a message said that my paypal is in limited stage. need me to go to [REDACTED NON-PAYPAL LINK]
Paul Ducklin
Don’t do it, folks :-)
Anonymous
I just got phished in exactly this way because I’m an idiot. I did change my password and all my other passwords like it immediately upon realising the mistake I made, luckily I didn’t give any credit card details away. They may very well have my name, address, email and phone number though, so I’m very nervous as to what they could do with this information. If anybody has any idea or advice that would be greatly greatly appreciated. For now though, my accounts and money are safe, and hopefully it’ll stay that way.
Paul Ducklin
I suggest doubling down on caution when it comes to emails, texts and calls now, given that these crooks can now message you more belivably that simply “Hello” or “Dear Customer”. And keep an eye on those account statements, just in case.
Andrew
A link can easily have it’s name changed completely such as “click here” and can therefor take you anywhere and not where it implies. I received the paypal scam text on my phone a few minutes ago….but do not actually have a paypal account.
Pretty funny to me but just mentioning as this is still an active scam.
FCastillo
I am getting this paypal confirmation code that I haven’t asked for.
Paul Ducklin
Assuming that you have a PayPal account, and you have set up your own account to receive confirmation codes to the same phone number, I can think of two reasons for this:
1. Someone else setup up their account with your number (in theory, this could happen by mistake). You are receiving their codes, which are useless to you. Presumably this will stop when they correct the mistake, or close the account.
2. Someone has your password and has tried to login, thus causing an unexpected message to arrive on your phone. If this is what has happened then treat it as a warning and change your password.
Ashley Young
Is this message a scam from paypal – I didn’t use the persons real name or emal. (Persons name
Persons email)
Hello Ashley Young,
We at paypal service will want you to know you have a pending payment of $200.00 USD but we have a problem crediting your account with that amount because the status of your PayPal account is not a business user which makes your account has limit and this amount seems to be above your limit, and this will not make us credit your account until you expand your limit in order for your account to be credited.
Note : You have to take this urgent step to expand your Limit.
Contact the last payer of your account Persons name (persons email.com) to send in an additional payment of $550.00 USD so that your account limit can be expand to a business user, and as soon as this is done, we will have no problem crediting your account with the total sum of $800.00 USD . Plus $50.00 USD compensation fee from PayPal as included ..
Note: An alert has been sent to Persons name (persons email.com)in regard to the $550.00 USD additional payment he has to send to you, we will secure this transaction with high priority that neither the payer nor the payee will lose funds in this transaction.
Thank you for using PayPal!
The PayPal Team
Paul Ducklin
Yes, it’s a scam. (And it’s not actually from PayPal, of course. It just says it’s from PayPal.)