Active PayPal Phishing Scam Targets SSNs, Passport Photos

Phishing emails have been uncovered that request a full rundown of personal data – even asking for photos of passports.

A recently uncovered phishing campaign, targeting PayPal users, pulls out all the stops and asks victims for the complete spectrum of personal data – even going so far as to ask for social security numbers and uploaded photos of their passports.

The campaign starts with a fairly run-of-the-mill phishing email, purporting to be from the online payment company’s notifications center, which warns victims that their account has been limited because it was logged into from a new browser or device. The email recipient must verify his or her identity by clicking on a button, which is a address that then redirects the browser to an attacker-owned landing page, which asks for a complete rundown of personal data.

The ongoing campaign showcases “the current ‘let’s take all that we can get’ mentality of the attackers quite well,” Jan Kopriva, with the Computer Security Incident Response team at information tech company ALEF NULA, said in a Monday SANS ISC InfoSec Forum post. “Over the years, phishing authors seem to have learned that once they hook a phish, they should try to get all the information they can from them. This is the reason why many current campaigns don’t stop after getting the usual credit card information, but go further.”

Like other phishing campaigns, this particular scam comes with some major red flags. While the initial email sender shows up under the name “Support,” a closer look at the email address shows it is from [service53659(at)], rather than a legitimate PayPal email address. Some parts of the phishing email make strange use of exclamation points – For instance, the top of the email says “PayPal Notifications Center !” and the phishing link button reads, “Secure and update my account now !”

PayPal phishing Also, while the landing page pretends to be a legitimate PayPal login screen with the PayPal brand at the top, the phishing page (https://www[.]leemou[.]com/files/selector/) is clearly not a PayPal domain.

However, if victims are gullible enough to enter their credentials, a general information gathering form is then displayed.  The landing page at first asks for the victims’ billing information and credit card details, but later takes the campaign a step further and asks victims to fill in a social security number and card PIN number.

If they manage to collect that information, attackers take the scam to the next level, on the last page asking victims to upload photos of their valid government issued photo ID, passport, driving license or credit card.

“What might be a bit unfortunate from the standpoint of a potential victim is that after the user uploads a file, the page is refreshed but no confirmation is displayed,” said Kopriva. “This means that a less vigilant user might upload multiple photos of documents while thinking that their previous attempts were invalid for some reason.”

PayPal phishing

It’s far from the first scam to involve PayPal. In November, a Utah eye clinic informed 20,000 patients that they were the victims of a data breach that happened a year and a half ago and linked patients to a scam involving PayPal. Recently, the prolific phishing gang known as 16Shop has also added PayPal customers to its target set. Kopriva said he has reported the phishing scam to PayPal. PayPal has said that legitimate emails will always come from a address and will also address customers by their first and last names. Emails will also never ask users for sensitive information like their bank account or password, or contain any attachments, PayPal said in a post about scams on its website.

“Though verifying a correct sender address is important, it’s not enough. It’s important to look at the entire email,” according to PayPal. “When you check your account, always enter “” into your browser instead of clicking a link in an email.”

Phishing campaigns continue to hit businesses and personal consumers, usually using updated, tricky tactics to avoid detection or luring victims with trending themes like coronavirus, sporting events like the World Cup and more.

Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us Wednesday, Feb. 19 at 2 p.m. ET when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.


  • Alex ray on

    This is really old news it's been going on for almost 5 years......
  • Trish on

    I happened to fall victim to this phishing scam, what if I exited halfway through when I realized something is wrong? I am fairly concerned that I have entered my bank account and routing number as well as SSN. What can I do to protect myself from identity theft?
  • Iteme james on

    Please how can I successfully open a real PayPal account. Thanks
  • jeremy walsh on

    My total lost with these three companies was USD832,576.91 as of july 9, 2019. I needed a major portion of this balance to pay off the down-liners who were threatening to file charges for misleading as well as fraud. Their combined balance is approximately USD600, 000. A top wealth recovery company in the US brilliantly helped recoup 92% of my lost capital to these fraud companies all within a 2 week period. I can't thank you enough Scams Rescue enough. I am typing this with tears rolling down my cheeks! Please stay away from crypto investment scams to avoid the agony and pain I went through! Contact; info AT scamsrescue DOT com
  • Melinda Dailey on

    I recieved a voicemail from a supposed customer service rep at paypal saying there was a hold on my acct. However when i called the number back it a tually went to paypal, or someone acting as paypal. Then after calling the actual paypal number on the back of my card, they had no idea what i was talking about. No hold on my acct and no record of anyone trying to contact me from paypal.
  • Rosalynn on

    Trish I fell victim also not paying attention but I changed passwords called my bank and reported my card stolen and went to credit karma and locked my information so no one can use my social security without me unlocking it
  • Joe on

    Did anything happen because of this?
  • Anonymous on

    I put my information in an email that was spam everything but credit card information. I’m special needs and wasn’t paying attention until it moved to the credit card information. I’m scared did anyone have any issues yet? What do I do I put a alert on my money account. I reported it to PayPal. Is that enough?

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.