Fake PayPal Cryptocurrency Payment Receipt Coerces Victims to Make Contact Via Phone
In this attack, attackers impersonated PayPal to send what appears to be an invoice for a recent cryptocurrency purchase. The email was sent from a Gmail account and states that a purchase was made for $863.50 (0.023 Bitcoin). The email goes on to state that if the recipient did not authorize the purchase, they should call a “representative” at the phone number provided.
Why It Bypassed Traditional Security
Text-only attacks like this one generally cannot be detected by a secure email gateway, because the message carries none of the indicators of compromise (malicious links or attachments) that such gateways rely on. The email was sent from a freely available Gmail account, so there is no bad domain reputation for traditional security providers to discover, and it passes all authentication checks for SPF, DKIM, and DMARC.
Detecting the Attack
Detecting this attack requires awareness of emerging threats combined with content analysis that recognizes the tone of the email and the phone number embedded in it. In addition, lookalike content can show how this attack relates to other phone-based text attacks, which have become increasingly popular in recent months because of their ability to bypass email gateways.
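As an added illustration of the content-analysis approach described above (example code, not a vendor's detection logic), the following heuristic scores a message on the traits this attack combines: a brand name paired with a free-webmail sender, payment-receipt language, a phone number next to a "call us if you did not authorize this" hook, and no links at all. The phrase lists, threshold and both sample emails are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed heuristics for callback-phishing receipts of the kind described
# above (no link or attachment, a free-webmail sender posing as a brand, and a
# phone number as the only way to "dispute" the charge). Phrase lists and the
# threshold are illustrative assumptions, not a vendor's detection logic.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
BRANDS = {"paypal"}  # extend with other commonly impersonated brands
RECEIPT_RE = re.compile(r"\b(invoice|receipt|purchase|order|bitcoin|btc)\b")
CALLBACK_RE = re.compile(
    r"\b(did not authori[sz]e|call (?:us|our|a|the)|representative|contact us)\b")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.I)


def score_message(from_header: str, subject: str, body: str) -> dict:
    """Return a verdict plus the indicators that fired for one message."""
    text = f"{subject}\n{body}".lower()
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    brand = next((b for b in BRANDS if b in display.lower() or b in text), None)
    phones = PHONE_RE.findall(body)
    indicators = []
    if brand and domain in FREE_WEBMAIL:
        indicators.append(f"claims to be {brand} but sent from {domain}")
    if RECEIPT_RE.search(text):
        indicators.append("payment-receipt language")
    if phones and CALLBACK_RE.search(text):
        indicators.append("phone number paired with a call-to-action")
    if phones and not URL_RE.search(body):
        indicators.append("no links: the phone number is the only contact channel")
    verdict = "suspicious" if len(indicators) >= 3 else "benign"
    return {"verdict": verdict, "indicators": indicators, "phones": phones}


# Constructed sample modelled on the email described above (not the real one).
SAMPLE_FROM = "PayPal Service <billing.notice.example@gmail.com>"
SAMPLE_SUBJECT = "Receipt for your cryptocurrency purchase"
SAMPLE_BODY = ("A purchase of $863.50 (0.023 Bitcoin) was made from your PayPal "
               "account. If you did not authorize this purchase, call our "
               "representative at (800) 555-0199 within 24 hours.")

# Constructed benign notification for contrast: real domain, a link, no dispute hook.
BENIGN_FROM = "PayPal <service@paypal.com>"
BENIGN_SUBJECT = "Your receipt"
BENIGN_BODY = ("Your receipt for order 1234 is available at "
               "https://www.paypal.com/activity. Questions? Call 1-888-555-0100.")
```

Running `score_message` on the two samples flags the constructed lure with all four indicators and leaves the benign notification (real domain, a link, no dispute hook) below the threshold.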
Risk to Organization
If the target calls the number provided, they will probably be instructed to download malicious software. Once the malware is installed, attackers can perform a variety of nefarious actions, including escalating it into a ransomware attack.