PayPal Impersonator Sends Unauthorized Transaction Alert Using Fake Outlook Email in Likely AI-Generated Vishing Attack
In this likely AI-generated vishing attack, the threat actor impersonates PayPal and emails the target regarding the registration of a PayPal Business account. Using the address "payplacconts12a@outlook[.]com", the attacker informs the recipient that their request to open a PayPal Business account has been successfully processed. The message claims that the account has been verified using the target’s social security number, and a merchant fee of $249.99 has been charged to their checking account. It also states that if the recipient did not initiate this process, they should contact PayPal immediately using one of the included phone numbers as they could be a victim of identity theft. Nearly every element of the attack is designed to create a sense of urgency and compel the target to immediately call one of the fraudulent support numbers. Should they do so, the threat actor can initiate the second stage of the attack, which involves either stealing sensitive information or trickling the target into downloading malicious software.
Older, legacy email security tools struggle to accurately identify this email as an attack because it contains no malicious attachments, employs sophisticated social engineering tactics, and contains legitimate-looking contact numbers for customer support. Modern, AI-powered email security solutions recognize the sender is unknown to the recipient, detect the mismatch between the sender name and domain, and identify content anomalies to correctly flag this email as an attack.
Likely AI-generated phishing attempt impersonating PayPal sent from a fraudulently-registered Outlook account
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Absence of Malicious Attachments: By not including suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
- Social Engineering Tactic: The email claims a significant financial transaction has occurred, creating a sense of urgency that prompts immediate action without careful scrutiny.
- Legitimate-Looking Contact Information: The email includes contact numbers for customer support, giving the appearance of a legitimate inquiry process that can bypass heuristic filtering.
How Did Abnormal Detect This Attack?
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
- Sender Name and Domain Mismatch: The sender name (PayPal) does not match the domain “outlook[.]com”, raising further suspicion during Abnormal’s analysis.
- Content Analysis: The email's urgent message about a large pending charge and the instruction to contact support if they did not initiate the sign-up process is flagged by Abnormal’s analysis algorithms as a common phishing tactic.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.