New PayPal Phishing Campaign Asks for Passport Photo, Driver’s License

A new PayPal phishing campaign is taking a novel but direct approach to fraud by asking users, in good grammar, to provide Social Security and PIN numbers, passport and driver’s license data, and even upload photos of official documents to prove they’re telling the truth.

Most phishing campaigns follow the same recipe, with bad actors looking to convince users to share sensitive information, normally consisting of banking data. But this latest PayPal phishing campaign goes further and aims to convince people to upload photos and share other information such as their Social Security number.

Jan Kopriva from tech company ALEF NULA shared the red flags that people should be watching for in this campaign. Besides the fact that neither PayPal nor any other company requires users to submit sensitive banking information online, the source of the email is the first issue, as it comes from the “” domain.

The email says your PayPal account has been locked following an unauthorized login from a new device or browser. A button with the text “Secure and update my account now” is listed at the bottom of the email. Unlike many other phishing scams, this one lacks grammar errors.

When users click on the button, they're sent to a page that looks very much like it belongs to PayPal, but it does not. The real destination is hidden behind a shortcut link, which redirects to hxxps://nadhirotultaqwa[.]com/usrah/redirect[.]php
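A defender-side check for the mismatch described above, as an added example that is not part of the original article: it refangs a reported link and tests whether its host really belongs to the brand the email claims to come from. The function names and the brand allowlist are assumptions for illustration, and every sample URL other than the one quoted in the article is constructed.

```python
from urllib.parse import urlsplit

# Assumption: domains the claimed brand really uses (illustrative allowlist).
BRAND_DOMAINS = {"paypal": {"paypal.com"}}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps://host[.]tld) back into a parseable URL."""
    out = indicator.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    if out.lower().startswith("hxxp"):
        out = "http" + out[4:]
    return out


def link_host(url: str) -> str:
    """Host the browser would contact; anything before '@' is only userinfo."""
    host = urlsplit(refang(url)).hostname or ""
    return host.rstrip(".").lower()


def belongs_to_brand(url: str, brand: str) -> bool:
    """True only for an allowlisted domain or a true subdomain of one."""
    host = link_host(url)
    return any(host == d or host.endswith("." + d)
               for d in BRAND_DOMAINS[brand.lower()])


def triage(url: str, brand: str) -> str:
    """One-line verdict for a link found in a mail that claims to be from `brand`."""
    if urlsplit(refang(url)).scheme not in ("http", "https"):
        return "suspicious: not a web link"
    if belongs_to_brand(url, brand):
        return "host matches brand"
    return f"suspicious: {link_host(url)} is not a {brand} domain"


if __name__ == "__main__":
    samples = [
        "hxxps://nadhirotultaqwa[.]com/usrah/redirect[.]php",  # from the article
        "https://www.paypal.com/signin",                       # constructed
        "https://paypal.com.account-check.example/login",      # constructed lookalike
        "https://paypal.com@login.example/",                   # constructed userinfo trick
    ]
    for s in samples:
        # Print the input as given so defanged indicators stay defanged in logs.
        print(f"{s} -> {triage(s, 'paypal')}")
```

Because the campaign hides its destination behind a redirect, the same check has to be applied to every hop of the chain, not only to the link visible in the email.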

Users are even required to provide their Social Security number and their ATM or debit card PIN. To complete the scheme, users are asked to upload photos of the actual documents, including the credit card, passport, driving license, and government-issued photo ID.

No financial institution, private or governmental, will ever ask users to submit financial details, let alone copies of documents. The good news is that if you keep your Internet browser up to date and use a security solution, you will be able to spot these types of phishing schemes with ease.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Silviu STAHIE. Read the original post at: