PayPal Spoofed in Credential Phishing Attack

January 15, 2021

PayPal is a well-known money transfer application, used often between friends and family as well as for small businesses. Because PayPal accounts are often linked to credit cards and bank accounts, the company itself is a commonly impersonated brand from attackers hoping to steal that information from unsuspecting victims.

In this attack, attackers use a method known as spoofing to impersonate PayPal, leading recipients to a phishing page.

Summary of Attack

  • Platform: Office 365
  • Bypassed Email Security: Ironport
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Spoof

Overview of PayPal Spoofing Attack

This email appears to be sent from PayPal (, which is a real PayPal domain), telling recipients that their account has been flagged and limited. However, authentication fails for this message and the actual sending domain is ‘’, a domain that has no correspondence to PayPal. The attacker is attempting to gain the trust of the recipient by making it appear as though PayPal has sent the email. This method—spoofing a real domain—can deceive the recipient into thinking the email is legitimate and coming from PayPal.

It may look as though the link within this email will take the recipient to, but the attacker uses a concealed link in an attempt to fool the recipient. When clicked, the link in the email actually leads the recipient to a phishing page at ‘’. This landing page looks nearly identical to the real website and asks the recipient to input their email or phone number and password.

For the casual observer, it'd be difficult to notice that this is a phishing site, as the only true indicator is the suspicious URL. If the recipient does click on the concealed link and input their credentials into this fake PayPal page, the attacker will then gain access to their PayPal account and all of the sensitive, personal information inside. For those unlucky victims with money sitting in the account, the attacker would be able to transfer those funds to an account under their control, or use the banking and credit card details to make purchases.

Why the Spoofed PayPal Attack is Effective

The attacker’s meticulous work in creating this fake PayPal website makes this attack very effective. The landing page may look nearly identical to the actual website, but the domain, ‘’, is, of course, not a PayPal domain. Without scrutinizing the real email address or the domain, the recipient may not notice that these are not actually from PayPal. Furthermore, because PayPal is commonly used for payment across the Internet, recipients who receive this may try to quickly fix their supposedly flagged and limited account, and therefore overlook signals that this is an email attack.

Abnormal was able to detect this malicious email due to a variety of factors, including the unusual sender domain and the suspicious link. In addition, the unusual authentication statuses and email sign off indicate that it may be malicious—causing Abnormal to block it before it reached end users.

To learn how Abnormal can block malicious emails for your organization, request a demo today.


Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 09 29 22 CISO Cybersecurity Awareness Month
October is here, which means Cybersecurity Awareness Month is officially in full swing! These five tips can help security leaders take full advantage of the month.
Read More
B Email Security Challenges Blog 09 26 22
Understanding common email security challenges caused by your legacy technology will help you determine the best solution to improve your security posture.
Read More
B 5 Crucial Tips
Retailers are a popular target for threat actors due to their wealth of customer data and availability of funds. Here are 5 cybersecurity tips to help retailers reduce their risk of attack.
Read More
B 3 Essential Elements
Legacy approaches to managing unwanted mail are neither practical nor scalable. Learn the 3 essential elements of modern, effective graymail management.
Read More
B Back to School
Discover how threat group Chiffon Herring leverages impersonation and spoofed email addresses to divert paychecks to mule accounts.
Read More
B 09 06 22 Rearchitecting a System Blog
We recently shared a look at how the Abnormal engineering team overhauled our Unwanted Mail service architecture to accommodate our rapid growth. Today, we’re diving into how the team migrated traffic to the new architecture—with zero downtime.
Read More
B Industry Leading CIS Os
Stay up to date on the latest cybersecurity trends, industry news, and best practices by following these 12 innovative and influential thought leaders on social media.
Read More
B Podcast Engineering 11 08 24 22
In episode 11 of Abnormal Engineering Stories, David Hagar, Director of Engineering and Abnormal Head of UK Engineering, continues his conversation with Zehan Wang, co-founder of Magic Pony.
Read More
B Overhauled Architecture Blog 08 29 22
As our customer base has expanded, so has the volume of emails our system processes. Here’s how we overcame scaling challenges with one service in particular.
Read More