Phishing scams are nothing new, but it’s certainly unusual to see them show up in your Twitter timeline as a promoted tweet. Nevertheless, earlier this evening, I came across this promoted post from the (since deleted) account @PaypalChristm.
The account purported to be a legitimate PayPal account and promoted an end-of-year sweepstakes event. While it didn’t explicitly say what the prizes were, it dangled the prospect of a new car and an iPhone in front of the potential marks. To be in with a chance of winning, all you must do is verify your details.
Except, it’s a fake. Sorry, I said the words. I’ve got to use the GIF here.
Yeah, anyway. There were several tell-tale clues that @PaypalChristm wasn’t exactly kosher. For starters, in the phishing URL, it misspelled “PayPal” as “Paypall.” Furthermore, the tweet came from an unverified account with fewer than 100 followers. And then there’s the fact that the image on the promoted tweet just wasn’t congruent with PayPal’s distinctive branding. It looked like something someone knocked up in MS Paint in less than ten minutes.
Clicking through on the phishing link, you get to a page that – at least, superficially – looks like the legitimate PayPal login site. The scammers had very clearly gone to great efforts to make it look like the real deal. The most obvious clues that it was a scam were in the lack of HTTPS and the URL.
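The clues above (a near-miss spelling of the brand, plain HTTP, and a host that isn’t the real one) can be checked automatically before anyone clicks. Below is an added triage helper, not code from this post or from PayPal; the official host list and the sample URLs are constructed for illustration.

```python
"""Triage heuristics for a suspected brand-impersonation URL.

Added example; not part of the original post. OFFICIAL_HOSTS and the
sample URLs are constructed for illustration, not taken from the scam.
"""
from urllib.parse import urlparse

# Assumption: the only hosts a legitimate login page would use (illustrative list).
OFFICIAL_HOSTS = {"paypal.com", "www.paypal.com"}
BRAND = "paypal"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings such as 'paypall'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_url(url: str) -> list[str]:
    """Return the red flags found for a URL (an empty list means none were found)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    flags = []
    if parsed.scheme != "https":
        flags.append("no-https")           # the login page in the post lacked HTTPS
    if host in OFFICIAL_HOSTS:
        return flags                       # genuine host: nothing more to flag
    # Inspect every dot- or hyphen-separated label of the host so that both
    # 'paypall.example' and 'secure-paypal.example' are caught.
    for label in host.replace("-", ".").split("."):
        if label == BRAND:
            flags.append("brand-name-on-unofficial-host")
            break
        if 0 < edit_distance(label, BRAND) <= 2:
            flags.append(f"lookalike-brand-label:{label}")
            break
    return flags
```

Feed it the URLs from a promoted-tweet feed or a mail gateway log; anything that returns a non-empty list is worth a human look.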
I logged in with obviously bogus credentials and was presented with – again – a superficially legitimate-looking page that asked me to confirm my credit card details. This suggests that the attackers weren’t merely interested in accessing PayPal accounts, but also wanted to be able to exploit the victim financially outside of the popular fintech platform.
PayPal is a huge, globally recognizable financial services brand, with hundreds of millions of users. It’s no surprise that someone would seek to capitalize on its name in order to scam ordinary folks. Indeed, PayPal phishing scams have floated around people’s inboxes for years. Decades, even. Perhaps it was only a matter of time until they made the leap from the inbox to the newsfeed.
This incident fits into a larger trend of digital ne’er-do-wells using promoted tweets as part of their schemes. The most notable example of this features a compromised (and almost always verified) Twitter account that’s been modified to look as though it belongs to Elon Musk. This then invites the public to send Bitcoin (or another major cryptocurrency, like Ethereum) to a specific wallet in order to get a greater sum back.
While Twitter has been clamping down on the now-notorious Elon Musk scam, the one highlighted in this post obviously managed to slip through the cracks. I’m certainly curious as to how this happened as, at least from the outside, it certainly looked like an obvious PayPal phishing scam.
TNW has reached out to PayPal and Twitter for comment. When we hear back from them, we’ll update this post.