WWW.FORBES.COM
PayPal Security Warning: $2,000 Phish-Free Phishing Attack Confirmed
PayPal users are warned of new no-phish phishing attacks. Getty Images

Update, Jan. 10, 2025: This story, originally published Jan. 9, now includes a statement from PayPal and further background information regarding phishing mitigation for users.

When is a phishing attack not a phishing attack? That is the question posed by Fortiguard's chief information security officer after he was targeted by a new attack using a legitimate PayPal feature, sent from a legitimate address, with a seemingly legitimate URL as well. Here's what you need to know about the phish-free PayPal phishing attack.

The Evolution Of Phishing Attacks

PayPal Users Now In The Crosshairs

Phishing attacks are getting ever more clever in their approach, as a recent news article highlighting how genuine Google security prompts are being used to scam victims into giving up their account credentials revealed. While the do-not-click advice is, as always, the baseline for anti-phishing best practice, it's no longer good enough when legitimate features are being exploited by hackers in no-phish phishing attacks. Let this example of just such an attack, using legitimate PayPal functionality, be a warning to you: if the CISO of a security company thinks it's highly dangerous, then so should you.

"A genuine email can't still be a problem, can it?" That's the question that Fortiguard chief information security officer Dr. Carl Windsor posed in a new warning posted to the Fortiguard Labs Threat Research blog on Jan. 8. Reporting how the email in question, purporting to be from PayPal, with a sender address that appears to be valid and not spoofed, and using a genuine PayPal money request feature, could fool his mother (the standard test he uses in such circumstances), Windsor warned that the attack "doesn't use traditional phishing methods."
In fairness, it sounds pretty fishy to me so far, but let's explore further to see what Windsor means.

The No-Phish PayPal Phishing Scam

"The email, the URLs, and everything else is perfectly valid," Windsor explained, and when you click on the link (don't do that), the victim is redirected to a PayPal login page showing a request for payment. The trick being employed by the attackers here is that the PayPal request is tied to the address it was sent to rather than the mailbox it was received in. The victim might not notice that the email was addressed to a user who had registered a free Microsoft 365 test domain to create the distribution list that contained the target emails. By then using the legitimate PayPal payment request feature with this list as the recipient address, everything looked completely legitimate. Apart, that is, from the To: address field, which the victim can easily miss unless they happen to be a chief information security officer, or at least you'd hope not. The payment request, in this case, was for $2,185.96, which is large enough to be profitable at scale yet small enough not to raise too much suspicion for many corporate targets.

PayPal phishing without the usual phishing tactics. Fortiguard Labs Threat Research

"As a trusted commerce platform, PayPal takes pride in our work to protect our customers from evolving scams and fraud activity, including this common phishing scam," a PayPal spokesperson said. "We encourage customers to always remain mindful online, especially this time of year, and to visit PayPal.com for additional tips on how to protect themselves."

Mitigating The PayPal Phishless Phish Attack

By way of background, PayPal told me that it takes all the necessary steps to protect customers as scammers continually evolve their attack methodologies. This involves a number of things, used in combination, such as manual investigations and technology-led protections.
PayPal is also proactive when it comes to limiting accounts and declining transactions that are deemed to be potentially risky. PayPal customers have likely already seen some of these fraud detection technologies in action, such as the fraud reminder notifications and advice that come part-and-parcel with global invoice and peer-to-peer money requests.

"The best solution is the Human Firewall," Windsor said, "someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look."

Elad Luz, head of research at Oasis Security, meanwhile, warned that exploiting a vendor feature and sending from a verified source makes these attacks difficult for mailbox providers to distinguish from genuine communications, leaving PayPal as potentially the only entity capable of mitigating the issue.

As well as resources detailing how to spot a fake PayPal email and how to keep scammers from gaining access to your PayPal account, PayPal advises customers to:

- Remain mindful when being asked to participate in a transaction, particularly with someone they don't know or to whom they do not owe any money.
- Not pay any unexpected or suspicious invoices or payment requests, and also not respond to those requests in any way, including the sharing of personal information.
- If they have shared personal information or clicked links, change their account password and contact PayPal as well as their financial institution immediately.
- Enable two-factor authentication.
- Report any phishing emails to the PayPal security team by forwarding them to phishing@paypal.com and then deleting them.
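The one signal Windsor had to work with was the To: field: a genuine PayPal money request, from a genuine sender, that named a distribution-list address rather than his own mailbox. The following Python is an added example, not code from the Forbes article, Fortiguard or PayPal, showing how a mailbox-side triage rule can surface that mismatch automatically. It assumes raw RFC 5322 messages and that the filter knows the address of the mailbox the message was delivered to; the sample message, addresses and domains are constructed placeholders.

```python
# Added example (not from the Forbes article, Fortiguard or PayPal):
# a mailbox-side triage check for the "no-phish" money-request pattern,
# where a legitimate payment request is addressed to a distribution list
# instead of the victim's own mailbox.
import email
from email import policy

# Constructed sample modelled on the mechanism described in the article.
# The addresses and domains are placeholders, not real indicators.
SAMPLE_MESSAGE = """\
From: service@paypal.example
To: Billing Dept <billing-list@trial-tenant.example>
Subject: You've received a money request
Content-Type: text/plain; charset="utf-8"

Hello, you have a payment request for $2,185.96. Log in to review.
"""

# Wording that marks a message as asking for money.
PAYMENT_WORDS = ("money request", "payment request", "invoice")


def recipient_addresses(msg):
    """Return the lower-cased addr-specs named in the To: and Cc: headers."""
    found = set()
    for header in msg.get_all("To", []) + msg.get_all("Cc", []):
        for addr in header.addresses:
            found.add(addr.addr_spec.lower())
    return found


def triage(raw_message, mailbox_address):
    """Classify one message for the mailbox it was delivered to.

    Returns the two signals and a verdict: "review" when the message
    carries payment-request wording but does not name the delivered-to
    mailbox in To:/Cc: (the list-address trick), otherwise "ok".
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    recipients = recipient_addresses(msg)
    subject = str(msg["Subject"] or "").lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    text = subject + "\n" + body

    addressed_directly = mailbox_address.lower() in recipients
    payment_request = any(word in text for word in PAYMENT_WORDS)

    verdict = "review" if payment_request and not addressed_directly else "ok"
    return {
        "addressed_directly": addressed_directly,
        "payment_request": payment_request,
        "recipients": sorted(recipients),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # The mailbox the message landed in is not the address it was sent to.
    print(triage(SAMPLE_MESSAGE, "alice@victim.example"))
```

The rule deliberately says nothing about the sender or the URLs, because in this attack both were genuine; it fires on the only thing that differed from a real request, which is that the person being asked for money was never named in the message. In practice the flagged message would be routed to a review queue or tagged with a banner rather than blocked, since list-addressed invoices also occur legitimately.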