An account posing as PayPal used a paid promotion on Twitter to bait users into sharing their personal information under the guise that they were entering an end-of-year contest, The Next Web reported this week.
TNW reporter Matthew Hughes first reported the since-deleted promoted tweet from @PaypalChristm, which he said appeared in his timeline. The tweet had several obvious signs of being a scam, which Hughes noted included not only its shady unverified account “with fewer than 100 followers,” but also a sketchy-arse promotional image seemingly designed to suggest that a car and an iPhone were up for grabs. A link included in the tweet reportedly led to a page that resembled PayPal’s login page and asked users to enter their personal information and credit card details:
Clicking through on the phishing link, you get to a page that – at least, superficially – looks like the legitimate PayPal login site. The scammers had very clearly gone to great efforts to make it look like the real deal. The most obvious clues that it was a scam were in the lack of HTTPS and the URL.
I logged in with obviously bogus credentials and was presented with – again – a superficially legitimate-looking page that asked me to confirm my credit card details. This suggests that the attackers weren’t merely interested in accessing PayPal accounts, but also wanted to be able to exploit the victim financially outside of the popular fintech platform.
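The two URL-level clues Hughes describes, a login page served without HTTPS and an address that is not PayPal's own, are exactly the checks a mail gateway or a cautious reader can apply before clicking. The following is an added example, not code from the original report or from PayPal; it assumes a constructed allowlist (`paypal.com` as the only legitimate registrable domain) and constructed sample URLs, and it also flags two related tricks the article does not mention but that the same check catches: a `user@host` prefix that puts the brand name in the visible address while connecting elsewhere, and a bare IP address as the host.

```python
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed allowlist for this example: the registrable domain that
# legitimately serves the sign-in page. Hypothetical, not PayPal's own list.
LEGIT_DOMAINS = {"paypal.com"}
BRAND = "paypal"


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two host labels.

    Adequate for .com-style hosts; production code should consult the
    Public Suffix List (e.g. the tldextract package) so that co.uk-style
    suffixes are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(url: str) -> list[str]:
    """Return the URL-level red flags, in a fixed order, for one link."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    flags = []

    # Clue 1 from the report: a credential form served over plain HTTP.
    if parsed.scheme.lower() != "https":
        flags.append("no-https")

    # "https://www.paypal.com@evil.example/" displays paypal.com in the
    # address text but the browser connects to evil.example.
    if parsed.username is not None:
        flags.append("userinfo-in-url")

    # A bare IP literal is never where a brand's login page lives.
    try:
        ip_address(host)
        flags.append("ip-host")
    except ValueError:
        pass

    # Clue 2 from the report: the brand name is somewhere in the link, but
    # the part of the host that decides who receives the credentials is not
    # the brand's own domain (covers paypal-xmas.example and
    # www.paypal.com.secure-login.example alike).
    on_brand_domain = registrable_domain(host) in LEGIT_DOMAINS
    if BRAND in url.lower() and not on_brand_domain:
        flags.append("brand-lookalike")

    return flags


def is_suspicious(url: str) -> bool:
    """True when any indicator fires; a zero-flag URL is merely not obviously bad."""
    return bool(phishing_indicators(url))


if __name__ == "__main__":
    # Constructed sample links for the demonstration; none are real sites.
    for sample in (
        "https://www.paypal.com/signin",
        "http://paypal-christmas-prize.example/login",
        "https://www.paypal.com.secure-login.example/",
        "http://203.0.113.5/paypal/",
        "https://www.paypal.com@evil.example/",
    ):
        print(sample, "->", phishing_indicators(sample) or "no indicators")
```

The check is deliberately a triage aid rather than a verdict: a lookalike site served over HTTPS on a freshly registered domain passes the first test and only trips the second, which is why the domain comparison, not the padlock, is the part to trust.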
Twitter confirmed to Gizmodo that the tweet was promoted on its platform for what it said was a roughly 30-minute window before it was taken down. The company said that it took “appropriate measures” to ensure that the account would no longer be able to advertise on the site, and the account was suspended as of Wednesday evening.
Despite what may seem like telltale signs to an informed observer, phishing scams can be incredibly deceptive to unsuspecting victims. The U.S. Federal Trade Commission recently warned of a phishing scam masquerading as a support email from Netflix asking users to update their payment information, even though the company states on its website that it will never ask users for their personal information over email. While Twitter said it has a “robust” system in place to catch this kind of fraudulent behaviour, such promotions do sometimes slip through the cracks.
PayPal did not immediately return a request for comment about the incident, but we’ll update this post if we hear back.