Sophos reports that criminals are attempting to trick PayPal users into calling a phone number and revealing credit card account information.
The tactic follows the same patterns as a recently detected "phone phishing" attack targeting customers of the Santa Barbara Bank & Trust. The attack on PayPal, writes The Register, "shows that the approach is going mainstream."
The email, which purports to come from PayPal, claims that the recipient's account has been the subject of fraudulent activity. However, unlike normal phishing emails, it contains no internet link or response address. Instead, the email urges the recipient to call a phone number and verify their details. When the number is dialled, callers are greeted by an automated voice saying:
"Welcome to account verification. Please type your 16 digits card number."
Once the credit card details are entered, the scammer is free to steal the information for their own gain. If incorrect card details are entered, the system asks for them to be re-entered, which makes the fraudulent telephone number, which is still live, appear more legitimate.