Recently, one of my colleagues shared a fraudulent email they received from PayPal. What was interesting is that, unlike other phishing scams, this email was able to pass email authentication measures and get delivered. While this is far from the most common form of phishing, it’s not an isolated incident: platforms like this can, and do, get abused.
Here’s the delivered message:
The goal of this email is ultimately to defraud the recipient and put money in the pocket of the sender, money that the sender is not entitled to.
So how does this happen?
Because of the way PayPal, and even some other platforms like LinkedIn, have configured their systems, it’s possible for bad actors to generate fraudulent content, and then use the platform to push their content to victims.
Technically, PayPal has done everything right with regard to how they send their mail. How they validate and filter content is another story. They’ve gone through the email authentication process and ensured that messages generated on their end can be delivered to the targeted recipient. We can even use Valimail’s Domain Checker to get more information about where the message came from, and we can see that the message did indeed come from a PayPal IP:
The issue is that in this case scammers are using PayPal to push a fraudulent message out to unsuspecting recipients. If this were an actual letter, the scammer basically got hold of an authentic PayPal envelope, stamped and addressed it correctly so that it arrived at its destination, but the letter inside is fraud!
How to Prevent These Scams
The best way to prevent the messages from taking advantage of unsuspecting victims is to have tighter controls on the content of the messages being sent. This is a tough nut to crack though because the content looks so similar to legitimate PayPal content.
A point to remember when it comes to email authentication and DMARC is that an authenticated email is a message “from an authorized system,” not necessarily a “good” message. For PayPal, messages like these are a common occurrence, and they even have blog posts on their end designed to help recipients.
A rule to remember here is that the bad guys only get paid when they win, so they are always, always, always going to be looking for ways to exploit the system.
Why You Need to Implement DMARC
With DMARC, domain owners can help mailbox providers identify and potentially stop fraudulent impersonation attempts that originate outside their platforms by publishing a strong DMARC policy record. While domain owners will still have work to do to try to stop the fraud, they’ll at least have visibility into it before it leaves their platform. The takeaways here are:
- With DMARC in place, bad actors are forced to take more difficult and less legal approaches to abuse you, like violating your terms of service or hacking accounts, in order to send mail using your domains.
- Without DMARC in place, fraudulent impersonation attempts can originate from anywhere, and there’s nothing the domain owner can do to prevent them. Attackers don’t need to find clever ways to abuse your domains. They can just send fraudulent email as you all day every day.
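To make the two takeaways concrete, here is an added example (not Valimail’s tooling and not PayPal’s real DMARC record) that evaluates DMARC the way a receiving mailbox provider does: it checks SPF/DKIM alignment against the From: domain and applies the published policy. The domains, the policy record and the three message scenarios are constructed; a message sent through the platform itself passes DMARC even when its content is fraud, a look-alike sent from elsewhere is rejected under p=reject, and with no record there is nothing for the receiver to enforce.

```python
# Constructed DMARC TXT record for a hypothetical platform domain (not PayPal's).
PLATFORM_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-platform.test"


def parse_dmarc(record):
    """Split a DMARC TXT record into tag/value pairs; None if it is not a DMARC1 record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (sufficient for these .test names)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_evaluate(from_domain, spf_domain, spf_result, dkim_domain, dkim_result, record):
    """Return (dmarc_pass, disposition) for one message using relaxed alignment.

    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain is the
    d= value of the verified signature. Disposition is the p= policy on failure,
    or "none" when the message passes or no policy is published.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return (False, "none")  # no DMARC record: receiver has nothing to enforce
    spf_aligned = spf_result == "pass" and org_domain(spf_domain) == org_domain(from_domain)
    dkim_aligned = dkim_result == "pass" and org_domain(dkim_domain) == org_domain(from_domain)
    passed = spf_aligned or dkim_aligned
    return (passed, "none" if passed else tags.get("p", "none"))


def scenarios():
    """Three constructed messages, each claiming From: example-platform.test."""
    return {
        # Fraudulent invoice generated on the platform: fully aligned, so DMARC passes.
        "fraud_via_platform": dmarc_evaluate(
            "example-platform.test", "mail.example-platform.test", "pass",
            "example-platform.test", "pass", PLATFORM_DMARC),
        # Same From: header forged from unrelated infrastructure: misaligned, rejected.
        "forged_elsewhere": dmarc_evaluate(
            "example-platform.test", "bulk.unrelated-sender.test", "pass",
            "unrelated-sender.test", "pass", PLATFORM_DMARC),
        # Forged mail for a domain that publishes no DMARC record: nothing to enforce.
        "forged_no_dmarc": dmarc_evaluate(
            "example-platform.test", "bulk.unrelated-sender.test", "pass", "", "none", None),
    }
```

The first scenario is the page’s point in code: DMARC proves the message came from an authorized system, so content filtering on the platform side is the only control left for that case.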
In order to stop impersonation attacks and phishing attempts coming from your domain, the best thing you can do is ensure you have a strong DMARC policy in place. Contact Valimail today to get a demo and learn how our experts can help you.