
Malwarebytes Labs has identified a new scam targeting PayPal customers that uses convincing Google search ads and specially crafted PayPal pay links to deceive users. The scheme is particularly dangerous on mobile devices, where screens are small and security software is less likely to be installed.
The scammers create ads that impersonate PayPal, often from hacked advertiser accounts. The ads show the official PayPal website as their display URL but are entirely fraudulent. A weakness in Google's landing-page policies allows anyone to impersonate a popular website as long as the landing page and the ad's display URL share the same domain.
“Essentially, crooks are abusing this feature to create a bogus pay link,” the report states. “They can customize the page by creating various fields with text designed to trick users, such as promoting a fraudulent phone number as ‘PayPal Assistance.’”
The scammers abuse PayPal's "no-code checkout" feature, which is designed to let merchants accept payments online or in person without a developer or any coding knowledge. The fraudulent pay pages have URLs of the form "paypal.com/ncp/payment/[unique ID]", so they appear legitimate to unsuspecting users: the domain really is PayPal's, even though the page contents are supplied by the scammer.

The report highlights the danger of this scam on mobile devices, where the limited screen size makes it hard to distinguish legitimate ads and websites from fraudulent ones. "Screen size plays a factor again when users click on the ad and look at the browser's address bar correctly identifying that the site is 'paypal.com'," the report explains. "As we saw above, pay links are on the same domain as paypal.com, from which they inherit trust."
Malwarebytes Labs researchers did not call the fraudulent phone number shown in the ads, but they believe that victims who do call are likely tricked into handing over personal information and defrauded.
Users should always double-check the URL of any website before entering personal information or making payments.
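The checks a careful user performs on the address bar can be written down as code. The following is an added example, not code from Malwarebytes or from the report: it parses a URL, decides whether the host is genuinely paypal.com (rejecting lookalike hosts such as paypal.com.evil.example and the `https://paypal.com@evil.example` userinfo trick), and separately flags pay links of the `/ncp/payment/<ID>` shape described above, where the domain is legitimate but everything on the page, including any "assistance" phone number, is merchant-supplied. The ID character class, the hostnames `evil.example` and the ID `ABC123` are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# The registrable domain we are verifying against.
PAYPAL_DOMAIN = "paypal.com"

# Shape of a PayPal no-code checkout pay link as described in the report:
# paypal.com/ncp/payment/<unique ID>. The ID character class is an assumption.
PAY_LINK_RE = re.compile(r"^/ncp/payment/[A-Za-z0-9]+/?$")


def classify_url(url: str) -> str:
    """Classify a URL as seen in an address bar or ad.

    Returns one of:
      'not-paypal'  host is not paypal.com or a subdomain of it
      'pay-link'    genuine paypal.com host, but a merchant-controlled pay page
      'paypal'      genuine paypal.com host, any other page
    """
    url = url.strip()
    # Address bars often hide the scheme; treat a bare "host/path" as https.
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return "not-paypal"
    # .hostname is lowercased, has the port removed, and drops any "user@"
    # prefix, so https://paypal.com@evil.example yields host "evil.example".
    host = (parts.hostname or "").rstrip(".")
    if host != PAYPAL_DOMAIN and not host.endswith("." + PAYPAL_DOMAIN):
        # Covers lookalikes such as paypal.com.evil.example, which ends in
        # ".evil.example", not ".paypal.com".
        return "not-paypal"
    if PAY_LINK_RE.match(parts.path):
        return "pay-link"
    return "paypal"


def guidance(url: str) -> str:
    """Map the classification to the check a user should perform next."""
    verdict = classify_url(url)
    if verdict == "not-paypal":
        return "Host is not paypal.com: do not enter credentials or pay."
    if verdict == "pay-link":
        return ("Genuine PayPal domain, but this is a merchant pay page: "
                "verify the merchant and ignore phone numbers shown on it.")
    return "Genuine PayPal domain."


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (
        "https://www.paypal.com/ncp/payment/ABC123",
        "paypal.com/ncp/payment/ABC123",
        "https://www.paypal.com/signin",
        "https://paypal.com.evil.example/ncp/payment/ABC123",
        "https://paypal.com@evil.example/ncp/payment/ABC123",
    ):
        print(f"{sample:55} -> {classify_url(sample)}")
```

The point of the `pay-link` class is the one the report makes: a matching domain proves only who hosts the page, not who wrote the text on it, so a domain check alone is not enough for no-code checkout pages.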