A new and highly targeted phishing campaign is causing alarm among PayPal users across Europe, leveraging fake transaction notifications for an Air France purchase of €1,685. The scam exploits the psychological principle of panic, urging recipients to act quickly to dispute a charge they never authorized.
The attack vector begins with an email that closely mimics official PayPal correspondence. The subject line typically reads something like 'Your Payment of €1,685 to Air France Has Been Processed.' Inside, the email includes a detailed transaction summary, complete with a transaction ID, date, and even a fake customer service number. The goal is to create a sense of urgency and legitimacy, pushing the user to click a 'Dispute This Transaction' button.
Clicking the button does not lead to PayPal's legitimate website. Instead, victims are redirected to a sophisticated phishing page that replicates the PayPal login interface. Any credentials entered are captured by the attackers, who can then use them to access the victim's real PayPal account, make unauthorized transactions, or sell the information on the dark web.
Consumer protection agencies in Germany, Austria, and Switzerland have been the first to issue public warnings. The scam appears to be spreading rapidly through email lists, likely obtained from previous data breaches. The use of a specific, high-value amount (€1,685) is a deliberate tactic: it is large enough to cause panic but not so astronomical as to seem implausible.
From a technical perspective, the phishing pages are hosted on compromised WordPress sites or newly registered domains that mimic legitimate URLs. The attackers also obtain TLS certificates for these domains so the browser shows the padlock icon, further deceiving users into believing the site is secure; the padlock only indicates an encrypted connection, not that the site belongs to PayPal.
For cybersecurity professionals, this campaign highlights the need for continuous user education. Organizations should implement multi-factor authentication (MFA) on all financial accounts, deploy email filtering solutions that detect lookalike domains, and conduct regular phishing simulations. Users should be reminded to never click links in unsolicited emails; instead, they should open a browser and log into their account directly.
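As an added illustration (not from the article or from PayPal), the following Python scores messages on the indicators described above: an urgent payment/dispute lure in the subject, a sender domain that invokes "paypal" without being paypal.com, and links whose hostname is a lookalike of the real domain. The sample messages are constructed, and the registrable-domain logic is a deliberately naive stand-in for a Public Suffix List lookup.

```python
from urllib.parse import urlparse

# Constructed sample messages (not real campaign artifacts): subject, sender,
# and the hrefs extracted from the HTML body.
SAMPLE_EMAILS = [
    {"subject": "Your Payment of €1,685 to Air France Has Been Processed",
     "from": "service@paypal-secure-notice.example",
     "links": ["https://paypal.com-dispute-center.example/login"]},
    {"subject": "Receipt for your payment",
     "from": "service@paypal.com",
     "links": ["https://www.paypal.com/myaccount/activity/"]},
]

LEGIT_DOMAINS = {"paypal.com"}
LURE_TERMS = ("dispute", "unauthorized", "1,685", "air france")


def registrable_domain(host):
    """Naive eTLD+1: the last two labels. Fine for .com/.example; a production
    filter would consult the Public Suffix List instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike(host):
    """True when a hostname mentions 'paypal' but its registrable domain is not PayPal's,
    e.g. paypal.com-dispute-center.example, where 'paypal.com' is only a subdomain label."""
    return "paypal" in host.lower() and registrable_domain(host) not in LEGIT_DOMAINS


def score_email(msg):
    """Return (score, reasons) for the campaign indicators present in one message."""
    reasons = []
    subject = msg["subject"].lower()
    if any(term in subject for term in LURE_TERMS):
        reasons.append("urgent payment/dispute lure in subject")
    sender_domain = registrable_domain(msg["from"].split("@")[-1])
    if "paypal" in sender_domain and sender_domain not in LEGIT_DOMAINS:
        reasons.append(f"lookalike sender domain {sender_domain}")
    for link in msg["links"]:
        host = urlparse(link).hostname or ""
        # Note: the scheme is ignored on purpose; HTTPS proves nothing here,
        # since the lookalike sites present valid certificates too.
        if is_lookalike(host):
            reasons.append(f"lookalike link host {host}")
    return len(reasons), reasons


if __name__ == "__main__":
    for email in SAMPLE_EMAILS:
        print(email["subject"], "->", score_email(email))
```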
PayPal has acknowledged the campaign and is working with hosting providers to take down fraudulent domains. However, the attackers are likely to shift tactics, using new domains and slightly modified email templates. The key takeaway is that vigilance remains the most effective defense.