A new phishing email is targeting PayPal users trying to trick them into calling a phone number and revealing their credit card information.

Security company Sophos says the email purports to come from PayPal and claims the recipient’s account has been the subject of fraudulent activity.

Unlike normal phishing scams, there is no internet link or response address, but instead a prompt to call a phone number and verify their details.

When dialled, users are greeted by an automated voice saying: ‘Welcome to account verification. Please type your 16 digits card number.’

If victims fall for the ruse, the scammer can steal the information and go on a spending spree. To appear legitimate, users are asked to re-enter their details if incorrect details are given.

Although the telephone number is American, Graham Cluley, senior technology consultant at Sophos says the fact that PayPal is global means people are more likely to be tricked.

‘This scam underlines a real problem for online companies in how they communicate with their customers. Many users are beginning to learn not to click on links in unsolicited emails, and only visit legitimate web sites, but how many would know whether a phone number for a web site is genuine or not,’ said Cluley.

He says it’s the first time a scam of this nature has targeted PayPal, but says it has been used to try and trick customers of some large American banks.

‘It it taking it to a new scale in the number of people it tries to trick because PayPal is global,’ he said.

He says this type of attack is likely to escalate with hackers ‘harvesting’ messages from corporate switchboard systems to sound even more like the legitimate company.

‘Phishers are changing their tactics. With voice over IP, they can set up a fake company switchboard on a computer,’ he warned.

‘The problem is that users know the url of their favourite websites, but they don’t easily know their telephone numbers,’ he said.

Cluley says online companies can improve the security of communication with their customers through increasing use of private messages.

‘If a customer is told via email that there is a message waiting for them and they have to log in to the site to get it, there is less scope for scams,’ he said.

What do you think? Email us at: feedback@computing.co.uk