The Singapore Police Force (SPF) and the Cyber Security Agency of Singapore (CSA) have issued an alert on a scam involving compromised PayPal accounts.
In these cases, victims would receive automated notifications from PayPal either in the form of emails or PayPal’s inbox messages, informing them of various activities such as profile changes and receipts for transactions on their accounts.
Upon checking their PayPal accounts, some victims discovered that funds from unknown sources were deposited, or that funds were being transferred to unfamiliar bank accounts added by the cybercriminals.
Subsequently, the cybercriminals would initiate a chargeback request. The victims would then receive an automated notification, and funds were recovered from their accounts, resulting in a deficit balance.
SPF said that a total of 27 such cases were reported from January 1 to February 9. 2024.
Law enforcement agencies have identified that compromising online credentials and passwords could be due to several reasons like using weak passwords, visiting phishing websites or downloading files infected with malware.
They had also warned about re-using the same password for multiple online accounts which may lead to data theft,
Currently, the public has been advised to adopt preventive measures such as implementing additional security features to PayPal accounts by enabling passkeys and two-step verification, using strong passwords consisting of at least 12 characters with uppercase and lowercase letters, numbers or symbols, and using different passwords for each of online accounts.
"Even if your PayPal account is inactive, you should still change your passwords from time to time as a best practice," CSA said.
It also recommends removing any devices that are no longer used or are not recognised in PayPal account’s “trusted device” list.
PayPal had recently in December 2023 revealed a credential stuffing attack on its servers that affected nearly 35,000 PayPal accounts, exposing personal information including names, addresses, social security numbers, tax identification numbers, and users' birth dates.
The company said unauthorised parties accessed PayPal customer accounts, but there is no evidence that login credentials were obtained through any company systems.
