An alarming new technique is gaining momentum: threat actors are sending “double-spear” phishing emails using real, trusted corporate domains to disarm victims

Since June 2022, researchers from Check Point Software have been detecting hackers that are using a genuine PayPal domain to send fake invoices and request payments for spear phishing campaigns.

By using free PayPal accounts that they have signed up for, hackers have been sending phishing emails spoofing well-known brands to appear legitimate. A sense of urgency is incorporated by providing an actual phone number for victims to call for verification. In some cases, the recipients of the emails end up calling the listed telephone number and paying what the fake invoice indicates.

This attack is what hackers on the Dark Web call a “double spear”: catching not only an active email address but also the victim’s phone number—data which can be used for future attacks.

End users of PayPal and similarly established websites are even more vulnerable now, because what was previously considered a legitimate source by both security services and end users is now a potential threat where phishing invoices are created.

Users of QuickBooks have been targeted in the same way: threat actors created accounts on the official website in order to send emails originating from the brand, impersonating other well-known brands such as Microsoft, and attaching invoices and requests for payment.

So are there ways to prevent yourself from getting phished? According to Clement Lee, Principal Consulting Security Architect (APAC) at Check Point Software Technologies, there is no foolproof way, but the following cyber hygiene practices can protect corporate users and their employers:

  • Before calling an unfamiliar service, search for the number online and check your accounts to verify whether there are any charges.
  • Implement advanced security solutions that check more than one indicator to determine whether an email is clean or not.
  • Encourage all staff to check with the IT department when they are in doubt about the legitimacy of an email.
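As an added illustration of the "more than one indicator" point (example code written for this article, not Check Point's product logic), the following Python heuristic scores a constructed invoice email: the sending domain is taken to be genuine, so the check looks instead at a third-party brand named in the body, a callback phone number and urgency wording, and escalates only when several of these stack. The platform list, brand list and sample messages are assumptions made for the example.

```python
import re

# Constructed lists for this example; a real filter would pull them from policy.
INVOICE_PLATFORMS = {"paypal.com", "intuit.com"}   # mail from these authenticates fine
IMPERSONATED_BRANDS = {"microsoft"}                # brand the article says was impersonated
URGENCY_TERMS = ("immediately", "within 24 hours", "will be charged", "unauthorized")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL_RE = re.compile(r"\b(call|dial|contact)\b", re.IGNORECASE)

def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the From: address, or '' if none."""
    match = re.search(r"@([\w.-]+)", from_header)
    return match.group(1).lower() if match else ""

def invoice_indicators(from_header: str, body: str) -> list:
    """Collect independent social-engineering indicators from an invoice email."""
    hits = []
    domain = sender_domain(from_header)
    text = body.lower()
    if domain in INVOICE_PLATFORMS:
        # The platform really sent this; that only tells us who delivered it, not
        # who created the invoice, so treat it as an indicator rather than a pass.
        hits.append("sent_via_invoice_platform")
        platform = domain.split(".")[0]
        hits += [f"third_party_brand:{b}" for b in IMPERSONATED_BRANDS
                 if b in text and b != platform]
    # The "double spear" hook: a phone number beside an instruction to call it.
    if any(PHONE_RE.search(line) and CALL_RE.search(line) for line in body.splitlines()):
        hits.append("callback_phone_number")
    if any(term in text for term in URGENCY_TERMS):
        hits.append("urgency_language")
    return hits

def verdict(hits: list) -> str:
    """Escalate only when several indicators stack; one alone is normal traffic."""
    return "hold_for_review" if len(hits) >= 3 else "deliver"

# Constructed sample messages (no real invoices or phone numbers).
FAKE_FROM = "service@paypal.com"
FAKE_BODY = (
    "You have received an invoice for $499.99 from Microsoft Defender Support.\n"
    "Your card will be charged within 24 hours unless you cancel.\n"
    "If you did not place this order, call 1-555-010-1234 immediately."
)
BENIGN_FROM = "service@paypal.com"
BENIGN_BODY = "You have received an invoice for $42.00 from Example Consulting LLC."
```

Calling `verdict(invoice_indicators(FAKE_FROM, FAKE_BODY))` holds the constructed fake for review on four indicators, while the benign invoice from the same sender domain is delivered on one.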