PayPal's “No-Code Checkout” Abused by Scammers
Summary:
Malwarebytes has uncovered a new campaign that exploits Google ads, directing victims to specially crafted PayPal payment links. These links trick users into calling fraudsters posing as legitimate customer service representatives. The victims are led to a page formatted as paypal[.]com/ncp/payment/[unique ID], which is part of PayPal's “no-code checkout” feature. This feature is intended to provide merchants with a simple yet secure way to accept payments. However, cybercriminals are misusing it to generate fake payment links, customizing the page with deceptive text fields, including a fraudulent phone number disguised as “PayPal Assistance.” While Malwarebytes did not personally follow-up and call the listed phone number, it suspects victims are ultimately duped into giving up their personal information which can be used for illicit purposes.
Security Officer Comments:
The development highlights a trend in actors exploiting legitimate PayPal features to target end users. Just recently, BleepingComputer reported of a PayPal email scam that was taking advantage of the platform’s gift address feature to send fraudulent emails impersonating PayPal customer service. These emails aimed to gain remote access to victims' systems through tools like ConnectWise ScreenConnect. The latest campaign shares a similar motive, taking advantage of PayPal's no-code checkout feature, which allows users to easily create custom pay links, buttons, and QR codes, with no coding experience required. Since these pay links reside on the same domain as PayPal (paypal[.]com), this increases the likelihood of end users falling victim.
Suggested Corrections:
Users should be cautious when clicking on Google ads, as cybercriminals can easily purchase them to promote phishing pages. Malwarebytes highlights that this campaign is especially effective against mobile users. Due to the limited screen space on mobile devices, the first search results often include Google ads and the "AI overview" feature, making it more likely that users will click on these links. With actors actively purchasing ads mimicking official brands like PayPal, it is important that users scroll past these ads and select more trusted organic results instead.
Link(s):
https://www.malwarebytes.com/blog/scams/2025/02/paypals-no-code-checkout-abused-by-scammers
Malwarebytes has uncovered a new campaign that exploits Google ads, directing victims to specially crafted PayPal payment links. These links trick users into calling fraudsters posing as legitimate customer service representatives. The victims are led to a page formatted as paypal[.]com/ncp/payment/[unique ID], which is part of PayPal's “no-code checkout” feature. This feature is intended to provide merchants with a simple yet secure way to accept payments. However, cybercriminals are misusing it to generate fake payment links, customizing the page with deceptive text fields, including a fraudulent phone number disguised as “PayPal Assistance.” While Malwarebytes did not personally follow-up and call the listed phone number, it suspects victims are ultimately duped into giving up their personal information which can be used for illicit purposes.
Security Officer Comments:
The development highlights a trend in actors exploiting legitimate PayPal features to target end users. Just recently, BleepingComputer reported of a PayPal email scam that was taking advantage of the platform’s gift address feature to send fraudulent emails impersonating PayPal customer service. These emails aimed to gain remote access to victims' systems through tools like ConnectWise ScreenConnect. The latest campaign shares a similar motive, taking advantage of PayPal's no-code checkout feature, which allows users to easily create custom pay links, buttons, and QR codes, with no coding experience required. Since these pay links reside on the same domain as PayPal (paypal[.]com), this increases the likelihood of end users falling victim.
Suggested Corrections:
Users should be cautious when clicking on Google ads, as cybercriminals can easily purchase them to promote phishing pages. Malwarebytes highlights that this campaign is especially effective against mobile users. Due to the limited screen space on mobile devices, the first search results often include Google ads and the "AI overview" feature, making it more likely that users will click on these links. With actors actively purchasing ads mimicking official brands like PayPal, it is important that users scroll past these ads and select more trusted organic results instead.
Link(s):
https://www.malwarebytes.com/blog/scams/2025/02/paypals-no-code-checkout-abused-by-scammers