Deceptively Real: How Sophisticated Phishing Emails Can Trap Even Experts

14 May 2025 | IT Security Team | IT Security

A PayPal Attack with a Legitimate URL – and How It Undermined Our Sense of Security

Phishing attacks are becoming more dangerous and convincing by the day. Some say it’s due to the rise of AI tools like ChatGPT, while others believe that growing user awareness is forcing attackers to adapt in order to remain effective.

In recent weeks, several friends and clients - including seasoned IT professionals - have asked me: “Is this link real? I’m not sure. The email looks legitimate, and the link appears to go to the correct address. Why wouldn’t it be safe?”

I tried to explain how and why phishing works, and what to watch out for - until I received an email myself that looked exactly like a genuine PayPal transaction notification. I analyzed it closely and thought: This one is really well crafted. Everything seemed consistent - the branding, the layout, even the structure of the links.

But upon closer inspection, the truth emerged: it was a cleverly disguised scam.
In this article, we’ll analyze the deception and show how attackers exploit trust to steal login credentials.

A Bit of Theory First

There are four main techniques that make this type of attack effective:

  1. Cloaking / Redirects / Open Redirects
    Attackers abuse a legitimate domain such as paypal.com that exposes a redirect endpoint and point it at a malicious domain; the target is often obfuscated or Base64-encoded so that it does not stand out in the URL.

    Example (illustrative path): https://www.paypal.com/redirect?url=https://malicious-site.com
    The user sees "paypal.com", clicks, and is immediately redirected.
     
  2. URL Obfuscation in Emails
    In HTML emails, the visible link text may appear as: https://www.paypal.com.

    But the actual hyperlink behind the text could point to something like: https://scamdomain.com/fake/paypal/login. This discrepancy is only visible in the email source code or when hovering over the link with the mouse.

  3. Homograph Attacks / Unicode Spoofing
    Some phishing emails use deceptively similar domain names built from Unicode characters. For example: https://www.pаypаl.com (the "а" characters are Cyrillic, not Latin). To the human eye it looks identical to "paypal.com", but it is a different, fake domain. Modern browsers render such mixed-script names in their Punycode form (xn--...) in the address bar, which exposes the trick, but the text of an email is not subject to that display check.

  4. Compromised Legitimate URLs as Entry Points
    Sometimes attackers send users to a genuine page on the legitimate site, with valid-looking parameters, and rely on content injected through an external script to do the damage:

  • An embedded iframe
  • A triggered file download
  • A fake login window prompting for credentials
  • Or an automatic redirect via JavaScript or a meta-refresh tag
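The first three techniques can be checked mechanically in the email's HTML, because each leaves a trace in the anchor itself: a visible URL whose href points elsewhere, a brand name embedded in an unrelated host, a host containing non-ASCII letters, or a redirect parameter carrying a URL on another domain. The following script is an added example and not code from the original post: it parses an email body with Python's standard library and reports those findings per link. The sample HTML is constructed for the demo (its first anchor mirrors the text/href mismatch discussed later in the article), the /redirect path is hypothetical, and TRUSTED is an assumed allow-list of brand domains.

```python
"""Added example, not from the original post: inspect the anchors in an HTML
e-mail body for the link-level tricks described above (visible URL vs. real
href, brand-name lookalike hosts, non-ASCII homograph hosts and redirect
parameters pointing off-site). The sample HTML is constructed for the demo and
the /redirect path is hypothetical; TRUSTED is an assumed allow-list."""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

TRUSTED = {"paypal.com"}  # assumed: the brand domain we expect links to use
BRAND = "paypal"


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for .com demos; production code
    should consult the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url: str) -> str:
    return (urlsplit(url.strip()).hostname or "").lower()


def homograph_info(host: str) -> Optional[str]:
    """Punycode form of a host that contains non-ASCII letters (this is what
    browsers show for mixed-script names); None for a plain ASCII host."""
    if host.isascii():
        return None
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return "<IDN encoding failed>"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[tuple] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_link(href: str, text: str) -> List[str]:
    """Return human-readable findings for one anchor (empty list = nothing odd)."""
    findings: List[str] = []
    real_host = host_of(href)
    # 1. The visible text is itself a URL, but on a different domain than the href.
    if text.startswith(("http://", "https://", "www.")):
        shown_host = host_of(text if "://" in text else "https://" + text)
        if shown_host and registrable(shown_host) != registrable(real_host):
            findings.append(f"text shows {shown_host} but href goes to {real_host}")
    # 2. Brand name embedded in a host that is not the brand's own domain.
    if registrable(real_host) not in TRUSTED and BRAND in real_host:
        findings.append(f"lookalike host {real_host}")
    # 3. Non-ASCII characters in the host (homograph / Unicode spoofing).
    puny = homograph_info(real_host)
    if puny:
        findings.append(f"non-ASCII host {real_host} -> {puny}")
    # 4. A query parameter carrying a full URL on another domain (open redirect).
    for key, values in parse_qs(urlsplit(href).query).items():
        for value in values:
            if value.startswith(("http://", "https://")):
                target = host_of(value)
                if registrable(target) != registrable(real_host):
                    findings.append(f"parameter {key} redirects to {target}")
    return findings


def scan_email_html(html: str) -> Dict[str, List[str]]:
    collector = LinkCollector()
    collector.feed(html)
    return {href: analyze_link(href, text) for href, text in collector.links}


# Constructed sample body: the first anchor mirrors the text/href mismatch from
# the analyzed e-mail; the others are made up to exercise the remaining checks.
SAMPLE_HTML = """
<p>Your shipment is on its way.</p>
<a href="https://trackingshipmentpaypalservices.com/3NE98259KD591341B">https://www.paypal.com/mobile-app/package-tracking/list?source=receipt_email_orders&amp;txn_id=3NE98259KD591341B</a>
<a href="https://www.pаypаl.com/signin">Log in</a>
<a href="https://www.paypal.com/redirect?url=https://malicious-site.com/login">View details</a>
<a href="https://www.paypal.com/myaccount/summary">My account</a>
"""

if __name__ == "__main__":
    for href, findings in scan_email_html(SAMPLE_HTML).items():
        print(href, "->", findings or "ok")
```

Run it on the raw HTML part of a suspicious message (for example after saving the email as .eml and extracting the text/html part). The registrable() helper deliberately uses only the last two labels, so a host such as paypal.com.evil-example.org would be classified correctly, while multi-part public suffixes (co.uk and the like) need the Public Suffix List in real tooling.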

The Email in Detail

Subject: PayPal e-Gifts: ₱525.00 PHP
Sender: service@paypal.com
Link (as displayed): https://www.paypal.com/mobile-app/package-tracking/list?source=receipt_email_orders&txn_id=3NE98259KD591341B

At first glance it looked completely legitimate. The URL resembled a real PayPal tracking page, complete with the kind of parameters a genuine notification carries (a source tag and a transaction ID). But here's the catch:

  • The displayed URL is only link text; the HTML of the email can pair it with any destination
  • It is also possible that a redirect or script injection takes place via a compromised third-party service

The Hidden Truth: Where Does the Link Really Lead?

Behind the HTML link was actually:
https://trackingshipmentpaypalservices.com/3NE98259KD591341B

This domain does not belong to PayPal: the brand name is merely part of an unrelated registered domain, trackingshipmentpaypalservices.com. It is a phishing site that mimics the PayPal design to steal login credentials. The method is simple but effective:

  • The visible text looks like a PayPal link
  • The actual href in the HTML points to a different domain

Lesson: Never trust the visible link text—always check the real destination!

Email Forensics: Spotting the Red Flags

Although the email appeared professional, technical analysis revealed clear phishing indicators:

  • From: service@paypal.com (spoofed)
  • Reply-To: richardkrpata[][][][]@yahoo.com ❌
  • SPF: SoftFail ❌
  • DKIM/DMARC: Pass ✅ (but probably spoofed via Outlook)
  • Link leads to a phishing page ❌

The evidence suggests that a compromised Microsoft tenant or Yahoo account was used to bypass email filters.

When reading such results, always check which domain the DKIM signature's d= tag names and which domain SPF was evaluated for: a DKIM pass only proves that the signing domain signed the message, and DMARC is only meaningful when the passing SPF or DKIM domain aligns with the domain in the From: header. A reported pass for a message whose Reply-To points to a free-mail account and whose SPF soft-fails should therefore prompt a second look at the Authentication-Results header rather than reassurance.
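The header checks above (sender vs. Reply-To and Return-Path, SPF result, and whether the DKIM or SPF domain actually aligns with the From: domain before a DMARC pass is believed) can be scripted. The following triage script is an added example, not part of the original post or the author's tooling: it parses a raw message with Python's email package, reads the Authentication-Results header and re-derives DMARC alignment from the SPF and DKIM domains instead of trusting the reported dmarc= verdict. Both sample messages are constructed; the Return-Path, the Reply-To address, the onmicrosoft.com tenant name and the receiving host mx.example.net are made up to mirror the indicators listed above.

```python
"""Added example, not from the original post: triage e-mail headers for the
indicators discussed above. Compares From:/Reply-To:/Return-Path: domains,
parses Authentication-Results: and recomputes DMARC alignment from the SPF
and DKIM domains. Sample messages are constructed; tenant, Return-Path,
Reply-To and receiver names are made up."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed suspicious message mirroring the indicators in the article.
SAMPLE_RAW = """\
Return-Path: <bounce@example-tenant.onmicrosoft.com>
Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=example-tenant.onmicrosoft.com; dkim=pass header.d=example-tenant.onmicrosoft.com; dmarc=pass header.from=paypal.com
From: PayPal <service@paypal.com>
Reply-To: attacker@yahoo.com
To: victim@example.net
Subject: PayPal e-Gifts: 525.00 PHP

You sent a payment. Track it here.
"""

# Constructed message where every check is consistent, for comparison.
CLEAN_RAW = """\
Return-Path: <bounces@paypal.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
From: PayPal <service@paypal.com>
To: victim@example.net
Subject: Receipt for your payment

Thanks.
"""


def domain_of(addr_header: Optional[str]) -> str:
    """Domain part of the first address in a header, lowercased ('' if absent)."""
    if not addr_header:
        return ""
    _, addr = parseaddr(str(addr_header))
    return addr.rpartition("@")[2].lower()


def org_domain(domain: str) -> str:
    """Crude organizational domain (last two labels); use the Public Suffix
    List in production."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def aligned(d1: str, d2: str) -> bool:
    """Relaxed DMARC alignment: both present and same organizational domain."""
    return bool(d1) and bool(d2) and org_domain(d1) == org_domain(d2)


def parse_auth_results(value: str) -> Dict[str, Dict[str, str]]:
    """Turn 'authserv; method=result prop=val ...; ...' into {method: {...}}."""
    out: Dict[str, Dict[str, str]] = {}
    for clause in value.split(";")[1:]:  # clause 0 is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)(.*)", clause, re.S)
        if not m:
            continue
        method, result, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
        props = dict(re.findall(r"([\w.]+)=([^\s;]+)", rest))
        out[method] = {"result": result, **props}
    return out


def triage(raw: str) -> List[str]:
    """Return a list of red flags; an empty list means the headers are consistent."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags: List[str] = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    rp_dom = domain_of(msg["Return-Path"])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if rp_dom and not aligned(rp_dom, from_dom):
        flags.append(f"Return-Path domain {rp_dom} not aligned with {from_dom}")
    ar = parse_auth_results(str(msg.get("Authentication-Results", "")))
    spf, dkim, dmarc = ar.get("spf", {}), ar.get("dkim", {}), ar.get("dmarc", {})
    if spf.get("result") not in (None, "pass"):
        flags.append(f"SPF {spf.get('result')} for {spf.get('smtp.mailfrom', '?')}")
    # DMARC passes only if an aligned SPF pass or an aligned DKIM pass exists.
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom", ""), from_dom)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d", ""), from_dom)
    if dkim.get("result") == "pass" and not dkim_ok:
        flags.append(f"DKIM pass is for {dkim.get('header.d')}, not aligned with From {from_dom}")
    if dmarc.get("result") == "pass" and not (spf_ok or dkim_ok):
        flags.append("reported dmarc=pass is not backed by an aligned SPF/DKIM pass; treat as unverified")
    return flags


if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_RAW), ("clean", CLEAN_RAW)):
        print(name, "->", triage(raw) or "no red flags")
```

Feed it the raw source of a message ("Show original" or "View source" in most mail clients, or the saved .eml file). The Authentication-Results header is written by your own receiving mail server, so only the copy added by that server is trustworthy; an attacker can inject a look-alike header upstream, which is another reason to recompute alignment rather than read the summary verdict.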

Why This Attack Is Especially Dangerous:

  • Brand Imitation: High-quality PayPal branding (logo, fonts, layout)
  • Familiar URL Structure: Mimics real PayPal transaction links
  • Technical Deception: DMARC and DKIM passed — creating a false sense of security

This combination significantly lowers the recipient’s guard.

My Recommendations for IT Decision-Makers:

  • Never click on links in unexpected emails; open the service directly by typing its address or using its app instead
  • Hover over links to reveal the actual destination before clicking
  • Check the Reply-To and Return-Path headers – if they differ from the visible sender, proceed with caution
  • Report phishing attempts to: spoof@paypal.com
  • Enable two-factor authentication on your PayPal account

My Conclusion

Above all: Stay alert. Stay skeptical. 
Even experienced users can fall for convincingly crafted phishing attempts. That’s why it’s crucial to know how to analyze email headers and verify links. If something feels off — trust your instincts.

Feel free to share this analysis with friends or colleagues. The more people are informed, the harder it gets for attackers to succeed.

Would you like to secure your business more effectively? Contact me - I’ll support you with the analysis, prevention, and defense against modern phishing threats.

Author Profile

Michal Dostálek is an IT security expert with many years of experience in analyzing and defending against complex cyberattacks. After completing his STEM studies, he worked on various international projects in the fields of reverse engineering and digital forensics. Since joining syracom, he has been advising clients on securing digital infrastructures, developing awareness strategies, and supporting the implementation of modern security architectures. With deep technical expertise and a keen sense for emerging threat trends, he shapes client projects proactively and with an eye to the future.
