Beware of the Clever "New Device Signed in to Your Stripe" Phishing Scam

As a whole, cybercriminals don’t tend to discriminate in their choice of targets. Between those who specialize in corporate extortion, those who prefer brutalizing small companies and government institutions or performing DDoS attacks, and the ones that attempt to con private individuals out of their money with social engineering, hackers generally have pretty much all bases covered when it comes to targets. However, there’s no denying that some targets seem to be preferred over others – and payment processors seem to be among them. Case in point – phishing attempts targeting potential Stripe users have become so common that Stripe itself has been forced to include a guide on how NOT to get phished on its own website.

And to be fair, there’s actually a very good reason for the company doing this – there have been at least three massive phishing campaigns of pretty high sophistication targeting potential Stripe users in the last year or so. All of them involved some pretty legitimate-looking email messages, urging the user to confirm their login details, lest something undesirable happen to their account. Those emails provided obfuscated links to rather legitimate-looking landing pages designed to grab the user’s credentials and deposit them in the cybercriminals’ grubby hands.

The hackers have displayed an impressive level of sophistication, especially in the latest campaign, which hit inboxes in early March 2020. Yes, you can easily spot the difference between the landing page and the legitimate Stripe login page when you compare them side by side, but the fake one is more than good enough to deceive even suspicious users. It’s well formatted, uses the correct fonts, and features hyperlinks and disclaimers. Only the colors and proportions of some of the buttons are a bit off, but that can easily be explained with subtle design changes, and it’s the type of thing that companies do all the time.

Additional layers of social engineering can be added to deceive the targeted user – for instance, one phishing page redirected the user to the actual Stripe website, after the user had input their credentials, so as to not raise suspicion that something’s wrong.

To make a long story short – the hackers’ sophistication has already reached a level high enough to fool even suspicious users. So what can a user be expected to do to avoid getting their important financial information stolen? What are the best practices they could follow to avoid falling victim to a phishing scam, such as the one targeting Stripe users?

Check the Web Address

There are many things that fraudsters can do to lend their bogus emails an air of legitimacy – use good grammar and the proper logos, format the emails in a legitimate manner, even employ personal information about the target acquired from somewhere else, obfuscate links, etc. However, there’s one thing that is a dead giveaway that the email is fraudulent that they can’t do anything about – and that’s the source of the email. All decent email clients provide the user with a source for the communication – and if that source is suspicious, then the email is almost certainly a phishing attempt or another type of attack. As Stripe themselves put it on their official page, “Is it pointing to a page at stripe.com?” If not – then ignore it. Better yet – delete it, so that you don’t accidentally click it at a later point.

Don’t Click Links

When alerted that you need to do something by an email, don’t click the link provided in it. Instead, take the time to actually go to the platform that purports to have sent the message to you and check things out there for yourself. Go to your bookmark, or type in the proper address and log in to your account that way. Unless you solicited the email just now (for the purpose of changing a forgotten password, for instance), treat any links provided in an email with the utmost suspicion. Always check where they purport to lead, and if you catch wind of anything untoward – bin the email.
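The two checks above ("Is it pointing to a page at stripe.com?" and seeing where a link really leads) can be automated for an HTML email body. This is an added example, not code from the article or from Stripe; the names `host_is_trusted`, `LinkAuditor` and `audit_email_html`, the https-only rule and the sample message are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "stripe.com"  # domain named in the Stripe quote above


def host_is_trusted(url, trusted=TRUSTED_DOMAIN):
    """True only for https URLs whose host is `trusted` or a subdomain of it."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:  # malformed URL: treat as untrusted
        return False
    # Assumption: plain http is rejected. The match is exact or dot-anchored,
    # so "notstripe.com" and "stripe.com.something.net" both fail.
    return parts.scheme == "https" and (host == trusted or host.endswith("." + trusted))


class LinkAuditor(HTMLParser):
    """Collects (visible text, href) for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def audit_email_html(html):
    """Return [(visible_text, href, trusted)] for each link in the body."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return [(text, href, host_is_trusted(href)) for text, href in auditor.links]


# Constructed sample body (not a real message); example.net is a reserved domain.
SAMPLE = ('<p>New device: <a href="https://stripe.com.acct.example.net/v">'
          'https://dashboard.stripe.com/login</a> or '
          '<a href="https://dashboard.stripe.com/login">open dashboard</a></p>')
```

Calling `audit_email_html(SAMPLE)` flags the first link as untrusted even though its visible text shows a Stripe address, because only the `href` host is compared against the trusted domain.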

April 27, 2020
