New Phishing Scam Targets PayPal Users

By KM Diaz | June 18, 2017

A new phishing scam targets PayPal users, stealing login credentials and asking the potential victim to take a selfie while holding the card.

PhishMe, a security research firm, first discovered the fraud, which targets PayPal users and is an evolution of the typical phishing scam: it extends the data theft beyond attempts that use only a username and password.

Similar to most phishing scams, the attack starts with an email that seems to come from PayPal. It carries the company's address and logo, but the content has a number of spelling and grammatical errors. There is a button at the end of the message saying "Let's Get Going." Clicking it directs the potential victim to a fake PayPal login screen, which appears to be legitimate but sits on a domain that is not related to PayPal.

The login page steals the user's credentials once they are entered, and the scam does not stop there. Another PayPal-branded page appears after the login screen. Here, the user is asked to verify the account by entering the billing address, complete name, and credit card number.

When the user surrenders all this information, they are directed to another verification step that asks them to take a selfie for identity confirmation. The page gives several directions on how to take the photo correctly while holding their card, to make sure that the ID and credit card are visible in the photo.

After uploading the photo, the user is then directed to the official PayPal login screen to enter their username and password, which makes it seem like the validation process is legitimate.

Security researchers from PhishMe advised users to be vigilant when interacting with emails, especially those that contain suspicious attachments and links, such as ones asking to validate information.

Furthermore, users should visit the website directly rather than following the link in the email. Setting up two-step verification on PayPal, which requires an additional login code to access the account, is also recommended: it adds a layer of protection for their personal information when the user's password is compromised.

©2017 Telegiz All rights reserved. Do not reproduce without permission