A newly discovered PayPal Inc. phishing scam is not only targeting login credentials but also personally identifiable information and payment card data.

Discovered and publicized Dec. 20 by security researchers at ESET spol s.r.o., the phishing campaign targets users with crafted emails that claim that the PayPal account belonging to a user has experienced “unusual activity.” The email then asks the target to log into the account to protect it.

Those who click on the link in the email are taken to a phishing page designed to look like the PayPal login page to enter their details, a fairly typical phishing process at this point. But then it gets a bit more interesting or, as the researchers describe it, “ambitious.”

After entering their details, users are then asked to “verify your account” by providing additional personal information. The information asked for includes billing address, credit/debit card details and email address. At the end of the process, a screen appears stating that the now phishing victims have had their PayPal account restored.

There are some giveaways during the process that all is not as it seems. For one, the URL used isn’t one related to PayPal and there are some misspellings on the various screens as well. Reflecting a trend regularly seen this year, the URL has an authentic Secure Sockets Layer certificate complete with a green padlock in an effort to convince users that it is the real deal.

“As shoppers finalize their online orders and review their purchases made ahead of the holidays, it is important to keep a close eye on their transactions as they manage their personal finances,” Matthew Gardiner, director of enterprise security at cybersecurity firm Mimecast Services Ltd., told SiliconANGLE. “Shoppers should be increasingly vigilant in monitoring their activity and be cautious of alert emails received, always checking to ensure they are from a legitimate source.”

Since PayPal offers shoppers a secure platform that avoids their having to provide their information to retailer sites, he added, it’s natural for people to assume that an alert from the service is legitimate. “However, with the hustle and bustle of the holiday season, phishers can take advantage of the busy, unaware shopper who may not be monitoring and flagging fraudulent transactions, and instead fall victim to a false alert scheme,” he said.

Image: Tim Reckmann/Flickr