
Attackers Abuse LiveChat to Phish Credit Card, Personal Data

Dark Reading, archived Mar 16, 2026

A social engineering campaign impersonating PayPal and Amazon uses customer support interactions to acquire sensitive info.


Elizabeth Montalbano, Contributing Writer
March 16, 2026

Attackers have found yet another innovative way to conduct phishing attacks by abusing the customer support platform LiveChat, using real-time social engineering to steal a range of sensitive user data.

Researchers from Cofense's Phishing Defense Center (PDC) discovered a campaign that impersonates Amazon and PayPal to engage with victims via online chat, coercing them through what seems like a trusted, personal interaction to share data such as account credentials, credit card details, multifactor authentication (MFA) codes, and other personally identifiable information (PII), according to a blog post published today.

The campaign demonstrates how attackers are constantly refining tactics to create phishing threats that "are no longer easy to spot," Cobi Aloia and Mark Deomampo of the Cofense PDC wrote in the blog post. Indeed, phishing is one of the oldest security threats to user endpoints but remains highly successful, due to the often simple yet psychologically effective tactics attackers have adopted.

In this case, the attacks leverage a number of diverse yet commonly used phishing tactics — including brand impersonation, social engineering, credential theft, and identity theft, among others — "that demonstrate the rapid evolution and integration of threats," the researchers wrote.

Two Attack Vectors, Same Outcome

Cofense specifically identified two different attack vectors for the campaign, both of which use the psychological tactic of urgency, impersonation of trusted brands, and the abuse of LiveChat interactions to get customers to give up data. Both chat interactions use poor grammar and punctuation, which suggests that a human operator following a script was on the other end, rather than an automated bot or AI assistant, the researchers noted.

The first email uses a refund lure with a spoofed message from PayPal — a top brand impersonated by phishers — claiming the recipient will receive a $200 refund, prompting them to click a "View Transaction Details" button. Doing so redirects the user to a LiveChat-hosted page configured to resemble a legitimate PayPal customer support interaction, where a series of prompts in the conversation with the operator directs them to an external phishing site to "complete the refund process" by entering PayPal credentials.

Once this is done, the victim is then prompted to supply an MFA code sent to their phone, after which the attackers use the phishing site to get them to fill out additional forms collecting billing details, date of birth, and credit card information.

The second phishing email is not branded, offering a generic message stating that an order is pending and needs confirmation, which the user can do by clicking on the hyperlinked "View Update" text.

This link leads to a page that prompts them to enter an email address to start a chat, only after which a human operator impersonates an Amazon support agent and begins requesting additional personal details from the user. The "agent" then claims that a refund is available but is missing card details, asking the victim to provide a credit card number and its expiration date and CVC for "verification."
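
A triage check for user-reported emails that match the two lures described above, as an added example that is not from Cofense or Dark Reading. The brand domain list, the `chat-host.example` placeholder, and the lure phrases are assumptions to be replaced with the defender's own data.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions, not from the article: defender-maintained lists. CHAT_HOSTS is a placeholder.
BRAND_DOMAINS = {"paypal": {"paypal.com"}, "amazon": {"amazon.com"}}
CHAT_HOSTS = {"chat-host.example"}
LURES = ("refund", "order is pending")

class Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        # Record the hostname of every <a href>; non-URL hrefs yield no host.
        host = urlsplit(dict(attrs).get("href") or "").hostname
        if tag == "a" and host:
            self.hosts.append(host.lower())

def under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    """Return the list of findings for one reported email (RFC 5322 text)."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    links = Links()
    links.feed(body)
    text = f"{msg['From']} {msg['Subject']} {body}".lower()
    findings = []
    if any(under(h, CHAT_HOSTS) for h in links.hosts):
        findings.append("link-to-chat-platform")
    for brand, owned in BRAND_DOMAINS.items():
        # Brand named in sender/subject/body, but a link leaves the brand's domains.
        if brand in text and any(not under(h, owned) for h in links.hosts):
            findings.append(f"{brand}-offdomain-link")
    if any(lure in text for lure in LURES):
        findings.append("refund-or-order-lure")
    return findings

# Constructed samples modelled on the two lures described above, plus a benign control.
HDR = "MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
BRANDED = ("From: PayPal Support <notice@mailer.example>\nSubject: Refund issued\n" + HDR +
           '<p>You will receive a $200 refund.</p><a href="https://chat-host.example/s/1">View Transaction Details</a>')
GENERIC = ("From: Order Desk <orders@mailer.example>\nSubject: Action needed\n" + HDR +
           '<p>Your order is pending.</p><a href="https://chat-host.example/s/2">View Update</a>')
BENIGN = ("From: PayPal <service@paypal.com>\nSubject: Receipt\n" + HDR +
          '<p>Your receipt is ready.</p><a href="https://www.paypal.com/activity">View</a>')
```

The unbranded sample carries no brand name, so only the chat-platform link combined with the order lure flags it, which is why the two signals are scored independently.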

Disarming Victims Through LiveChat

Though phishers have used various tricks throughout the years to get customers to give up data, the campaign is the first time on record that attackers have abused LiveChat in this way, the researchers said. The vector is not unlike an online version of vishing attacks, in which attackers use social engineering and psychological tactics in live conversations with people to get them to give up sensitive data and even let attackers remotely control their devices using tools such as AnyDesk.

That personal interaction, which disarms a victim and convinces them that they are in conversation with someone whom they can trust, is the secret to why these types of attacks work, the researchers noted. This "makes the phishing attempt feel like real-time customer service, reducing the victim's caution and increasing the chance of successful credential and data theft," they wrote in the report.

Mitigating these attacks requires not only software- or machine-based security but also human-driven analysis that combines "expert-level threat hunters, real-time intelligence, and user reports to identify and stop evolving attacks before they cause harm," according to the researchers.

To help defenders identify the LiveChat-driven attacks, the blog post provides specific indicators of compromise (IoCs) for both malicious emails used in the campaign.