Threat actors have developed a novel approach to phishing by leveraging the customer support platform LiveChat. Researchers from the Cofense Phishing Defense Center (PDC) recently observed a campaign that impersonates Amazon and PayPal. By engaging targeted users through real-time online chat, these operators simulate trusted customer service interactions to gather account credentials, credit card details, multifactor authentication (MFA) codes, and other personally identifiable information (PII).
Cobi Aloia and Mark Deomampo of the Cofense PDC noted in their analysis that phishing threats continue to evolve, making them harder for automated systems to identify. While phishing remains a well-known risk to endpoint security, these campaigns succeed by adopting psychologically effective methods. This specific activity combines brand impersonation, social engineering, and identity misrepresentation in a real-time environment.
Two distinct campaign vectors
Cofense identified two distinct paths within this campaign. Both rely on creating a sense of urgency, impersonating trusted brands, and using LiveChat interactions to request sensitive information. The researchers observed poor grammar and punctuation in both chat interfaces, indicating that human operators following scripts were managing the interactions rather than automated artificial intelligence assistants.
The first vector begins with a deceptive email spoofing PayPal, a brand frequently targeted for impersonation. The message claims the recipient is eligible for a $200 refund and prompts them to click a "View Transaction Details" button. This link directs the user to a LiveChat-hosted page designed to resemble a legitimate PayPal support portal. Through a series of conversational prompts, the operator guides the user to an external credential-harvesting site to "complete the refund process." Once the user submits their PayPal credentials, the site requests an MFA code sent to their mobile device. The operators then prompt the user to complete additional forms requesting billing details, date of birth, and credit card information.
The second vector relies on an unbranded email stating an order is pending and requires confirmation via a "View Update" link. This link opens a page requiring an email address to initiate a chat. At that point, a human operator impersonating an Amazon support agent requests personal details. The operator subsequently claims a refund is available but requires a credit card number, expiration date, and CVC for "verification."
The psychological impact of real-time chat
While social engineering tactics are common, Cofense notes this is the first documented instance of threat actors misusing LiveChat in this specific manner. The approach shares similarities with voice-based phishing (vishing), where malicious actors use live conversations to build trust and persuade individuals to share sensitive data or grant remote device access. The conversational nature of the chat lowers the targeted user's guard by mimicking standard customer service workflows, making the interaction feel routine and safe.
Securing organizations against these evolving campaigns requires a combination of technical controls and human analysis. The researchers recommend pairing software-based security with expert threat hunting, real-time intelligence monitoring, and user reporting mechanisms to identify and intercept unauthorized activity. To assist defenders, Cofense has published specific indicators of compromise (IoCs) for both email vectors associated with this campaign.
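As one software-based control for the two email vectors described above, the following mail-triage heuristic is an added example, not code from Cofense or from the campaign analysis. The chat host suffix, the brand domain list, and the sample messages are assumptions constructed for illustration; replace the placeholder host with values from the published IoCs.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumption: placeholder suffix for hosted-chat pages; replace with hosts
# taken from the published IoCs or your own mail-gateway data.
CHAT_HOST_SUFFIXES = ("chat-platform.example",)
# Assumption: domains a genuine brand link would use (extend as needed).
BRAND_DOMAINS = {"paypal": ("paypal.com",), "amazon": ("amazon.com",)}
# Button texts and lure themes quoted in the report.
LURE_PHRASES = ("view transaction details", "view update", "refund", "order is pending")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample messages (not real campaign mail).
PAYPAL_LURE = ("From: PayPal Support <notice@mailer.example>\n"
               "Subject: You are eligible for a $200 refund\n\n"
               "View Transaction Details: https://support.chat-platform.example/c/123\n")
UNBRANDED_LURE = ("From: Orders <orders@mailer.example>\n"
                  "Subject: Your order is pending\n\n"
                  "View Update: https://help.chat-platform.example/start\n")
BENIGN = ("From: PayPal <service@paypal.com>\n"
          "Subject: Receipt for your payment\n\n"
          "See https://www.paypal.com/activity for details.\n")

def _host_matches(host, suffixes):
    """True if host equals a suffix or is a subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def score_message(raw):
    """Return (score, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    text = f"{msg['Subject']} {msg['From']} {body}".lower()
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    reasons = []
    if any(_host_matches(h, CHAT_HOST_SUFFIXES) for h in hosts):
        reasons.append("link to hosted chat page")
    for brand, domains in BRAND_DOMAINS.items():
        # Brand is named, but none of the links point at the brand's own domain.
        if brand in text and hosts and not any(_host_matches(h, domains) for h in hosts):
            reasons.append(f"{brand} named but no link to {domains[0]}")
    if any(p in text for p in LURE_PHRASES):
        reasons.append("refund/order lure wording")
    return len(reasons), reasons

if __name__ == "__main__":
    for name in ("PAYPAL_LURE", "UNBRANDED_LURE", "BENIGN"):
        print(name, score_message(globals()[name]))
```

A score of 2 or more is a reasonable point to route a message to analyst review; the unbranded vector still reaches it because the chat link and the lure wording are scored independently of any brand name.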