I came across an interesting new phishing scam in my personal inbox earlier this week. The scam came in the form of an email from ... paypal.com ... ?
Yep, that's right! I received an invoice from service@paypal.com requesting that I pay a sum of $600 for a gift card for someone who I have never heard of.
This caught me off guard at first. Obviously, I hadn't bought a $600 gift card for a complete stranger, so I suspected phishing right out of the gate. But for a phishing attack like this, I would normally expect the email to come from some random email made up of alphabet soup and coming from a clearly illegitimate domain, and for all the links in the email to refer to similarly illegitimate addresses. But that wasn't the case. The email came from PayPal, and all the buttons and links referred to pages in the PayPal domain. This email looked like a legitimate invoice from PayPal.
I received this email invoice from service@paypal.com, and all the links go to pages in the PayPal domain.
Turns out, it is a legitimate invoice from PayPal! Well, sort of. It is "Legitimate" in the sense that it actually came from PayPal. It is not "legitimate" in the sense that I did not actually buy the thing, nor did I actually owe the money.
After doing a bit of research, I found that this particular scam has been happening since at least 2020, but has been gaining popularity in the past couple of months. Basically, the scammers take advantage of a legitimate feature of PayPal: any PayPal user can send an invoice for payment to any other PayPal user. The invoice is, thus, very real. In fact, if the target logs into their actual PayPal account, they might see the invoice there as well, which grants an extra illusion of authenticity to the scam and might scare people into thinking that they actually owe the money (especially if the email threatens penalties for not paying immediately).