I came across an interesting new phishing scam in my personal inbox earlier this week. The scam came in the form of an email from ... paypal.com ... ?
Yep, that's right! I received an invoice from service@paypal.com requesting that I pay a sum of $600 for a gift card for someone who I have never heard of.
This caught me off guard at first. Obviously, I hadn't bought a $600 gift card for a complete stranger, so I suspected phishing right out of the gate. But for a phishing attack like this, I would normally expect the email to come from some random email address made up of alphabet soup at a clearly illegitimate domain, and for all the links in the email to point to similarly illegitimate addresses. That wasn't the case. The email came from PayPal, and all the buttons and links referred to pages in the PayPal domain. This email looked like a legitimate invoice from PayPal.
I received this email invoice from service@paypal.com, and all the links go to pages in the PayPal domain.
Turns out, it is a legitimate invoice from PayPal! Well, sort of. It is "Legitimate" in the sense that it actually came from PayPal. It is not "legitimate" in the sense that I did not actually buy the thing, nor did I actually owe the money.
After doing a bit of research, I found that this particular scam has been happening since at least 2020, but has been gaining popularity in the past couple of months. Basically, the scammers take advantage of a legitimate PayPal feature: any PayPal user can send an invoice for payment to any other PayPal user. The invoice is, thus, very real. In fact, if the target logs into their actual PayPal account, they might see the invoice there as well, which lends an extra illusion of authenticity to the scam, and might scare people into thinking that they actually owe the money (especially if the email threatens penalties for not paying immediately).
The email actually came from PayPal's domain!
When I logged in, I did not see the invoice in my PayPal account. I believe the reason for this is that this particular invoice was sent out to a group of PayPal users. The others reported it to PayPal as phishing, and so PayPal had probably already removed the fraudulent invoice by the time I logged in to check it for myself. I even received some of these other users' confused replies directly in my personal email inbox.
This scam relies on the target clicking the link (or logging into their PayPal account) and paying the amount without realizing that it is a fraudulent invoice. If that doesn't work, however, there is a clever backup scam. The emails will usually contain a phone number for either "customer support" or for "cancelling the payment". Since the email actually comes from PayPal's domain, and all the other links and buttons on the email are legitimate, the target might be fooled into thinking that the phone number is also legitimate. It isn't.
If you call this phone number, you will likely be greeted by one of the scammers. The person on the other end of the line will pretend to be PayPal support, and will try to get you to give them access to your PayPal account -- probably by asking you to download some kind of screen-sharing application that will also contain a key-logger. If you download the application and type in your password, the "support" on the other end will be able to harvest that password, log into your account immediately (or any time in the future), and clear out anything in your PayPal wallet, or spend your real money if the account is linked to your checking account or credit card.
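The point of the last few paragraphs is that the usual "check the sender and the links" advice fails here: the sender domain and every link are genuinely PayPal's, and the only attacker-controlled part of the message is the free-text memo of the invoice, which is where the bogus "support" number lives. The following is an added example (not code from the original post) of a triage heuristic that encodes that observation: it confirms the classic checks pass, then flags a phone number or pressure language inside the invoice memo. The two sample invoices, the trusted-domain list and the phone number are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Domains whose mail and links the classic "look at the sender" check would trust.
TRUSTED_DOMAINS = {"paypal.com"}

# Loose North American phone-number pattern; enough for the memo text of an invoice.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Pressure phrases of the kind the post mentions (threats, deadlines) plus the "call us" lure.
URGENCY_TERMS = ("immediately", "within 24 hours", "penalt", "call ", "did not authorize")

# Constructed sample modelled on the invoice described in the post; the number is fake.
SCAM_INVOICE = {
    "from": "service@paypal.com",
    "links": ["https://www.paypal.com/invoice/p/EXAMPLE", "https://www.paypal.com/help"],
    "memo": ("Gift card purchase: $600.00. If you did not authorize this transaction, "
             "call +1 (555) 010-0199 immediately to cancel the payment."),
}

# Constructed benign invoice for contrast: same sender and links, no callback lure.
BENIGN_INVOICE = {
    "from": "service@paypal.com",
    "links": ["https://www.paypal.com/invoice/p/EXAMPLE2"],
    "memo": "Invoice for web design services, March. Thanks for your business.",
}


def sender_domain(address):
    """Return the lowercased domain part of an e-mail address ('' if malformed)."""
    _, _, domain = address.rpartition("@")
    return domain.lower()


def host_is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True if the link's host is a trusted domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def classic_checks_pass(email, trusted=TRUSTED_DOMAINS):
    """The checks the post says this scam defeats: genuine sender domain, genuine links."""
    return sender_domain(email["from"]) in trusted and all(
        host_is_trusted(u, trusted) for u in email["links"])


def assess_invoice(email):
    """Flag a real-looking invoice whose free-text memo carries a callback lure."""
    memo = email["memo"].lower()
    phones = PHONE_RE.findall(email["memo"])
    urgency = [t.strip() for t in URGENCY_TERMS if t in memo]
    reasons = []
    if phones:
        reasons.append("phone number in invoice memo: %s" % ", ".join(phones))
    if urgency:
        reasons.append("pressure language: %s" % ", ".join(urgency))
    # The memo is attacker-controlled even when the sender is genuine, so a phone
    # number placed there is the decisive signal; urgency alone only warrants review.
    if phones:
        verdict = "suspect_callback_scam"
    elif urgency:
        verdict = "review"
    else:
        verdict = "ok"
    return {"classic_checks_pass": classic_checks_pass(email),
            "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for name, msg in (("scam", SCAM_INVOICE), ("benign", BENIGN_INVOICE)):
        print(name, assess_invoice(msg))
```

Both samples pass the classic checks, which is exactly why they are useless against this scam; only the memo separates them. In a real mail pipeline the same idea generalises to any payment platform that lets one user write free text into a message the platform then sends from its own domain: treat that field as untrusted input, and treat any contact number in it as not belonging to the platform.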
For the record, I did not fall for it. I did not click on the links to pay the invoice, nor did I call the number listed in the email. I learned about the phony support number by reading up about this scam online.
I'm posting this blog in the hopes that it warns other people not to click on the link for these fraudulent (but very legitimate-looking) invoices. I hope that none of my readers fall victim to this -- or any -- scam.