https://krebsonsecurity.com/2022/08/paypal-phishing-scam-uses-invoices-sent-via-paypal/

Krebs on Security

PayPal Phishing Scam Uses Invoices Sent Via PayPal
August 18, 2022
19 Comments

Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives -- which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction -- state that the user's account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.

KrebsOnSecurity recently heard from a reader who received an email from paypal.com that he immediately suspected was phony. The message's subject read, "Billing Department of PayPal updated your invoice."

[paypalinvoiceupdated] A copy of the phishing message included in the PayPal.com invoice.

While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to paypal.com. Hovering over the "View and Pay Invoice" button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com.

Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal. That is exactly what those checks are built to confirm: the message really did leave PayPal's mail infrastructure. They say nothing about whether the PayPal account holder who composed the invoice is honest, so a "pass" here is not evidence that the invoice is legitimate.

Both the email and the invoice state that "there is evidence that your PayPal account has been accessed unlawfully." The message continues:

"$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours.
If you suspect you did not make this transaction, immediately contact us at the toll-free number...."

Here's the invoice that popped up when the "View and Pay Invoice" button was clicked:

[paypalscaminvoice] The phony PayPal invoice, which was sent and hosted by PayPal.com.

The reader who shared this phishing email said he logged into his PayPal account and could find no signs of the invoice in question.

A call to the toll-free number listed in the invoice was answered by a man who identified himself only as generic "customer service," instead of trying to spoof PayPal or Walmart. Very quickly into the conversation he suggested visiting a site called globalquicksupport[.]com to download a remote administration tool. It was clear then where the rest of this call was going.

I can see this scam tricking a great many people, especially since both the email and invoice are sent through PayPal's systems -- which practically guarantees that the message will be successfully delivered. The invoices appear to have been sent from a compromised or fraudulent PayPal Business account, which allows users to send invoices like the one shown above.

Details of this scam were shared Wednesday with PayPal's anti-abuse (phishing@paypal.com) and media relations teams. PayPal said in a written statement that phishing attempts are common and can take many forms.

"We have a zero-tolerance policy on our platform for attempted fraudulent activity, and our teams work tirelessly to protect our customers," PayPal said. "We are aware of this well-known phishing scam and have put additional controls in place to mitigate this specific incident. Nonetheless, we encourage customers to always be vigilant online and to contact Customer Service directly if they suspect they are a target of a scam."

It's remarkable how well today's fraudsters have adapted to hijacking the very same tools that financial institutions have long used to make their customers feel safe transacting online.
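The two signals a careful recipient normally relies on, the email authentication results and the link targets, both check out for this scam: the mail genuinely originates from PayPal and the invoice is hosted there. The only part the attacker controls is the invoice text, so that is where a triage rule has to look. The script below is an added example, not code from the original post or from PayPal. It runs on a constructed message modelled on the one described above (the mailbox names, the authentication server, the invoice path, the 1-800 number and the allowlist are placeholders), confirms that SPF, DKIM and DMARC pass and that every link stays on paypal.com, and then scores the seller note for the tells that remain: a toll-free number, an instruction to phone it, urgency wording and a generic greeting. A benign seller note is triaged alongside it to show the heuristics do not fire on an ordinary invoice.

```python
"""Triage a PayPal-hosted invoice phish (added example, not the post's code).

Authentication and link checks pass for scam and legitimate invoices alike,
because both are sent and hosted by PayPal; only the seller note differs.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample headers modelled on the message in the post. The mailbox
# names and the authenticating server are placeholders.
HEADERS = """\
From: "Billing Department of PayPal" <service@paypal.com>
To: victim@example.com
Subject: Billing Department of PayPal updated your invoice
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com;
 dmarc=pass header.from=paypal.com
Content-Type: text/html; charset=utf-8
"""
# Link chrome shared by every PayPal invoice mail; the invoice id is a placeholder.
INVOICE_LINKS = (
    '<a href="https://www.paypal.com/invoice/p/#INV2-EXAMPLE">View and Pay Invoice</a>\n'
    '<a href="https://www.paypal.com/help">Help</a>\n'
)
# Seller note paraphrased from the post; the 555 number is a placeholder.
SCAM_NOTE = """<p>Dear PayPal user,</p>
<p>There is evidence that your PayPal account has been accessed unlawfully.
$600.00 has been debited to your account for the Walmart Gift Card purchase.
If you suspect you did not make this transaction, immediately contact us at
the toll-free number 1-800-555-0199.</p>
"""
# A constructed benign note from a real seller, for comparison.
LEGIT_NOTE = """<p>Hi Alice,</p>
<p>Thanks for your order. Invoice for the two workshop seats is below.</p>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
HREF_RE = re.compile(r'href="([^"]+)"')
TAG_RE = re.compile(r"<[^>]+>")
# North American toll-free prefixes, optional leading 1, common separators.
TOLL_FREE_RE = re.compile(r"\b1?[-. ]?\(?8(?:00|33|44|55|66|77|88)\)?[-. ]?\d{3}[-. ]?\d{4}\b")
CALL_TO_PHONE_RE = re.compile(r"\b(?:contact|call) us at\b", re.I)
URGENCY = ("immediately", "unlawfully", "unauthorized", "within 24 hours", "suspended")
GENERIC_GREETINGS = ("dear paypal user", "dear customer", "dear user")


def build_sample(note_html):
    """Assemble a raw RFC 5322 message: fixed headers, blank line, note, links."""
    return HEADERS + "\n<html><body>\n" + note_html + INVOICE_LINKS + "</body></html>\n"


def auth_results(msg):
    """Map each authentication method to its result, e.g. {'spf': 'pass', ...}."""
    header = msg.get("Authentication-Results", "")
    return {m.lower(): r.lower() for m, r in AUTH_RE.findall(header)}


def link_hosts(html):
    """Sorted, de-duplicated hostnames of every href in the HTML body."""
    return sorted({urlparse(u).hostname or "" for u in HREF_RE.findall(html)})


def hosts_allowed(hosts, allowed=("paypal.com",)):
    """True when every host is an allowed domain or a subdomain of one."""
    return all(any(h == a or h.endswith("." + a) for a in allowed) for h in hosts)


def note_flags(text):
    """Content heuristics over the attacker-controlled invoice text."""
    low = text.lower()
    flags = []
    if TOLL_FREE_RE.search(text):
        flags.append("toll-free number in invoice text")
    if CALL_TO_PHONE_RE.search(text):
        flags.append("instruction to phone the sender")
    hits = [w for w in URGENCY if w in low]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    if any(g in low for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    return flags


def triage(raw):
    """Return authentication, link and content findings for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    auth = auth_results(msg)
    hosts = link_hosts(body)
    flags = note_flags(TAG_RE.sub(" ", body))
    return {
        "authenticated": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "link_hosts": hosts,
        "links_allowed": hosts_allowed(hosts),
        "flags": flags,
        # Auth and links pass for both samples; only the note content decides.
        "verdict": "suspicious" if flags else "clean",
    }


if __name__ == "__main__":
    for label, note in (("scam", SCAM_NOTE), ("legit", LEGIT_NOTE)):
        print(label, triage(build_sample(note)))
```

The design point is the order of checks: authentication and link allowlisting are kept, because a message that fails them is still worth rejecting, but a pass does not short-circuit the verdict. In a real mail pipeline the note text would be pulled from the invoice body or from PayPal's notification template rather than from a hand-built sample, and the toll-free pattern would be widened to the number formats seen in your own reports.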
It's no accident that one of the most prolific scams going right now -- the Zelle Fraud Scam -- starts with a text message about an unauthorized payment that appears to come from your bank. After all, financial institutions have spent years encouraging customers to sign up for mobile alerts via SMS about suspicious transactions, and to expect the occasional inbound call about possibly fraudulent transactions.

Also, today's scammers are less interested in stealing your PayPal login than they are in phishing your entire computer and online life with remote administration software, which seems to be the whole point of so many scams these days. Because why rob just one online account when you can plunder them all?

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you're unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually -- ideally, using a browser bookmark to avoid potential typosquatting sites. The same goes for phone numbers: call the number printed on your card or listed on the site you reached through your bookmark, not the one supplied in the message.

This entry was posted on Thursday 18th of August 2022 11:27 AM
Categories: A Little Sunshine, Latest Warnings, Web Fraud 2.0
Tags: PayPal, PayPal Business, PayPal invoice scam, Zelle Fraud Scam

19 thoughts on "PayPal Phishing Scam Uses Invoices Sent Via PayPal"

1. The Sunshine State, August 18, 2022
I've seen these types of phishing scams in the last couple of months; the one-eight-hundred number is being run by VoIP service bandwidth(dot)com and the email is being sent from Gmail/Google.

2. JamminJ, August 18, 2022
"all of the links in the email lead to paypal.com. Hovering over the "View and Pay Invoice" button shows the button indeed wants to load a link at paypal.com"
An interesting thing about trusting the "hover over links" method.
It may be safe only if the actual email client or webmail site can be trusted. Links in email bodies are just HTML. But if the website itself is malicious, hovering over links can be spoofed. This is done using special JavaScript functions like "onmousedown", where the link can be one thing, but as soon as you click on it, the dynamic code will intercept the mouse action and change the URL of the link. This can be seen most commonly in Google search results. Hovering over the search result links appears to take users directly to the website. But try a "right-click", and then hover again, and you'll see the link changes. Why? So Google can redirect you to a tracking redirection proxy and record where you are going before your browser sends you there.

3. Rob, August 18, 2022
Got one of these purporting to be an invoice from Kaspersky - disguised as an auto-renewal - today. Erred on the side of fraud / BS, but seeing your story was a timely reassurance.

4. Billy Jack, August 18, 2022
On another phishing scam going around, I received a text message yesterday that purported to be from yourtexasbenefits.com. I called the nearest Texas Health and Human Services office and talked to them. The woman I talked to said that there is a scam going around where the scammer is trying to get people's PIN numbers. I read the text message to her and she said that it didn't sound like anything they would ever send.

5. Daniel D. Teoli Jr., August 18, 2022
Good report... Thanks! Next time record the phone conversation with the scammer and upload it to the I.A. Go the distance.

6. Jen zatoth, August 18, 2022
I had an invoice for $699.00 with the number. It was an actual invoice sent through PayPal and generated the PayPal email alert for invoices. I looked up the PayPal number and contacted PayPal (after hitting 0 several times on the automated menu), and the agent said people are abusing the invoicing feature.
He requested forwarding the email alert to phishing@paypal[dot]com and to delete or cancel the fraudulent invoice.

7. K A, August 18, 2022
Two timely reminders:
1. Bookmark all important sites (email, banks, etc.) - just never click email or text links, go to bookmarks instead.
2. Similar to (1) - just never call phone numbers coming from emails or texts. Go to contacts/address book instead.
I always sign onto my computer as a 'standard' user - not admin. I use Firefox and I have a "profile" for emails and financial websites - separate from general browsing. Within my email/financial profile, I have NoScript to whitelist only my specific email/financial websites. The browser is also set to deny all cookies except for my specific email/financial websites. On the off chance that I clicked an email link... there's a good chance nothing will happen - nothing will be automatically downloaded and nothing will automatically execute.

8. SBK, August 18, 2022
Last week I had several texts and phone calls purportedly from my bank saying there was suspicious activity on my card. Called the main number and they saw nothing unusual and did not recognize the number I was asked to call. The messages had the last 4 digits, so I cancelled the card and they printed a new one at a nearby branch. Calls stopped as soon as I cancelled the card. ALWAYS call a number you know, not the one in messages.

9. Gail Jones, August 18, 2022
I have received many of these. I did call once but never sent any info.

10. Darryl, August 18, 2022
I received one of these last week around the time this made the rounds on Twitter. Instead of "Seller note to customer," mine read "A note from PayPal," which seemed a fair bit more convincing.

11. RickH, August 18, 2022
Got one of those today. First glance, looked legit. But not, of course. My PayPal address is where the email was received.
I analyzed the mail headers, and the DMARC and SPF records pointed to a few PayPal domains, and then the last one was not. I can forward the link to the mail header analysis page (on the mxtoolbox(dot)com site) if you want. Sent it to my spam folder and reported it to the Gmail folks.

12. Ed, August 18, 2022
I too just received a similar email yesterday. Since these fraudulent invoices are actually coming from PayPal, PayPal should not allow senders of invoices to have the ability to modify the business name, which is what has been changed to "Billing Department of PayPal." It is very simple for unsuspecting people to be tricked, as they see the legitimate email coming from PayPal with the spoofed business name and the spoofed logo. The sender of my fraudulent invoice unwisely included all of his actual contact information, including home address and email. I would like to report him directly, but I'm not sure if he himself might also be the victim of his PayPal account being hacked and then the actual perpetrator attempting to send the fraudulent invoices from that account.

13. John Rocket, August 18, 2022
Forward the email to the carrier for the number they want you to call; the carrier should shut the number down. To find out who the carrier is: https://www.ipqualityscore.com/free-carrier-lookup

14. Charles Bradley, August 18, 2022
I called the 800 number, figuring this was a scam, and got into a heated argument with the male on the other end, and he finally told me to "F**k off!" and hung up on me. Yeah, they're professional idiots!!

    Reply from K A, August 18, 2022
    I just can't be bothered wasting my time with spammers/hackers/touts. But reading your thread gave me an idea: next time I get one of these, I'll forward them to YouTubers who specialize in toying with spammers and touts!

15. David Howland, August 18, 2022
I got one of these a few weeks ago and it confused the hell out of me.
It was a legit PayPal email, but of course logging into my PayPal account showed no invoice. It had me worried because I'm sure my parents would have fallen for it.

16. Craig, August 18, 2022
I get dozens of these a week to personal emails, and see hundreds that get reported sent to the work email of my organization.

17. Roger McCoy, August 18, 2022
I received three of this same email over the last month. I forwarded them all to PayPal for them to investigate. They never replied. They were the most convincing phishing attempts I have ever seen. All the links went back to PayPal's website. Very convincing. The only giveaway was the 800 number did not match and the heading said "Dear PayPal user." PayPal will always address you by your user name.

18. Oscar Harris, August 18, 2022
This is not right. I lost that money.
(c) Krebs on Security