Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives — which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction — state that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.
KrebsOnSecurity recently heard from a reader who received an email from paypal.com that he immediately suspected was phony. The message’s subject read, “Billing Department of PayPal updated your invoice.”
While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to paypal.com. Hovering over the “View and Pay Invoice” button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com.
Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.
Both the email and the invoice state that “there is evidence that your PayPal account has been accessed unlawfully.” The message continues:
“$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number….”
Here’s the invoice that popped up when the “View and Pay Invoice” button was clicked:
The reader who shared this phishing email said he logged into his PayPal account and could find no signs of the invoice in question. A call to the toll-free number listed in the invoice was received by a man who answered the phone as generic “customer service,” instead of trying to spoof PayPal or Walmart. Very quickly into the conversation he suggested visiting a site called globalquicksupport[.]com to download a remote administration tool. It was clear then where the rest of this call was going.
I can see this scam tricking a great many people, especially since both the email and invoice are sent through PayPal’s systems — which practically guarantees that the message will be successfully delivered. The invoices appear to have been sent from a compromised or fraudulent PayPal Business account, which allows users to send invoices like the one shown above. Details of this scam were shared Wednesday with PayPal’s anti-abuse (phishing@paypal.com) and media relations teams.
PayPal said in a written statement that phishing attempts are common and can take many forms.
“We have a zero-tolerance policy on our platform for attempted fraudulent activity, and our teams work tirelessly to protect our customers,” PayPal said. “We are aware of this well-known phishing scam and have put additional controls in place to mitigate this specific incident. Nonetheless, we encourage customers to always be vigilant online and to contact Customer Service directly if they suspect they are a target of a scam.”
It’s remarkable how well today’s fraudsters have adapted to hijacking the very same tools that financial institutions have long used to make their customers feel safe transacting online. It’s no accident that one of the most prolific scams going right now — the Zelle Fraud Scam — starts with a text message about an unauthorized payment that appears to come from your bank. After all, financial institutions have spent years encouraging customers to sign up for mobile alerts via SMS about suspicious transactions, and to expect the occasional inbound call about possibly fraudulent transactions.
Also, today’s scammers are less interested in stealing your PayPal login than they are in phishing your entire computer and online life with remote administration software, which seems to be the whole point of so many scams these days. Because why rob just one online account when you can plunder them all?
The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.
I received a fraudulent invoice from PayPal today. I logged directly into PayPal, and the invoice is there. I didn’t click on any links in the email. I can’t figure out any way to delete the invoice or report it to PayPal since I haven’t paid anything.
Send the email to phishing@paypal.com so they can review it.
Same with me. I called paypal and they just had me forward the email to them. I was concerned because the invoice is also in my paypal account but they said just do not click Pay. I was assured no money would be taken.
I was scammed but
the crook asked for my Social Number. SCAM flag from GREED. I was to the point he had control of my PC. It is now offline.Pay.Pal will never see me again….I am buying a new PC tomorrow. This one is home configured and 10 years old. I do not like laptops (this PC)..
Today I was saved because my account was locked until I get the big PC cleaned. The final fence.
Is this ZELLE thing any safer?
Dick
I received an email in Gmail today that read: FWD: Shipment waiting for you acceptance, we try to get in touch our need for verify by postal officers. An invoice from “Paypal was attached to send $398 to Springfied Armory Inc. or call 910-817-4647 for assistance.
The invoice is not in my PayPal Account. Just reading the email shows me this is a spam. Did not pay anything.
I know who this is. At least I’m 97% sure.
I know who this is. At least I’m 97% sure.
I just received an invoice today and had no clue this scam was happening to people. I really believe it was legitimate, went into my Pay Pal saw the invoice. But instead of calling the website number I called the 1888 number on the email. I was scammed out of close to 10k today, primarily my crypto currency because they tapped into my Coinbase and Cash App accounts after asking me to download the Quick Support app which I did like an idiot and got taken. I should have known better. But this is just to let everyone know please be cautious because thieves are out there preying on your hard earned money.
Sorry about that.. that really sucks.. just got the email tonight and started researching before clicking and yours along with others helped me believe that it was a scam.. So thank you..
Phishers can choose to do a better job of impersonating.
There have been researchers who seem to suggest that phishers actually *choose* / *evolve* not to do a better job.
By not being pixel-perfect in their impersonation, it weeds out the “smarter” audience, leaving only the ones most likely to be tricked and saves the attackers the energy that might be lost in failing to trick that “smarter” audience. Some of those “smarter” folks will actively toy with phishers (as a public service) [1].
That said, I wouldn’t rely on phishers not to do a better job. They do evolve/adjust their tactics over time.
[1] https://mashable.com/article/email-bot-rescam-scam
I have received 4 of these emails. I knew it was BS because I have NEVER opened a PayPal account, and I ignored each email, and deleted them. I have also gotten a bunch of offers from various vendors to get free high dollar retail items, which I never open, but delete after reporting SPAM. I am so glad I researched this and found this article! Thanks!!
my BS detector started when i saw “dear paypal user”
It wasn’t sent to the adress I use for paypal either, so I googled and found this page.
I got two of these on an email address that does not have a paypal account. I was curious about it, because I recognized immediately it was a phish because it didn’t address me by name and of course came to an email address that doesn’t have a paypal account attached to it.
I did look at the headers and the links and marveled at how good most of that looked. The fact that it was missing all the context particulars (like who the invoice was from and addressing me by my name) were dead giveaways but I didn’t know the mechanism for the scam (i didn’t click the links or call the number).
I got one today 09/06/22 with the message: “Kimberly Wischmeyer sent you a money request. We’ve detected that your Pay Pal account has been accessed fraudulently. If you did not make this transaction please call us at 1-888 260 0764 to cancel the and claim a refund. Furthermore, I checked my account and I did not show any record of any transactions, I deleted my account to be sure. I then called the number, and talked with a man who named himself RYAN WILLIAMS, employee number 119320. He attempted to ask me what type of laptop or desktop I was using and then wanted me to install an application called QuickSupport Team Viewer. I already knew it was a Remote desktop viewer type of application. At this point, I started to mess with him, which made him very angry, and he began to yell at me and hung up on me. Talk about good customer service! lol I then got a message on my other email account with the same message, asked to call a different number. Which is strange, because this email I have no PayPal account, therefore, Im not sure why this has happened. When I attempted to log in with this email, no email was found. Maybe someone can help me. thanks
2 emails so far:- INVOICE FROM BITCOIN
This is definitely a LAWSUIT against PAYPAL !!!
I received yet another bogus PayPal invoice today (“Hello, Invoice From Bitcoin Exchange”). What makes this scam so much worse that usual is that it’s an actual feature on paypal.com and the emails are being sent from service@paypal.com. They have not fixed this even though it’s been a known flaw for ~3 weeks or more. PayPal should be liable for any funds stolen from their own users.
Received today with legit paypal headers:
Hello, Invoice From Bitcoin Exchange
Here’s your invoice
Bitcoin Exchange sent you an invoice for $499.99 USD
Due on receipt
Happened to me today and started panicking, it was an 888 number and it just said that I had an invoice ready for 679 … I’m lowkey in debt so idk who they were gonna get it from. So I went on my account. There was a notification, and it showed the invoice on my messages. I then called the PayPal 844 number and they let me know it’s the phishing scam. To not respond and that they are reporting the person as well. They said everything is completely covered but just to know there are alot of scammers getting ready for the holidays.
I received an invoice last night charging me over $2,000 for a MacBook Pro. I ALWAYS use my PayPal for transfers within MY FAMILY only and they de use to scan someone like me who is only trying to get by. I cancelled the invoice, called “customer service” spoke to a “John Thomas” with an accent who said he would take care of it, hung up on me, then all these random invoices for this SAME amount appear in my account as if I GENERATED them. So I immediately changed my password and PIN for higher security
Is anyone doing ANYTHING proactivly on this?
What I mean is…..We should have some Fake PayPal, Facebook, accounts, et al that we can use to send them too
So they get a bunch of Blanked out information
So tired of this….I’m ready to totally disconnect from the World
It Never Ends
I just got a very sophisticated one from “Norton Software” for $700. I logged in and cancelled the invoice. I also changed my password.
Got this today, Sept 13. Is PayPal actually doing anything about it?
Got one today, looked really. I logged in with the PayPal app and there was no invoice. Next I Googled PayPal invoice scam and found this thread! Thanks for posting!
These people got me for several thousand last week. I always have my guard up (I checked the email sender, website certificate and the website was fully functioning) but this one time, they had me in a weak, distracted moment as I was dealing with a recent death in the family. Next thing I know, I was on the phone for 3 hours with my bank account being held hostage unless I did what they said. Once they get you hooked, its a very layered, sophisticated con. I’m still pissed, very embarrassed and looking forward to helping any investigation into this group (that will probably never happened). Be wary people, don’t respond to any email from PayPal.
We were also taken for several thousand yesterday JakeG. We are filing an FBI report and already finding some information out. I would also love to help in any investigation in any way possible.
Happened to me today. The only difference is the email said the fraudulent activity was a Best Buy gift card. When I called the number, the “agent” started asking me questions that made me suspicious, including asking for my computer’s IP address. I don’t normally fall for these scams, but this email really looked legit.
Same thing happened to me today. Got a message from my phone saying this Ronald Siciliano from a Chicago address sent me an invoice for $699.99.
Note below read:
“Seller note to customer
We have detected some suspicious activities with your PayPal account. If you did not make this transaction, please call us at toll free number +1(888) 439-2108 to cancel and claim a refund. If this is not the case, you will be charged $699.99 today. Within the automated deduction of the amount, this transaction will reflect on PayPal activity after 24 hours. Our Service Hours: (06:00 a. m. to 06:00 p. m. Pacific Time, Monday through Friday)”
Knew right away this was a phishing scam as the number did not match the paypal customer service number. I called papypal and they cancelled the transaction. I then changed my password which is crazy because I have a password that is basically impossible to break.
The reader’s email is visible in the screenshot! I think they have to expect more PayPal scam emails coming their way! :-/
Got one of these today. When the “from” email address checked out, I called the number. What should have tipped me off was that the “we’ve detected fraudulent activity on your account” message was under “Message from the Seller” section. Anyway, it didn’t, and I was connected with someone with a heavy accent. But things seemed “off” and when he asked me to download software to remotely control my phone, I bailed. Without having provided any secure info., of course. A follow-up phone call to actual PayPal revealed just what you describe above.
Ugh. So much dishonesty in the world. Sad.