August 18, 2022

Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives — which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction — state that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.

KrebsOnSecurity recently heard from a reader who received an email from paypal.com that he immediately suspected was phony. The message’s subject read, “Billing Department of PayPal updated your invoice.”

A copy of the phishing message included in the PayPal.com invoice.

While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to paypal.com. Hovering over the “View and Pay Invoice” button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com.

Also, the email headers in the phishing message (PDF) show that it passed all email validation checks (SPF, DKIM and DMARC, the checks receiving mail servers use to confirm that a message really came from the domain it claims) as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.

Both the email and the invoice state that “there is evidence that your PayPal account has been accessed unlawfully.” The message continues:

“$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number….”
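That detail is what defeats the usual "check the sender" advice: the message passes the receiving server's SPF, DKIM and DMARC checks because PayPal's systems really did send it, so a pass proves only that the mail came through the platform, not who filled in the invoice. The script below is an added example written for this article, not code from KrebsOnSecurity or PayPal. It triages a constructed message modelled on the one quoted above (the 1-800-555-0199 number, the "Acme Widgets" control message and the KNOWN_SUPPORT_NUMBERS allowlist are placeholders, not real PayPal numbers) and flags the combination an analyst actually cares about here: a fully authenticated sender, a callback number that is not on a list verified out of band, and pressure language in the body.

```python
"""Triage an invoice notification that passes the receiver's sender checks.

Added example, not code from KrebsOnSecurity or PayPal. The messages,
the phone numbers and the allowlist are constructed for the demo.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed message modelled on the one in the article. 1-800-555-0199
# is a fictitious number, not a real PayPal line.
PHISH = """\
From: "Billing Department of PayPal" <service@paypal.com>
To: victim@example.net
Subject: Billing Department of PayPal updated your invoice
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com;
 dmarc=pass header.from=paypal.com
Content-Type: text/plain; charset=utf-8

There is evidence that your PayPal account has been accessed unlawfully.
$600.00 has been debited to your account for the Walmart Gift Card
purchase. If you suspect you did not make this transaction, immediately
contact us at the toll-free number 1-800-555-0199.
"""

# Control case: the same authenticated headers with an ordinary invoice body.
BENIGN = PHISH.split("\n\n")[0] + (
    "\n\nAcme Widgets sent you an invoice for $12.00. "
    "Log in to PayPal to view it.\n"
)

# Hypothetical allowlist of support numbers verified out of band
# (placeholder digits; look the real ones up on the provider's own site).
KNOWN_SUPPORT_NUMBERS = {"8005550100"}

TOLL_FREE = ("800", "833", "844", "855", "866", "877", "888")
URGENCY = ("immediately", "accessed unlawfully", "within 24 hours",
           "suspect you did not make")
PHONE_RE = re.compile(r"\+?1?[-.\s]?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_results(msg):
    """Map spf/dkim/dmarc to their result in the Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower()
            for m in AUTH_RE.finditer(header)}


def callback_numbers(text):
    """Every toll-free number in the body, normalised to ten digits."""
    found = []
    for raw in PHONE_RE.findall(text):
        digits = re.sub(r"\D", "", raw)
        if len(digits) == 11 and digits.startswith("1"):
            digits = digits[1:]
        if (len(digits) == 10 and digits.startswith(TOLL_FREE)
                and digits not in found):
            found.append(digits)
    return found


def triage(raw):
    """Return the facts an analyst needs plus a verdict.

    'authenticated' means the platform really sent it; 'suspect' means it
    also carries an unverified callback number and pressure language,
    which is the shape of the invoice scam described in the article.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    auth = auth_results(msg)
    _, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    numbers = callback_numbers(body)
    unknown = [n for n in numbers if n not in KNOWN_SUPPORT_NUMBERS]
    urgency = [p for p in URGENCY if p in body.lower()]
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    if not authenticated:
        verdict = "unauthenticated"
    elif unknown and urgency:
        verdict = "suspect"
    else:
        verdict = "authenticated"
    return {"from_domain": from_domain, "auth": auth,
            "callback_numbers": numbers, "unknown_numbers": unknown,
            "urgency": urgency, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, triage(raw))
```

The verdict deliberately never downgrades a message for failing the allowlist alone: legitimate sellers put their own phone numbers on invoices too. It is the pairing of an unverified number with "act now" language, on a message that is otherwise indistinguishable from a real platform notification, that earns the "suspect" label and a call to the number printed on the provider's own site instead.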

Here’s the invoice that popped up when the “View and Pay Invoice” button was clicked:

The phony PayPal invoice, which was sent and hosted by PayPal.com.

The reader who shared this phishing email said he logged into his PayPal account and could find no signs of the invoice in question. A call to the toll-free number listed in the invoice was received by a man who answered the phone as generic “customer service,” instead of trying to spoof PayPal or Walmart. Very quickly into the conversation he suggested visiting a site called globalquicksupport[.]com to download a remote administration tool. It was clear then where the rest of this call was going.

I can see this scam tricking a great many people, especially since both the email and invoice are sent through PayPal’s systems — which practically guarantees that the message will be successfully delivered. The invoices appear to have been sent from a compromised or fraudulent PayPal Business account, which allows users to send invoices like the one shown above. Details of this scam were shared Wednesday with PayPal’s anti-abuse (phishing@paypal.com) and media relations teams.

PayPal said in a written statement that phishing attempts are common and can take many forms.

“We have a zero-tolerance policy on our platform for attempted fraudulent activity, and our teams work tirelessly to protect our customers,” PayPal said. “We are aware of this well-known phishing scam and have put additional controls in place to mitigate this specific incident. Nonetheless, we encourage customers to always be vigilant online and to contact Customer Service directly if they suspect they are a target of a scam.”

It’s remarkable how well today’s fraudsters have adapted to hijacking the very same tools that financial institutions have long used to make their customers feel safe transacting online. It’s no accident that one of the most prolific scams going right now — the Zelle Fraud Scam — starts with a text message about an unauthorized payment that appears to come from your bank. After all, financial institutions have spent years encouraging customers to sign up for mobile alerts via SMS about suspicious transactions, and to expect the occasional inbound call about possibly fraudulent transactions.

Also, today’s scammers are less interested in stealing your PayPal login than they are in phishing your entire computer and online life with remote administration software, which seems to be the whole point of so many scams these days. Because why rob just one online account when you can plunder them all?

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.


131 thoughts on “PayPal Phishing Scam Uses Invoices Sent Via PayPal”

  1. The Sunshine State

    I’ve seen these types of phishing scams in the last couple of months; the one-eight-hundred number is being run by VoIP service bandwidth(dot)com and the email is being sent from Gmail/Google.

    1. Tasha

      I was scammed out of $750 by someone on PayPal and I never got my money back. This was like March of this year. The emails looked like PayPal documents but apparently were not.

    2. wired420

      Bandwidth dot com is the scammers’ VoIP service of choice in the USA. Try to report abuse to them. They’ll just claim it’s not their phone number even though their name is on it. Company is run by crooks as bad as the scammers.

      1. BajaFresh

        And, unfortunately, if the carriers just stopped blocking Bandwidth.com, anyone who uses Google Voice loses.

      2. Wynne

        Great tip. Thanks. Hopefully the people in comments are reading this!

      3. an_n

        It’s possible they sublease a range in question and are correct in telling you that.
        Most companies don’t do hard investigations into abuse until absolutely forced to.

  2. JamminJ

    “all of the links in the email lead to paypal.com. Hovering over the “View and Pay Invoice” button shows the button indeed wants to load a link at paypal.com”

    An interesting thing about trusting the “hover over links” method. It may be safe only if the actual email client or webmail site can be trusted. Links in email bodies are just HTML. But if the website itself is malicious, hovering over links can be spoofed.
    This is done using special javascript functions like “onmousedown”, where the link can be one thing, but as soon as you click on it, the dynamic code will intercept the mouse action and change the URL of the link.
    This can be seen most commonly in Google search results. Hovering over the search result links appears to take users directly to the website. But try a “right-click”, and then hover again, and you’ll see the link changes. Why? So Google can redirect you to a tracking redirection proxy and record where you are going before your browser sends you there.

    1. Soysauce

      Wow that is interesting about the Google search results. Funny enough, doing that in Chrome doesn’t reveal the tracking redirection proxy, but Firefox will show it.

      1. JamminJ

        Yeah, Chrome is made by Google, so they have an easier way to track users as they navigate, the “ping” HTML5 method. Basically does their tracking without redirection.

        1. Soysauce

          I tested this out on Bing and DuckDuckGo. Bing doesn’t even try to hide the fact that it redirects you. DuckDuckGo is legit in what they’re selling and I don’t see a redirection URL.
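JamminJ’s point above, that a link can show one destination on hover and submit another on click, can be checked mechanically in a message’s HTML before anything is rendered. The script below is an added example by the editor, not code from the commenter, the article or PayPal; its sample HTML is constructed. It lists every anchor, flags mouse event handlers and `ping` attributes (the two mechanisms named in this thread), and flags visible link text that names a different host than the href. It inspects only the markup it is given; it cannot see what a malicious webmail site injects at render time, which is exactly the limit the comment describes.

```python
"""Audit anchors in an HTML email body for hover/click deception.

Added example; the HTML below is constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one honest link, then the three tricks discussed.
SAMPLE_HTML = """
<p><a href="https://www.paypal.com/invoice/p/abc123">View and Pay Invoice</a></p>
<p><a href="https://www.paypal.com/"
      onmousedown="this.href='https://evil.example/login'">www.paypal.com</a></p>
<p><a href="https://example.org/" ping="https://tracker.example/log">example.org</a></p>
<p><a href="https://evil.example/signin">https://www.paypal.com/signin</a></p>
"""

# Handlers that fire before navigation and can rewrite href (the onmousedown
# trick); onclick is included because it can cancel the click and redirect.
EVENT_ATTRS = ("onmousedown", "onmouseup", "onclick", "onmouseover")


class LinkCollector(HTMLParser):
    """Collect each <a> element's attributes and its visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = {"attrs": dict(attrs), "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def displayed_host(text):
    """Host named by the visible link text, if the text looks like a URL or host."""
    text = text.strip()
    if "://" in text:
        return host_of(text)
    if "." in text and " " not in text:
        return host_of("https://" + text)
    return ""


def audit_links(html):
    """Return one finding per anchor: href, visible text and a list of flags."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for link in parser.links:
        attrs, text = link["attrs"], link["text"].strip()
        href = attrs.get("href") or ""
        flags = []
        handlers = [a for a in attrs if a in EVENT_ATTRS]
        if handlers:
            flags.append("event-handler:" + ",".join(handlers))
        if "ping" in attrs:
            flags.append("ping")
        shown = displayed_host(text)
        if shown and shown != host_of(href):
            flags.append("text-href-mismatch")
        findings.append({"href": href, "text": text, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_HTML):
        print(f["flags"] or ["ok"], repr(f["text"]), "->", f["href"])
```

Note that the invoice email in the article would pass this audit cleanly, since its links really do point at paypal.com; the audit catches spoofed links, not abuse of a legitimate platform, which is why the phone number rather than the link is the tell in this particular scam.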

  3. Rob

    Got one of these purporting to be an invoice from Kaspersky, disguised as an auto-renewal, today. Erred on the side of fraud/BS, but seeing your story was a timely reassurance.

  4. Billy Jack

    On another phishing scam going around, I received a text message yesterday that purported to be from yourtexasbenefits.com. I called the nearest Texas Health and Human Services office and talked to them. The woman I talked to said that there is a scam going around where the scammer is trying to get people’s PIN numbers. I read the text message to her and she said that it didn’t sound like anything they would ever send.

  5. Jen zatoth

    I had an invoice for $699.00 with the number. It was an actual invoice sent through PayPal and generated the PayPal email alert for invoices. I looked up the PayPal number and contacted PayPal (after hitting 0 several times on the automated menu), and the agent said people are abusing the invoicing feature. He requested forwarding the email alert to phishing@paypal[dot]com and to delete or cancel the fraudulent invoice.

  6. Catwhisperer

    My question is: Did the person acting as customer service have a Mumbai or Lahore British accent. It seems that is happening a lot lately with all kinds of scam calls. Everything from auto warranty cold calls to, now, cold calls from Medicare, ALL have that distinctive accent that lets the cat out of the bag. So they all get to talk to my virtual assistant Mr. Howley. He loves to chat…

    Mr. Howley can be your assistant too. He lives on YouTube, LOL!
    https://www.youtube.com/watch?v=PYar0dkZ6v8

    1. Linden

      Seriously? A link to YouTube? Go back to Facebook. Geez, why don’t you just post the link to the scamming site directly, too, so readers don’t have to wait for their scammy email. I’m surprised Krebs Security allows links. They sure won’t let me make more than 1 comment!

      1. mealy

        He selectively allows links and there is a delay in approving them as there needs to be.
        But you don’t need to post an actual link to post the relevant parts of the URL anyway.
        A link is more dangerous than a segmented www dot domain dot com.

  7. K A

    Two timely reminders:

    1. Bookmark all important sites (email, banks, etc.) – just never click email or text links, go to bookmarks instead.
    2. Similar to (1) – just never call phone numbers coming from emails or texts. Go to contacts/address book instead.

    I always sign onto my computer as a ‘standard’ user – not admin. I use Firefox and I have a “profile” for emails and financial websites – separate from general browsing. Within my email/financial profile, I have NoScript to whitelist only my specific email/financial websites. The browser is also set to deny all cookies except for my specific email/financial websites. On the off chance that I clicked an email link… there’s a good chance nothing will happen – nothing will be automatically downloaded and nothing will automatically execute.

  8. SBK

    Last week I had several texts and phone calls purportedly from my bank saying there was suspicious activity on my card. Called the main number and they saw nothing unusual and did not recognize the number I was asked to call. The messages had the last 4 digits so I cancelled the card and they printed a new one at a nearby branch. Calls stopped as soon as I cancelled the card. ALWAYS call a number you know not the one in messages.

  9. Darryl

    I received one of these last week around the time this made the rounds on Twitter. Instead of, “Seller note to customer,” mine read, “A note from PayPal” which seemed a fair bit more convincing.

  10. RickH

    Got one of those today. First glance, looked legit. But not, of course. My PayPal address is where the email was received.

    I analyzed the mail headers, and the DMARC and SPF records pointed to a few PayPal domains, and then the last one was not. I can forward the link to the mail header analysis page (on the mxtoolbo(dot)com site) if you want.

    Sent it to my spam folder and reported to the gmail folks.

  11. Steven P

    I received one of these for an iPhone. I didn’t click on any of the links in the email but just logged directly into my PayPal account. The invoice was there. I looked for a good 15 minutes or so to find out how to report the invoice and state categorically that I didn’t order any iPhone. I did some research and found out these scams happen every once in a while. I couldn’t find any way to report it to PayPal, so I just ignored it.

    PayPal is pretty useless for buyer protection. I had a dispute with a vendor and PayPal just kept taking the seller’s side. I finally disputed the charge with my credit card company. I finally won, but it was a major hassle. I would never leave money in a PayPal account or use a debit card for transactions.

  12. Ed

    I too just received a similar email yesterday. Since these fraudulent invoices are actually coming from PayPal, PayPal should not allow senders of invoices to have the ability to modify the business name which is what has been changed to “Billing Department of PayPal.” It is very simple for unsuspecting people to be tricked as they see the legitimate email coming from PayPal with the spoofed business name and the spoofed logo.

    The sender of my fraudulent invoice unwisely included all of his actual contact information including home address and email. I would like to report him directly but I’m not sure if he himself might also be the victim of his PayPal account being hacked and then the actual perpetrator attempting to send the fraudulent invoices from that account.

  13. Charles Bradley

    I called the 800 number, figuring this was a scam, and got into a heated argument with the male on the other end and he finally told me to “F**k off!” and hung up on me. Yeah, they’re professional idiots!!

    1. K A

      I just can’t be bothered wasting my time with spammers/hackers/touts. But reading your thread gave me an idea: Next time I get one of these, I’ll forward them to Youtubers who specialize in toying with spammers and touts!

      1. AM

        One of the most well known YT’rs is Pierogi / Scammer Payback. He has an address to forward scam emails to.
        scammerpaybacktipline [at] gmail [dot] com

        1. an_n

          This does fit the profile of the Calcutta operation.

    2. Dawn Porto

      Haha obviously they were pissed off that they didn’t get you! Good for you!

  14. David Howland

    I got one of these a few weeks ago and it confused the hell out of me. It was a legit Paypal email but of course logging into my Paypal account showed no invoice. It had me worried because I’m sure my parents would have fallen for it.

  15. Craig

    I get dozens of these a week to personal emails, and see hundreds that get reported sent to work email of my organization.

  16. Roger McCoy

    I received three of this same email over the last month. I forwarded them all to PayPal for them to investigate. They never replied. They were the most convincing phishing attempts I have ever seen. All the links went back to PayPal’s website. Very convincing. The only giveaway was the 800 number did not match and the heading said dear PayPal user. PayPal will always address you by your user name.

  17. MD

    Just got one of these today. Smelled fishy.

    Details as described in this excellent article.

    Stay alert, folks!

  18. Tj fletcher

    I’ve never gotten $600 from you guys, ever. Somebody might have been using my account or something, I don’t know, but I never got no money from you guys.

  19. Catherine Maddox

    Yes, I just literally chatted with PayPal on my account app plus the email address associated with my PayPal account and told them the same thing. The only thing different was the amount, which was $750. But yes, everyone, please be safe out there, not only on the streets but everywhere, including the internet, phone, everywhere.

  20. Michael Bertrand

    I get these also; they are always trying to scam me.

  21. Sandra Strauss

    I have received three emails regarding invoices for $499.99 each. I did not respond or call the number in the emails. I have not used my account in a very long time.

  22. Lindy

    I got an invoice from PayPal.
    First… I haven’t bought anything through PayPal in ages (just a donation to some guy named Krebs).
    Second… I don’t buy crypto so… no worries.
    But I did take a look at the raw source of the email… it was from
    (I changed the digits so don’t bother with it) but does that look like an address from PayPal!!!?
    I feel really badly for people who freak out when they see an invoice for $500 and click to make them “stop the order.”
    Thanks Brian…. always terrific.

  23. MJC

    There are similar scam emails circulating using Intuit’s QuickBooks invoice system, even coming from an intuit.com address.

  24. IT Xpress

    We’re seeing the exact same thing via QuickBooks Online. The email, invoices, and information look 100% legitimate. Just the 800 number is bogus. Genius way to evade newer anti phishing tech TBH.

  25. Wynne

    Thanks. Hopefully the people in comments are reading this! Its a good tip and no links to YouTube! YAY!

  26. Cary

    Be nice if there was a like button!

    Good grief Krebs is telling me I’m commenting too quickly, and also I’m posting duplicate comments. Why don’t they also stop people from posting YouTube links in comments?
