August 18, 2022

Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. The missives — which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction — state that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.

KrebsOnSecurity recently heard from a reader who received an email from paypal.com that he immediately suspected was phony. The message’s subject read, “Billing Department of PayPal updated your invoice.”

A copy of the phishing message included in the PayPal.com invoice.

While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to paypal.com. Hovering over the “View and Pay Invoice” button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com.

Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.

Both the email and the invoice state that “there is evidence that your PayPal account has been accessed unlawfully.” The message continues:

“$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number….”

Here’s the invoice that popped up when the “View and Pay Invoice” button was clicked:

The phony PayPal invoice, which was sent and hosted by PayPal.com.

The reader who shared this phishing email said he logged into his PayPal account and could find no signs of the invoice in question. A call to the toll-free number listed in the invoice was received by a man who answered the phone as generic “customer service,” instead of trying to spoof PayPal or Walmart. Very quickly into the conversation he suggested visiting a site called globalquicksupport[.]com to download a remote administration tool. It was clear then where the rest of this call was going.

I can see this scam tricking a great many people, especially since both the email and invoice are sent through PayPal’s systems — which practically guarantees that the message will be successfully delivered. The invoices appear to have been sent from a compromised or fraudulent PayPal Business account, which allows users to send invoices like the one shown above. Details of this scam were shared Wednesday with PayPal’s anti-abuse (phishing@paypal.com) and media relations teams.

PayPal said in a written statement that phishing attempts are common and can take many forms.

“We have a zero-tolerance policy on our platform for attempted fraudulent activity, and our teams work tirelessly to protect our customers,” PayPal said. “We are aware of this well-known phishing scam and have put additional controls in place to mitigate this specific incident. Nonetheless, we encourage customers to always be vigilant online and to contact Customer Service directly if they suspect they are a target of a scam.”

It’s remarkable how well today’s fraudsters have adapted to hijacking the very same tools that financial institutions have long used to make their customers feel safe transacting online. It’s no accident that one of the most prolific scams going right now — the Zelle Fraud Scam — starts with a text message about an unauthorized payment that appears to come from your bank. After all, financial institutions have spent years encouraging customers to sign up for mobile alerts via SMS about suspicious transactions, and to expect the occasional inbound call about possibly fraudulent transactions.

Also, today’s scammers are less interested in stealing your PayPal login than they are in phishing your entire computer and online life with remote administration software, which seems to be the whole point of so many scams these days. Because why rob just one online account when you can plunder them all?

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.


131 thoughts on “PayPal Phishing Scam Uses Invoices Sent Via PayPal”

  1. Wayne

    I can see my dad falling for this, as he has fallen for a couple of other scams. Fortunately he hasn’t lost any money – yet.

    1. Eggs Erroneous

      A notice from the actual PayPal will have the customer’s name and not a generic “to whom it may concern” for the person they are writing to.

    2. Ryan

      I could see my dad falling for it too. It’s sad because the older generation is mostly unaware of email phishing scams such as this one. We have to make sure when we notice things like this that we actually take a couple of minutes to make older individuals aware, and to warn them of what they access from their emails. What if the money they are able to scam out of us is the same money used to pay the bills? Now the bills are not getting paid because of a lack of awareness. Let’s never allow our growth of knowledge to become a stumbling block for our outreach. We have to care for others, or the knowledge we have will cause us to become hardened and numb towards others.

  2. Bama

    I got one of those emails too. I didn’t click on anything in the email. I logged into my PayPal and there was nothing in my account to confirm the email. Knew it was a scam. I deleted the email.

  3. Sandra Webster

    Is there anything you can do about this? Because I think that my account has been hacked.

    1. Stefano Sandano

      If you use AOL as your email provider, you may have received those types of messages. I highly recommend migrating to Gmail instead. I doubt that Google will let those types of messages get to your inbox.

      1. Peter S.

        I got the exact one in this article to my Gmail just now. The email is legitimately sent from the service@paypal.com email so Google doesn’t flag it at all.

  4. Art R

    There seems to be a stereotype that older people are the most susceptible to these scams. I have read on several occasions the most likely group is actually the 20-30’s. But, since they don’t have as much money, they don’t make the popular press. Unfortunately, I can’t find the references to those articles.

    1. Jerry Atrick

      That sounds like something an older person might say

      1. Melanie

        And that sounds like something an ignorant younger person might say… come on… we can do better than this

  5. Oh noes

    “Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.”

    Looking at the header, the email was sent by:
    Received: from mx0.slc.paypal.com (mx0.slc.paypal.com. [173.0.84.225])

    Two things. First, paypal’s SPF record is set for SOFTFAIL (the ‘~all’ at the end of the record):

    v=spf1 include:pp._spf.paypal.com include:3ph1._spf.paypal.com include:3ph2._spf.paypal.com include:3ph3._spf.paypal.com include:3ph4._spf.paypal.com include:3ph5._spf.paypal.com include:aspmx.pardot.com ~all

    which means anyone can spoof their email. I think Google servers and others fail these via their anti-spam/phishing rules, but end users using less well protected email servers would be vulnerable.

    Second, according to the header, this email really did come from paypal. No intermediary servers, straight from paypal to google. Not a usual spoofed/misspelled domain phishing email, the attackers used a paypal server.

    My reading of this (as a recently retired systems admin) is either that paypal has/had an actual intrusion or vulnerability that allowed attackers to use their infrastructure or they had malicious staff performing the attack. So, after fixing the fault (and hopefully publicly reporting what happened) they should also set their SPF records to FAIL non-authorized server addresses.

    1. Email Dude

      “First, paypal’s SPF record is set for SOFTFAIL (the ‘~all’ at the end of the record): ….. which means anyone can spoof their email.”

      This statement is incorrect.

      Paypal has a DMARC policy of reject, so any failure of SPF, regardless of soft or hardfail is irrelevant. For all intents and purposes, if an email fails SPF authentication or alignment, it will fail DMARC checks for SPF, which only leaves DKIM for authentication, if a valid and aligned signature is available on the message.

      So, no, anyone can *not* spoof their email; assuming of course the targeted receiver respects published DMARC policies, but that’s an entirely different problem related to RFC interpretation.
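
The thread above disputes whether PayPal’s SPF softfail matters once a DMARC reject policy is published, and the article itself notes that the phishing message “passed all email validation checks.” The following is an added example, not code from KrebsOnSecurity, PayPal or either commenter, showing how a receiving mail server turns SPF and DKIM verdicts plus the sender’s DMARC record into a disposition, and why a message relayed by the brand’s own infrastructure (as this invoice was) produces exactly the same verdicts as a genuine notification. Everything in it is constructed for illustration: the Authentication-Results lines, the DKIM selector, the example.net/example.invalid names and the DMARC records. The p=reject policy is taken from the comment above rather than from a live DNS lookup, and org_domain() is a two-label stand-in for the Public Suffix List logic a real evaluator would use.

```python
# Added example: DMARC evaluation over SPF/DKIM verdicts. Not code from
# KrebsOnSecurity, PayPal or the commenters; all inputs below are constructed.
import re
from typing import Optional

DMARC_DEFAULTS = {"adkim": "r", "aspf": "r"}  # relaxed alignment unless the record says otherwise


def parse_dmarc(record: str) -> Optional[dict]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s'.

    Returns None when the record is not DMARC or has no usable 'p' tag
    (RFC 7489 s6.6.3: with a 'rua' tag present, act as p=none instead).
    """
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    if tags.get("p") not in ("none", "quarantine", "reject"):
        if "rua" not in tags:
            return None
        tags["p"] = "none"
    return {**DMARC_DEFAULTS, **tags}


def org_domain(domain: str) -> str:
    """Organizational domain by the last two labels. Real evaluators use the
    Public Suffix List (this is wrong for co.uk etc.); fine for .com here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' needs an exact match, 'r' only the
    same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_auth_results(header: str) -> dict:
    """Extract (result, authenticated domain) for SPF and DKIM from an
    Authentication-Results header; only the first DKIM signature is read."""
    out = {"spf": ("none", ""), "dkim": ("none", "")}
    m = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=([^\s;]+)", header)
    if m:
        out["spf"] = (m.group(1).lower(), m.group(2).split("@")[-1])
    m = re.search(r"\bdkim=(\w+)[^;]*?header\.[di]=([^\s;]+)", header)
    if m:
        out["dkim"] = (m.group(1).lower(), m.group(2).split("@")[-1])
    return out


def dmarc_evaluate(from_domain: str, auth_results: str, dmarc_record: str) -> dict:
    """DMARC passes if EITHER SPF or DKIM passed AND that identifier aligns
    with the RFC5322.From domain. An SPF softfail (the sender's '~all') is
    simply not a pass: under p=reject the message is rejected unless an
    aligned DKIM signature rescues it."""
    policy = parse_dmarc(dmarc_record)
    if policy is None:  # no usable policy: nothing to enforce
        return {"dmarc": "none", "disposition": "none",
                "spf_aligned": False, "dkim_aligned": False}
    res = parse_auth_results(auth_results)
    spf_ok = res["spf"][0] == "pass" and aligned(res["spf"][1], from_domain, policy["aspf"])
    dkim_ok = res["dkim"][0] == "pass" and aligned(res["dkim"][1], from_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    return {"dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy["p"],
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


# --- Constructed sample inputs (not copied from the article's header PDF) ---
FROM_DOMAIN = "paypal.com"
# Assumed policy, taken from the comment above rather than a live DNS lookup.
RECORD_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid"
RECORD_NONE = "v=DMARC1; p=none"
# 1) Relayed by the brand's own MTA, as the invoice in the article was:
#    the verdicts are indistinguishable from a genuine notification's.
AR_OWN_INFRA = ("mx.example.net; spf=pass (sender IP is 173.0.84.225) "
                "smtp.mailfrom=paypal.com; dkim=pass header.i=@paypal.com "
                "header.s=constructed-selector")
# 2) Classic spoof from an unrelated host: '~all' yields softfail, no DKIM.
AR_SPOOF = ("mx.example.net; spf=softfail (sender IP is 198.51.100.7) "
            "smtp.mailfrom=paypal.com; dkim=none")
# 3) SPF passes, but for a third-party bounce domain that does not align.
AR_UNALIGNED = "mx.example.net; spf=pass smtp.mailfrom=bounce.mailer.invalid; dkim=none"

if __name__ == "__main__":
    for label, ar in [("own infra", AR_OWN_INFRA), ("spoof", AR_SPOOF), ("unaligned", AR_UNALIGNED)]:
        print(f"{label:10s} p=reject -> {dmarc_evaluate(FROM_DOMAIN, ar, RECORD_REJECT)}")
    print(f"spoof      p=none   -> {dmarc_evaluate(FROM_DOMAIN, AR_SPOOF, RECORD_NONE)}")
```

Running it shows the point both the article and the reply make: the spoofed message is rejected under p=reject regardless of SPF soft versus hard fail, the same spoof would only be monitored under p=none, and the message that genuinely left the brand’s own servers passes everything. Header authentication answers “did this leave the sender’s infrastructure?”, not “is the invoice legitimate?”, which is why the tell here is the content (the phone number, the generic greeting, the urgency) rather than the headers.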

  6. Patricia Ross

    I almost got taken for $10,600 but was able to get UPS to intercept the package before it reached its destination and I got my money back. In retrospect, there were red flags everywhere, but . . . I was frazzled at the time, the “actor” was very good at giving me the sob story of losing his job if I didn’t help, and it was almost hypnotic once I was hooked. Fortunately I only lost the cost of shipping the package, but it could have been much more disastrous. This is a link to a video that shows how much of a BILLION DOLLAR BUSINESS this is and how some people are fighting it! Important to watch!
    https://youtu.be/x3LJZyih3Ac

  7. Patricia Ross

    Also, the blue bar at the top of the “Invoice Updated” ostensibly from PayPal is a solid blue line in the fake document. With an authentic PayPal document that has the blue bar across the top, there’s a scoop out of the line right in the middle under “P.” Also PayPal will always address you by your name, not “Hello PayPal user.”

  8. TODD D LAIRD

    I received a text from scammers claiming to be Amazon, and if I didn’t call them my account would be billed $1100 for a digital camera. So I called them knowing full well they were bozos and lo and behold the “rep” who answered the call HAD AN INDIAN ACCENT. I put my phone on my work bench at my shop and took a 5lb hammer and hit the table next to the phone (I have tested this method with workmates and it’s ear splitting), and I then used a mouthful of extremely bigoted salad of choice words. Let’s be real here, I REMEMBER THE 70’S WHEN PLANES WERE HIJACKED A LOT AND 99% OF THOSE WERE ARABS AND SCAMMING CALL CENTERS ARE INDIAN,

    1. an_n

      This is idiotic if you’re going based on an accent.

      1. JEREMY

        I’m getting messages from PayPal and I did not create an account with them. Somebody else used my Gmail and created themselves a PayPal account, and they used a cellphone number similar to mine. I would like PayPal to stop sending me messages; I did not even create an account with them.

      2. Nathar

        When a Bayesian algorithm does it, its science.
        When a human does it, it’s idiotic.

  9. Dont B Stupid

    Don’t you think that PayPal should be responsible for this, especially if someone loses their money?
    It’s very convenient for PayPal to use this method to make money... ooo, we are really sorry for this but you lose all your money.

    1. Mahhn

      lol you are nuts. If some criminal sends a bill to someone and uses YOUR NAME as the billing company – should YOU be responsible to pay them back? Yeah, I didn’t think so.

      Use pay pal, amazon, crypto – you are taking risk, your choice. yes, I live in a cave and keep my money under my rock bed.

  10. JG

    Didn’t receive an email, yet, but I did receive a scammy text message about PayPal. The sad thing is that the spelling and grammar were so bad, it was blatantly obvious that it was a scam.

  11. J

    Quickbooks has three servers to send invoices that are used by these hackers to send massive quantities of these emails. I have provided them with very specific examples and even a phone call to the scammers in which they claim to be from PayPal. Quickbooks just does not understand the impact of the server flaw. I did not include the link here (figuring it would be blocked), but there is a months-long blog with all of the details; search for “invoices spam blacklisted”. Really frustrating!

  12. Orin

    Thanks very much for this update. I received 2 such emails, just like the one you show. When I clicked on the link it went to a page that said “invoice no longer available”. When I called the number in the message, I got a recorded message saying that the called party was not available. I thought I was savvy about these scams but this one nearly had me pulled in!

  13. Antonio c Michel

    Deluding me into believing that I’m going to get my money from them, and I never do. They tricked me into giving them the donations that I’ve acquired through helping other public places to do fundraisers, and they gave me, no joke, like $5 million dollars, which PayPal talked me into giving back to them as a payment so that I’m able to use their system, or just PayPal, to make payments in my business, and then they still locked me out and didn’t let me use it. So yeah, I totally agree, and I’ve been writing about them for a long time already because they’ve been holding my money for more than 3 years and I can’t seem to get it out.

  14. Carmilota Guinohon Mosarta

    I have a question. My fiance is sending 2000 dollars to my PayPal account, but suddenly he said, “Please buy $100 worth of iTunes cards to reflect the money in your account.”

    1. Helpful Clippy

      Hey, this request for gift cards is always a scam, that 2k is going to disappear. Don’t send anything, talk to your fiancee about it in person.

      1. No gifto cardolos

        The very INSTANT anyone ever mentions “GIFT CARDS” hang right on up.
        That’s the #1 tell in the game. No, Grandma does not need 1000 gift cards!
        No, your daughter is not injured in the hospital requesting GIFT CARDS!
        No!

    2. Ordinary Person

      This is a scam, I’m very very sorry to say. Talk to your family about it, or to friends of yours you know in real life. If your fiance is doing this, I’m sorry to ask but have you only talked to him online? He’s a scammer in that case, he only wants your money not your love. I’m truly sorry to say this.

  15. Brad

    I called and was told to go to join.zoho.com. I told them I would not. Then they hung up on me.

  16. Rob A

    I got two today but they were from a Gmail account. Nice try

  17. RandyB

    I received two of these “Invoice” notices. I ran them through PayPal’s automated spam check tool via the chatbot. It comes back from their OWN system as “Don’t worry, that e-mail is from us.” smh

  18. David Ramirez

    It’s worrying because if you are in a rush you can fall easily for this scam or even more people that are more vulnerable.

  19. anamaria

    I am constantly clearing my spam folder of these types of messages, maybe between 5-10 daily. My 72 year old mother is also constantly opening them on her account and panicking. I am starting to see them from other sites/services now, such as eBay, Norton, and most recently Geek Squad. I know my email has been sold/hacked, I just can’t bother to set up another.

    1. mealy

      If you can’t bother to set up another you are asking for it. Bother or be bothered.

    2. Ryan

      That is important to realize that our spam folder should be cleared as well. We never know if we have left our email logged in at home, or at work, and someone comes behind us and starts to access different parts of our emails. This can bring a virus or malware in to infect our PCs as well. All in all let us be kind and vigilant to notice this, spread the awareness, and protect what little privacy we still have. Along with the privacy protection we have to protect our finances from being stolen fraudulently. God is good

      1. huh?

        If you’re logged into your email and leave a public terminal, you’re saying people are going to go into your spam folder and click things? What? Explain.

  20. Daniel Way

    We should stop blaming victims and accusing them of being greedy; I wasn’t greedy and I’m pretty smart, but I still fell victim and was only saved by expertise on reversalpro c0m. I was fortunate, but there are many other victims out there who have been completely destroyed and are helpless.

  21. Ryan

    This type of phishing scam hit home because I actually received an email like this one and immediately knew it was a phishing scam. I clicked the link and saw multiple discrepancies in the body message. This scam can easily deceive individuals who are not privy to email phishing attacks and can deceive them into releasing potentially sensitive information. The vulnerability of this phishing scam was discovered because the scam was shared with PayPal’s anti-abuse and media relations teams. These scammers were able to pass all email checks and have this email sent to many PayPal users from an actual PayPal email address. Let’s take a moment to realize how much fraud is taking the world by storm digitally and realize that we need to be vigilant at all times while on our devices, and stay up-to-date the best we can with fraudulent activity. We can risk losing money, giving up our identity, our location, or even allowing a threat actor to access our network on a continuous basis. Along with staying aware of internet scams we should implement protection from proper software and hardware. This would be a secure investment considering most of our financial and communicative activity is done on the network now.

  22. Emily McKay

    I got one of these and when I logged on, it WAS in my PayPal account as a Pending payment to be paid today. The bogus phone number and the other text were right there under the pending $800 charge (4 iTunes gift cards). Fortunately the number was busy and didn’t look like a toll-free number, but there it was in my PayPal account online. Eventually got a PayPal help line human being by phone who said it would be removed but was unsuccessful in removing it while I waited. She indicated their tech staff was working on this current version of the fraud.

  23. Jon

    The most recent PayPal phishing scam is almost genius on the attacker’s part. The scammers created a convincing email with a detailed website, basic user information, and a clickable website that has PayPal as the actual URL. There are some problems with the email, including grammatical errors, a phone number not linked to PayPal, and different hours compared to PayPal’s actual customer service department. Regardless, the account within the email is a legit PayPal account. The tactic is to get the victim to download a program that allows remote access with unlimited control to the end device. With this kind of access, the meager $600 lie is nothing compared to stealing all saved data on the victim’s computer. One way that you can avoid this scam is to verify all information provided in the email. Clicking any of the items within the phishing email can create more problems. The task of searching the phone number on Google and checking directly with PayPal can help avoid any unwanted attacks. Additionally, continuous vigilance in an ever-changing world of attackers will be your best course of action. I expect phishing scams like this will continue to evolve and become almost perfect clones of the existing websites attackers claim to be.

  24. Yusney Contrera

    I have seen this kind of scam before. The invoices are not fake at all; they are real PayPal invoices created by malicious actors, who can mimic well-known websites to trick you, such as Amazon, Apple... The best way to spot a scam is to look for grammatical errors; sometimes they are not addressed by name, they request money, or they promise easy and lucrative rewards or a penalty.

  25. Yusney Contrera

    I have seen this kind of scam before. In fact this invoice is not technically fake, because it was created with a business PayPal account by a malicious actor. The best way to be safe from this kind of scam is to be very aware when we receive an email or message that has grammatical errors, is asking you to pay money, or guarantees you free money or a penalty if you do not pay. If you are not sure, close the app and contact support directly on the PayPal website.

  26. Carl de Prado

    In the enterprise space, we have written controls that prevent things like this from happening called WISPs. It has come to a point that individuals need the same types of protections to prevent such theft.

  27. Carl de Prado

    In the enterprise space, we have written controls that prevent things like this from happening called WISPs. It comes to a point that individuals need the same types of protections to prevent such theft.

  28. Timmy Open

    What a great article! This site is so jam-packed with valuable information that I can’t wait to delve in and use the tools you’ve provided. I have a similar piece that will undoubtedly be helpful. Click Here to check it out

Comments are closed.