In most cases, it's pretty easy to recognize a phishing scam. Telltale signs include typos, bad grammar, unsolicited attachments, and spoofed email addresses and hyperlinks, to name just a few. So imagine my surprise when I received an email that exhibited none of those traits, at least not initially, in an attempt to swindle me out of $479 in PayPal funds. Here's how the clever scam works.
I received an email from PayPal with the subject line, "Billing Department updated your invoice" followed by an invoice number (which I'll refrain from sharing to avoid being targeted as an active recipient). This was repeated inside the email, along with an estimate amount of $479 and a link to "View Your Estimate" on my PayPal account. The supposed charge claimed it was made to Coinbase, which is notable given that PayPal dabbles in cryptocurrency.
My gut reaction was that this was a phishing email with a spoofed email header and hidden URL. But when I checked both, the email did in fact come from PayPal, and the URL linked to a real invoice on my actual PayPal account, and not a fraudulent website designed to trick me into coughing up my login credentials.
If you receive a PayPal invoice like this, ignore it.
My next thought was that my account had already been compromised, and I would have to go through the headache of changing my password and attempting to reverse a fraudulent charge. And that's what gives this scam a clever twist. It passes the initial sniff test of a traditional phishing scam and uses PayPal's own billing mechanism against the user.
If you look at the seller note at the bottom, it instructs the potentially unknowing victim to call a help desk number to cancel the transaction. Therein lies the hook or trap—the phone number is not associated with PayPal. Knowing this, I decided to call the number anyway to find out how the scam works.
A woman answered simply as “PayPal,” and then urged me to approve the bogus invoice payment.
She was surprisingly open about the scam once pressed, most likely because it’s a war of attrition on their part and it didn’t make sense to keep the ruse going once the jig was up.
So that’s how it works in a nutshell. Savvy users are not likely to fall for this in its entirety, but like me, you can probably think of several people who would. Fortunately, PayPal attaches a warning to these types of invoices, as shown in the image above.
"Don't know this seller? You can safely ignore this estimate if you're not buying anything from this seller," the note reads. "PayPal won't ask you to call or send texts to phone numbers in an estimate. We don't ask for your credentials or auto-debit money from your account against any estimates. Contact us if you're still not sure."
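The hook described above (a phone number planted in the seller note) and PayPal's own rules (it never asks you to call a number printed in an estimate) can be turned into a simple triage check. The following is an added example of my own, not code from PayPal or from the original post; the `Estimate` fields, the phone-number pattern and the sample seller note are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Phone numbers in the common North American layouts a seller note might use:
# (555) 555-0199, 555-555-0199, 555.555.0199, +1 555 555 0199, 1-800-555-0199.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Wording that pushes the recipient to phone or text someone about the estimate.
# Word boundaries avoid false hits such as "locally" matching "call".
CUE_RE = re.compile(r"\b(call|dial|text|help ?desk)\b", re.IGNORECASE)


@dataclass
class Estimate:
    sender_domain: str   # domain the message really came from, after header checks
    seller_known: bool   # does the recipient actually do business with this seller?
    amount: float
    seller_note: str


def assess_estimate(est: Estimate) -> Tuple[str, List[str]]:
    """Return ('ignore' | 'review', reasons).

    'ignore' means: do not accept, do not call the number, do nothing.
    A genuine paypal.com origin is deliberately NOT treated as a safety
    signal, because the scam rides on PayPal's real invoicing feature.
    """
    reasons: List[str] = []
    phones = PHONE_RE.findall(est.seller_note)
    if phones:
        reasons.append(f"phone number(s) in seller note: {phones}")
    if CUE_RE.search(est.seller_note):
        reasons.append("seller note urges the recipient to call or text someone")
    if not est.seller_known:
        reasons.append("estimate from a seller you are not buying anything from")
    if reasons and est.sender_domain.lower().endswith("paypal.com"):
        reasons.append("genuine PayPal origin does not make the estimate legitimate")
    verdict = "ignore" if (phones or not est.seller_known) else "review"
    return verdict, reasons


if __name__ == "__main__":
    # Constructed seller note in the style of the scam; the number is fictitious.
    note = ("Your estimate has been updated. To cancel this transaction, "
            "call our help desk at (555) 555-0199 within 24 hours.")
    print(assess_estimate(Estimate("service.paypal.com", False, 479.00, note)))
```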
Ignoring an invoice, real or fraudulent, goes against my mental reflexes, but in this case it's the proper thing to do. Don't click the "Accept the Estimate" button and don't call the number.