Security Tip – PayPal Request Scam

There has been an increase in the number of scam emails originating from PayPal. In these instances, the target victim receives an email about a transaction that requires payment. The transaction usually lists some expensive item or items and is meant to invoke a sense of panic due to the transaction amount. The details of this request include a phone number that the customer should call if the transaction is suspicious.

The catch is that the scammer includes a phone number to call to cancel the transaction. If the victim were to call to check on the transaction or attempt to cancel it, they would instead be contacting the scammer. The scammer then tries to exploit the victim in various ways, usually by collecting information or getting access to the victim's machine. The unique component of these scams is that the emails are delivered by a legitimate PayPal email address and server as part of a payment request or invoice. These may initially pass some email filters and the typical user due diligence such as checking the "From" address. Outlook and Hotmail actually mark the mail as originating from a Trusted sender, adding further legitimacy to the email. This isn't an error on Microsoft's end, the email is legitimately originating from PayPal, but this results in a false sense of security for the victim, which is why this scam has been effective. An example email is shown below:

Payment request email received and "trusted" by Microsoft

Scam Breakdown

Let’s look at how this works and what to look out for. I’ll use my PayPal accounts and email addresses to demonstrate how this scam is being performed. I’m using details from a legitimate scam email that I recently received as the premise for this demonstration.

A scammer needs a PayPal username or an email address associated with a PayPal account. From there, they can create an invoice showing the items purchased and other details about the “transaction.” The invoice creation screen contains a “Message to customer” textbox where the scammer can enter the alert message stating that the customer should call the number provided if the transaction is invalid. All of the details for the invoice, including the business name, can be easily spoofed by the scammer. See the example invoice below, where an invoice is being created by “Apple Inc.” for an iPhone 14. The “Message to customer” field contains the note displayed when the email is delivered and includes the phone number to call if there are questions or concerns.

Using PayPal to craft a fake invoice

What To Do?

There aren’t any specific actions that are required to be taken in these instances. The payment request is just that, a request. The scammer cannot force the transaction payment, and you don’t have to cancel anything. In fact, PayPal includes a blurb after the seller’s message stating as much, though it comes after all of the concerning information, so it is easily overlooked.

PayPal alert about ignoring unknown sellers

So if you’ve received an email like this, or know anyone that has, let them know they can safely delete the email without having to take any additional actions. Stay diligent!

#cybersecurity #infosec #scamaware #scams