Scammers are always looking for new ways to steal your personal data or money, and in recent months PayPal’s invoicing feature has been abused to create some convincing phishing messages. It is not a software exploit: the scammer uses the feature exactly as designed, and PayPal itself delivers the message.
How does the scam work?
PayPal allows sellers to create invoices, which are then sent to a customer’s PayPal account so the customer can pay for a product or service. However, PayPal does not appear to vet the content of those invoices before sending them, and scammers have been using them to trick people into sending money to accounts the scammers control, or into phoning a number the scammers run. It is unclear when this method became popular, but there are reports dating back to 2020 and earlier.
The scam involves sending an email to a PayPal user, telling them to pay something. The email I received identified the sender as “PayPal’s billing service”, with a message saying “$1000.00 has been charged to your account for the purchase of the gift card Walmart e-mail” and that I should contact a customer support phone number. Another version identified by Virginia Commonwealth University asked for $450 for “BITCOIN CRPTO”, with a different phone number listed.
The only features common to all the messages are the heading “Here’s your bill” or “Updated bill” and a button that says “View and pay bill”. Unfortunately, legitimate invoices from real companies look exactly the same, and for a simple reason: the scam invoice is a genuine PayPal invoice. It is generated by PayPal’s own system and sent from the same PayPal address as every other account notification, so it passes the sender checks that would catch a forged email and looks entirely legitimate. The only part the scammer wrote is the note inside the invoice, which is where the fake charge and the phone number live.
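Because the message really does come from PayPal, sender authentication is no help; the only thing that differs from a genuine invoice is the seller-written note. As an added example (not code from the original article), the following content-based check could run on a mail gateway over PayPal invoice notifications and flag the pattern described above: a claim that money has already been taken, a phone number, an instruction to call “support”, and gift-card or cryptocurrency wording. The sample messages are constructed for this example, the `service@paypal.com` sender and the `auth_pass` field are assumptions about what the gateway provides, and the phone numbers use the reserved 555-01xx range.

```python
import re
from dataclasses import dataclass


@dataclass
class InvoiceMail:
    sender: str      # From address as seen by the gateway
    subject: str
    body: str        # rendered text of the notification, including the seller's note
    auth_pass: bool  # SPF/DKIM/DMARC verdict from the gateway (assumed field)


# The notification itself must come from PayPal and use the invoice heading;
# anything else is a different class of mail and is out of scope here.
PAYPAL_SENDER_RE = re.compile(r"@(?:[a-z0-9-]+\.)*paypal\.com$", re.I)
INVOICE_SUBJECT_RE = re.compile(r"^(?:here'?s your bill|updated bill)\b", re.I)

# Signals that live only in the seller-written note.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CHARGE_CLAIM_RE = re.compile(r"\b(?:has been|was|were)\s+(?:charged|debited|deducted)\b", re.I)
CALL_SUPPORT_RE = re.compile(
    r"\b(?:call|contact|phone|dial)\b[^.\n]{0,60}?\b(?:support|helpline|help ?desk|customer)\b", re.I)
HIGH_RISK_GOODS_RE = re.compile(r"\b(?:gift ?cards?|bitcoin|crypto|btc)\b", re.I)

# A phone number or a "you have been charged" claim each count double: an
# invoice is only a request to pay, so a charge claim is false on its face.
SIGNALS = [
    (PHONE_RE, 2, "phone number in invoice note"),
    (CHARGE_CLAIM_RE, 2, "claims money was already charged"),
    (CALL_SUPPORT_RE, 1, "asks recipient to call 'support'"),
    (HIGH_RISK_GOODS_RE, 1, "gift card / cryptocurrency purchase"),
]
THRESHOLD = 3


def score_invoice(mail: InvoiceMail) -> tuple[int, list[str]]:
    """Score a PayPal invoice notification for the fake-charge pattern.

    mail.auth_pass is deliberately ignored: the scam invoice is sent by
    PayPal and passes the same checks as a real one, so only the note
    content can tell them apart.
    """
    if not (PAYPAL_SENDER_RE.search(mail.sender) and INVOICE_SUBJECT_RE.search(mail.subject)):
        return 0, ["not a PayPal invoice notification; out of scope"]
    score, reasons = 0, []
    for pattern, weight, reason in SIGNALS:
        if pattern.search(mail.body):
            score += weight
            reasons.append(reason)
    return score, reasons


def is_suspicious(mail: InvoiceMail) -> bool:
    return score_invoice(mail)[0] >= THRESHOLD


# Constructed samples (not real emails). Both scam samples would pass mail
# authentication, exactly like the legitimate ones.
SCAM_GIFT_CARD = InvoiceMail(
    "service@paypal.com", "Here's your bill from PayPal's billing service",
    "$1000.00 has been charged to your account for the purchase of the gift card Walmart e-mail. "
    "If you did not authorize this, contact customer support at +1 (800) 555-0199.", True)
SCAM_BITCOIN = InvoiceMail(
    "service@paypal.com", "Updated bill",
    "$450.00 was charged for BITCOIN purchase. Call our helpline 1-800-555-0148 to cancel.", True)
LEGIT_INVOICE = InvoiceMail(
    "service@paypal.com", "Here's your bill from Acme Web Design",
    "Acme Web Design sent you an invoice for $450.00 for website redesign, due 1 Oct. "
    "Thanks for your business.", True)
# Real businesses do print a phone number; on its own that stays below the threshold.
LEGIT_WITH_PHONE = InvoiceMail(
    "service@paypal.com", "Here's your bill from Acme Web Design",
    "Invoice #1042 for website redesign, $450.00. Questions? Call us at (415) 555-0123.", True)
NOT_PAYPAL = InvoiceMail(
    "billing@example.net", "Here's your bill",
    "$1000.00 has been charged. Call support at 1-800-555-0100.", False)

if __name__ == "__main__":
    for name, mail in [("scam gift card", SCAM_GIFT_CARD), ("scam bitcoin", SCAM_BITCOIN),
                       ("legit", LEGIT_INVOICE), ("legit with phone", LEGIT_WITH_PHONE),
                       ("not paypal", NOT_PAYPAL)]:
        score, reasons = score_invoice(mail)
        print(f"{name:17s} score={score} suspicious={is_suspicious(mail)} {reasons}")
```

The threshold is set so that a phone number alone does not trip the rule, since legitimate sellers include one, while a phone number combined with a "has been charged" claim or a "call support" instruction does. Tune the weights against your own traffic before enforcing anything stronger than a warning banner.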
How to avoid the scam
The easiest way to avoid this specific attack is to never pay an invoice for a product or service you did not buy. An invoice is only a request for payment: whatever the note claims, nothing has been taken from your account until you pay it. Invoices are different from purchase notifications, though. If PayPal sent you a confirmation email for a purchase you did not make, someone may have taken over your PayPal account, and you should contact PayPal customer service immediately.
Generally speaking, if you receive an email or message about PayPal payments, go to paypal.com (or the iPhone and Android apps) directly instead of clicking the links in the message, and if you want to call PayPal, use a number from its website rather than one printed in the invoice. The Activity page of your PayPal profile shows any recent payments or requests, and you can review outstanding invoices from the Activity page by choosing Status > Invoices to pay.
Hopefully PayPal will crack down on invoice abuse so that it stops being common. PayPal isn’t alone, either: the popular money transfer service Zelle is also a frequent target for scammers.