Criminals are always trying to get their hands on your hard-earned cash, and their latest trick is simple: Submit a legitimate invoice through PayPal for a high-value item you didn’t purchase. So how does this scam work? How do scammers do this using a real PayPal invoice?
PayPal billing attracts scammers to your inbox
Traditionally, scammers and spammers have been relatively easy to spot. If they’re not flagged by your email provider’s spam filters, there are details that reveal them, if you know what to look for.
Emails are often spoofed, meaning the address in the “From” field is not genuine, or they come from look-alike domains. The language tends to be strange, and they promise you love, riches beyond your wildest dreams, or the chance to help a temporarily impoverished former head of state. In almost all cases, they contain links which, if clicked, will install malware on your computer or attempt to trick you into disclosing your bank account details. They’re fakes, and that’s easy to tell.
PayPal invoices are different. PayPal is a trusted organization, without which e-commerce would be paralyzed. Emails from PayPal will always arrive in your mailbox, regardless of your provider. There is no impersonation and no questionable links. It’s legit, and therefore, it’s hard to tell it’s a scam.
And anyone can create an invoice using PayPal. This is exactly what cybercriminals do.
Scammers can charge you via PayPal
After clearing your spam filters and with no clear evidence that the invoice is a scam, you may end up with something like this in your inbox.
You will verify that the outgoing links are genuine and, reassured, click on one of them to view the genuine PayPal invoice on the genuine PayPal website. There you can pay or cancel the invoice.
This invoice is for Bitcoin and claims to be from “Bitcoin Exchange”, but we have seen other fake invoices for gift cards and for charges made by PayPal itself. For scammers, the options are endless and it is entirely possible that some people or companies will click the Pay button.
How do PayPal invoices work?
If you regularly use PayPal on your PC, you may not even need to log into your PayPal account. Just click the big blue button and the required amount magically disappears from your PayPal balance, never to be seen again.
PayPal also helpfully provides a QR code for invoices. Not only can you be billed by email on the go, but you can also open the bill directly on your smartphone. Just point your camera at the blue square! Small text on a 5-inch screen makes it even more likely you’ll tap the button. As PayPal’s slogan makes clear, it’s simple: “Scan. Pay. Go.”
At this level, the scam is simple: get people to click on a button, and receive a large sum of money in return.
How do scammers use fake PayPal invoices?
Even if you don’t pay the bill, scammers have more tricks up their sleeve. The email also contains a message from the seller, which claims that payment has already been made, and includes the text: “Call us [sic] for any dispute regarding the Payment and issue a Refund to [phone number]”.
Ignoring the random capitalization for now, you may be worried enough to call the number, after which one of two things may happen.
Scammers may try to get more information about you, either through a fraudulent identity verification process or by asking for your bank details, ostensibly so they can issue a refund.
They may also try to persuade you to install a remote administration tool on your computer. You can probably guess who you are giving control to…
Since the e-mail and the invoice are genuinely from PayPal, it is possible that some people will be fooled. Don’t be one of them.
Don’t fall for the PayPal invoice scam
If there are no obvious clues that the bill is not genuine, do your research before paying the bill or calling the number.
The first thing you should ask yourself is whether you bought or tried to buy the item in question. If the answer is no, because spending $499.99 in crypto through your PayPal account isn’t something you would consider doing, it’s a scam.
You can also research the contact details contained in the email and invoice.
With our sample invoice, the email address of the supposed seller is [email protected]. The hosting domain is currently inactive, but a quick look at the Internet Archive Wayback Machine revealed that it was previously a WordPress site hosting random Chinese snippets and other tutorial snippets. In short, it does not inspire confidence that the seller is genuine.
Another clue is the phone number. Using a free search tool, we were able to verify that it was assigned the same day the email was sent, and we expect it to be reassigned shortly thereafter.
A simple Google search for a number may reveal that it is often used by scammers.
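The checks described above (did you actually buy the item, is the seller domain one you know, and does the seller note push you to call a number about a refund or dispute) can be turned into a small triage routine. The code below is an added example and is not part of the original article or of any PayPal tooling; the invoice records, the merchant list and the phone numbers are constructed samples, the function names are hypothetical, and the phone regex is a loose heuristic for North American formats rather than a complete number parser.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of the data a PayPal invoice notification carries:
# seller address, item, amount and the free-text seller note. Not a real invoice.
SAMPLE_INVOICE = {
    "seller_email": "billing@example-seller.invalid",
    "item": "Bitcoin",
    "amount_usd": 499.99,
    "seller_note": (
        "Call us for any dispute regarding the Payment and issue a Refund "
        "to +1 (555) 010-0199"
    ),
}

# Loose heuristic for phone numbers in North American formats, e.g.
# "+1 (555) 010-0199", "555-010-0199", "555.010.0199". Hypothetical helper.
PHONE_RE = re.compile(r"\+?\d{0,3}[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Words that, next to a phone number, mark the "call us about a refund" lure.
CALLBACK_WORDS = ("call", "dispute", "refund", "contact")


@dataclass
class Assessment:
    seller_domain: str
    phone_numbers: list = field(default_factory=list)
    flags: list = field(default_factory=list)

    @property
    def is_suspicious(self) -> bool:
        return bool(self.flags)


def extract_phone_numbers(text: str) -> list:
    """Return every phone-number-like token found in a seller note."""
    return [m.group(0).strip() for m in PHONE_RE.finditer(text)]


def seller_domain(email: str) -> str:
    """Domain part of the seller address, lower-cased; empty if malformed."""
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def assess_invoice(invoice: dict, known_merchant_domains: set,
                   expected_purchases: list) -> Assessment:
    """Apply the three manual checks from the article to one invoice record.

    known_merchant_domains: domains of sellers you have actually dealt with.
    expected_purchases: items you bought or tried to buy recently.
    """
    domain = seller_domain(invoice["seller_email"])
    result = Assessment(seller_domain=domain)

    # Check 1: is the seller someone you have actually dealt with?
    if domain not in {d.lower() for d in known_merchant_domains}:
        result.flags.append(f"unknown seller domain: {domain or '<none>'}")

    # Check 2: did you buy or try to buy this item?
    if invoice["item"].lower() not in {p.lower() for p in expected_purchases}:
        result.flags.append(
            f"no matching purchase for item '{invoice['item']}' "
            f"(${invoice['amount_usd']:.2f})"
        )

    # Check 3: does the seller note steer you to a phone number about a
    # refund or dispute? That is the callback lure, not a normal invoice note.
    note = invoice["seller_note"]
    result.phone_numbers = extract_phone_numbers(note)
    if result.phone_numbers and any(w in note.lower() for w in CALLBACK_WORDS):
        result.flags.append(
            "seller note asks you to call "
            + ", ".join(result.phone_numbers)
            + " about a refund or dispute"
        )
    return result


if __name__ == "__main__":
    verdict = assess_invoice(SAMPLE_INVOICE, {"trusted-store.example"},
                             ["headphones"])
    print("suspicious:", verdict.is_suspicious)
    for flag in verdict.flags:
        print(" -", flag)
```

The point of the third check is the combination: a phone number on its own is unremarkable, but a number paired with "call us", "dispute" or "refund" in an invoice you never asked for is the hook the article describes. Cross-checking the item and the seller domain against what you actually bought catches the case where the note is blank and the scam relies purely on the big blue button.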
How did PayPal scammers get my email address?
Maybe you advertise your email address on your Facebook, Twitter or a personal blog, and it was picked up from there.
It’s much more likely that your email address was leaked in a data breach. Businesses are constantly being hacked, with customer information being exfiltrated from their systems with alarming regularity. In the 2022 Samsung data breach, for example, criminals managed to steal customers’ names, contact details and demographic information, birthdates and product registration information, which may include gender, precise geolocation data, Samsung account profile ID, username and Suite.
According to haveibeenpwned, the person who provided us with the sample email had their email address compromised in at least 10 different data breaches.
PayPal allows businesses to send the same invoice to up to 1,000 recipients at a time by uploading a CSV file. It would be easy for would-be scammers to add a name (or username) to each invoice, but they haven’t, which suggests they don’t have the target’s name. The only known breach that revealed the recipient’s personal email address, but not their name or username, was the Patreon hack in 2015.
How to protect against fraudulent PayPal invoices
PayPal provides a simple, no-nonsense guide to email scams; however, the billing scam is not yet listed.
Here are our tips:
- Do not open invoices via links in an email, even if the links are genuine. You can check PayPal invoices simply by logging into the service in another tab or browser.
- Don’t pay an invoice unless you’re 100% sure what it is.
- Do not call, email or contact the “seller”.
- Keep your primary email address private.
- Use an email alias or email protection service to assign different email addresses to different companies.
- Regularly check haveibeenpwned to see if your personal data has been leaked. If an email address is compromised, disable it.
PayPal billing scams are irritating and dangerous
Opening an email to find a genuine PayPal invoice for something you didn’t buy is annoying at best and can cost you money at worst. Pay attention to your social media, email accounts, and internet security to deprive criminals of the details they need to target you effectively.