Beware of this very convincing PayPal phishing scam

midian182

Posts: 8,325   +103
Staff member
In brief: Scammers know the best way to get people to fall for a phishing email is to make it convincing and suggest a lack of response will result in financial penalties. A new campaign that uses fake PayPal invoices meets both of those requirements, and it's proving successful.

Krebs on Security reports that the phishing emails claim to be an invoice from PayPal's billing department asking for $600. Most people these days know to check the senders' email address in suspicious messages to see if they look fake, but this one originates from PayPal.com. The email even includes a link at Paypal.com that displays the invoice.

Moreover, the message headers show it passed email validation checks as originating from PayPal, and it was sent through an internet address assigned to the payment company. Not only does this make it an extremely convincing phishing scam, but it should also guarantee the message is delivered and doesn't end up in recipients' spam folders.

The included message might not be worded as professionally as what you'd expect from a major company like PayPal. Nevertheless, it lacks the spelling or grammatical errors that can expose emails as scams.

"There is evidence that your PayPal account has been accessed unlawfully," it reads. "$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number."

Calling the phone number is where the scam begins in earnest. Victims are greeted by a so-called "customer service" rep who doesn't identify any company. They explain that the only way to address the issue and avoid paying the money is to visit a specific website and download a remote administration tool. Anyone who does download this software will soon find they've lost a lot more than $600.

Krebs writes that the invoices appear to have come from a compromised or fraudulent PayPal Business account that allows users to send invoices. The emails' convincing setup means many have already fallen for the scam; there are claims in the comments of people being robbed of over $1,000. The best solution to emails like this one, of course, is to log into the service directly to check for any suspicious activity.

With much of the online world now more tech-savvy than ever before, criminals know their scams need to be much more convincing than pretending to be a Nigerian prince. A recent one in the UK involved random victims receiving fake Microsoft Office USB sticks in realistic MS packaging.

Permalink to story.

 

kiwigraeme

Posts: 1,312   +961
"the only way to address the issue and avoid paying the money is to visit a specific website and download a remote administration tool."

Sorry but in what way is that convincing? A fool is easily parted with their money.

I still have a land line - I do various things when called by someone on the sub continent - one time I said straight away shall I install team viewer - they said yes please . Normally I speak softly then blow by refs whistle ( kids teams when I did it ).
Should just do the old person ruse - pretend deafness - must find my hearing aid = just lay phone down and forget it . If the phone back just fake old timers ( alzheimer's )
 

Theinsanegamer

Posts: 3,774   +6,605
"the only way to address the issue and avoid paying the money is to visit a specific website and download a remote administration tool."

Sorry but in what way is that convincing? A fool is easily parted with their money.
People who are not tech savvy still run on the principal of "computers are magic". They just see they have a major bill that was dont "in error" and paypal sends them a link to fix it.
 

Neatfeatguy

Posts: 1,024   +1,885
"The included message might not be worded as professionally as what you'd expect from a major company like PayPal. Nevertheless, it lacks the spelling or grammatical errors that can expose emails as scams."

No, it has an error that stands out immediately to me, but it may be something most people don't notice. Where it shows the amount of $600 it has it written as "$600. 00" as well as the extra space between the "a. m." and "p. m."....plus, you don't need to use AM or PM when you're putting time in as military.

People are dumb as hell, it seems.
 

wiyosaya

Posts: 8,270   +7,636
I would NEVER use the phone number provided in an email. I'd log into PayPal and contact them through that. PayPal has NEVER contacted me through emails like that and I'd be suspicious immediately.
Agreed. Paypal users should realize that Paypal would take care of this based on their policy, and why the hell are they contacting you saying there is evidence your account was accessed unlawfully?. I would suspect that they would say "evidence of fraudulent activity".

"The included message might not be worded as professionally as what you'd expect from a major company like PayPal. Nevertheless, it lacks the spelling or grammatical errors that can expose emails as scams."

No, it has an error that stands out immediately to me, but it may be something most people don't notice. Where it shows the amount of $600 it has it written as "$600. 00" as well as the extra space between the "a. m." and "p. m."....plus, you don't need to use AM or PM when you're putting time in as military.

People are dumb as hell, it seems.
There is also an English error in this that comes to my attention immediately - and it is "for the Walmart eGift card". Proper English would be "for A Walmart eGift Card". The e-mail does have some errors which would get my warning bells going.

People should not panic when they see e-mails like this and react calmly. IMO, phishers know that getting people into panic mode is a sure way for their phishing attempt to succeed. IMO, panic is the modus operandi behind attempts like this.
 

Arbie

Posts: 431   +753
Everyone should be following "Krebs On Security" who continually exposes things like this. That said, it's good to see this one here too since it's a convincing threat.
 

wiyosaya

Posts: 8,270   +7,636
Everyone should be following "Krebs On Security" who continually exposes things like this. That said, it's good to see this one here too since it's a convincing threat.
Moral of the story: Be suspicious of any e-mail like this.
 

PEnnn

Posts: 955   +1,247
"The included message might not be worded as professionally as what you'd expect from a major company like PayPal. Nevertheless, it lacks the spelling or grammatical errors that can expose emails as scams."

No, it has an error that stands out immediately to me, but it may be something most people don't notice. Where it shows the amount of $600 it has it written as "$600. 00" as well as the extra space between the "a. m." and "p. m."....plus, you don't need to use AM or PM when you're putting time in as military.

People are dumb as hell, it seems.

Indeed, but the sad thing is: The internet has shown us the last few years how many people can't even tell the difference between "too / to", "your /you're", "their / there"....etc...it's truly tragic, and could be costly!!
 

Mr Majestyk

Posts: 1,455   +1,360
Or you could actually log into your account (not via any link in the e-mail) and verify this. If you have a paypal account you should have a modicum of internet skills. Always these things independently and if in doubt, contact paypal via the real website details.

Banks never ever ask for these things via email BTW.
 

acoustis

Posts: 19   +21
Agreed. Paypal users should realize that Paypal would take care of this based on their policy, and why the hell are they contacting you saying there is evidence your account was accessed unlawfully?. I would suspect that they would say "evidence of fraudulent activity".


There is also an English error in this that comes to my attention immediately - and it is "for the Walmart eGift card". Proper English would be "for A Walmart eGift Card". The e-mail does have some errors which would get my warning bells going.

People should not panic when they see e-mails like this and react calmly. IMO, phishers know that getting people into panic mode is a sure way for their phishing attempt to succeed. IMO, panic is the modus operandi behind attempts like this.
Well it's obvious (or not) to anyone who's natively speaking English. I didn't notice those details until you both pointed them out, since English is not my primary language (did I even use the term primary right?).

It is good to read these articles though to remind us not to be too quick to respond. Greed is a powerful motivator.
 

Gezzer

Posts: 303   +152
I still have a land line - I do various things when called by someone on the sub continent - one time I said straight away shall I install team viewer - they said yes please . Normally I speak softly then blow by refs whistle ( kids teams when I did it ).
Should just do the old person ruse - pretend deafness - must find my hearing aid = just lay phone down and forget it . If the phone back just fake old timers ( alzheimer's )

But guess what? I just found out the hard way that PayPal no longer accepts landline numbers and won't let you access your account unless you provide a mobile one. Hour later support says it's fixed so I can now access it, but what happens next time? Bad policy IMHO, not everyone has or is willing to use their cell phone for that purpose... like me.
 

Avro Arrow

Posts: 3,096   +3,989
TechSpot Elite
People should not panic when they see e-mails like this and react calmly. IMO, phishers know that getting people into panic mode is a sure way for their phishing attempt to succeed. IMO, panic is the modus operandi behind attempts like this.
When people don't have the brain-power to properly process something like this, an emotional response is what they have. People fear what they don't understand and fear leads to panic.
 

kiwigraeme

Posts: 1,312   +961
But guess what? I just found out the hard way that PayPal no longer accepts landline numbers and won't let you access your account unless you provide a mobile one. Hour later support says it's fixed so I can now access it, but what happens next time? Bad policy IMHO, not everyone has or is willing to use their cell phone for that purpose... like me.
Lots of companies make it very hard to negotiate with them , information is hidden layers deep. You have to do other steps first .
When you find a direct phone you some magic art - you save it to file .
Even claiming some bonus cash back with some companies is made hard - with warnings if not filled in correctly it will not be looked at
 

woofer

Posts: 70   +14
Or you could actually log into your account (not via any link in the e-mail) and verify this. If you have a paypal account you should have a modicum of internet skills. Always these things independently and if in doubt, contact paypal via the real website details.

Banks never ever ask for these things via email BTW.
AFAIK, PayPal is not a bank. That's how they have gotten away with some of their sketchier actions.
 

captaincranky

Posts: 19,166   +8,313
I forward all suspicious pay pal emails to pay pal and pay pal reply's thanking me! spoof@paypal.com
Well, it's a good thing you can spot fake emails, because you'd be somewhat inept at writing one. I know it's impolite to be a "grammar Nazi", but since spotting misspellings are part of the topic, I'll proceed.

I know of no example or reason in English where "reply", would be used as a possessive or a contraction. (Which is not to say there aren't any). However in this case, Pay Pal "replies" is correct.. You could get away with Pay Pal as the possessor. Sic: "Pay Pal's replies to my notifications were to say "thank you".
 
Last edited:

captaincranky

Posts: 19,166   +8,313
Indeed, but the sad thing is: The internet has shown us the last few years how many people can't even tell the difference between "too / to", "your /you're", "their / there"....etc...it's truly tragic, and could be costly!!
Rap music and texting are the final two (or is that "to", or, "too? :rolleyes: ), nails in traditional English's coffin. What thinkest thou?

Besides, we have emojis now. Why, you could write a novel with them now, just like the Neanderthals did on their cave walls.
 
Last edited:
"The included message might not be worded as professionally as what you'd expect from a major company like PayPal. Nevertheless, it lacks the spelling or grammatical errors that can expose emails as scams."

No, it has an error that stands out immediately to me, but it may be something most people don't notice. Where it shows the amount of $600 it has it written as "$600. 00" as well as the extra space between the "a. m." and "p. m."....plus, you don't need to use AM or PM when you're putting time in as military.

People are dumb as hell, it seems.

The most obvious tell is that the e-mail begins, "Dear PayPal User". PayPal always uses your first and last name in the salutation.
 
Never ever have I fallen to any online scam or phishing.
Just use your best judgement, and stop clicking on every random crap.
To avoid it getting scammed, type the company's website manually into the URL windows, and go from there.