Criminals Exploit PayPal to Execute ‘Convincing’ Invoice Scam


Scammers are taking advantage of PayPal’s invoicing system to carry out elaborate and “convincing” phishing attacks. On Monday, a Twitter user, identified as Oxdf, detailed one such attack where he received a fraudulent invoice from PayPal, asking him to either approve or dispute a bill of $1000 for two Walmart Gift Cards.

The email said the amount would be deducted from his account automatically in 24 hours if he did not call a toll-free number or visit the PayPal Support Center for assistance. “I knew right away that I didn’t have a PayPal account for this email, so I was sure it was fake,” Oxdf noted.

Although PayPal invoice scams have been around for some years, they have become increasingly popular in recent months.

In July, cloud email security solutions provider, Avanan, wrote about this scam, highlighting an instance where cybercriminals posed as Norton to dupe unsuspecting victims.

“Hackers are using a combination of social engineering and legitimate domains to extract money and credentials from end-users,” Avanan researchers explained.

Avanan said they informed PayPal about the attack on July 19. It is unclear if the company has taken steps to stop scammers from exploiting its invoicing system.

‘Convincing’ Phishing Email

The phishing email Oxdf received seemed legitimate. It was sent from [email protected]—the address PayPal uses to send updates to users. What’s unique about this attack is that the scammer successfully registered an account under the name “Billing Department of PayPal,” lending credence to the invoice.

The email also contained a link to pay the invoice, which takes the victim to a legitimate PayPal webpage.

“This is a real paypal site. It just happens to be an invoice from someone to me, asking for $1000,” Oxdf wrote.

While the email Oxdf received appeared to have been addressed to him by PayPal, in other instances, scammers have posed as other reputable organizations, like GoDaddy and the World Health Organization (WHO), to deceive victims.

According to Avanan, this scam works because it is a “double spear” attack. The attack succeeds whether the victims pay the invoice or call the toll-free number.

It is unclear what happens when victims call the toll-free number. However, according to the Virginia Commonwealth University’s Phishing Net page, which contains a list of phishing scams and other malicious schemes, scammers will try to convince victims to install remote access software on their devices.

PayPal Is the Most Impersonated Financial Service Company

PayPal is one of the biggest payment platforms in the world, with about 325 million active accounts. This makes it a top target for cybercriminals.

According to the Kaspersky financial cyber threats report of 2021, PayPal is the most impersonated financial services company in the world. It accounted for 37.8% of all financial phishing attacks tracked by the cybersecurity company last year.

Cybercriminals are devising elaborate ways to appear more convincing and dupe victims. In July, researchers uncovered a malicious campaign where attackers use a fake PayPal login page to trick victims into providing sensitive information like credit card details, government IDs, social security numbers, and more.

Report Suspicious Emails to PayPal

PayPal is aware that cybercriminals are impersonating the company to steal information and funds from its users. It has a dedicated email address—[email protected]—where users can forward suspicious emails. PayPal’s security experts check and determine if the email is fake, and take action to shut down the source.

PayPal urges customers to report suspicious emails to protect themselves and other users. When reporting, it is important to forward the phishing email to PayPal, and not simply copy and paste the text. Doing the latter could cause valuable tracking information to be lost.
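The two practical points in this story are that the scam email passes every sender check (it really is sent by PayPal's invoicing system) and that a useful report has to carry the message headers, which a copy-and-paste of the body throws away. The script below is an added example written for this article; it is not code from PayPal, Avanan or Oxdf. It parses a constructed sample message modelled on the invoice described above (addresses, domains, the phone number and the Message-ID are placeholders), lists the headers a forwarded report preserves, and flags the content indicators the article names: a merchant display name that impersonates the platform, a toll-free number in the invoice note, a deadline threatening an automatic charge, and gift cards as the line item.

```python
"""Triage helper for platform-invoice phishing (added example, constructed data)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the invoice described in the article.
# All addresses, domains, the phone number and the Message-ID are placeholders.
SAMPLE_EML = """\
Return-Path: <bounce@paypal.example.invalid>
Received: from mx.paypal.example.invalid (mx.paypal.example.invalid [192.0.2.10])
 by inbox.example.invalid with ESMTPS id abc123; Mon, 22 Aug 2022 09:00:00 +0000
Authentication-Results: inbox.example.invalid; spf=pass smtp.mailfrom=paypal.example.invalid; dkim=pass header.d=paypal.example.invalid
Message-ID: <constructed-0001@paypal.example.invalid>
Date: Mon, 22 Aug 2022 09:00:00 +0000
From: "Billing Department of PayPal" <service@paypal.example.invalid>
To: victim@example.invalid
Subject: Invoice from Billing Department of PayPal
Content-Type: text/plain; charset="utf-8"

You have received an invoice for $1000.00 (2 x Walmart Gift Card).
The amount will be deducted from your account automatically in 24 hours.
To dispute this charge, call our toll-free number 1-800-555-0199.
"""

# Headers that carry the routing and authentication trail. They survive when the
# message is forwarded (or attached), and are lost when only the visible text is pasted.
TRACKING_HEADERS = ("Return-Path", "Received", "Authentication-Results",
                    "DKIM-Signature", "Message-ID", "Date")

# North American toll-free prefixes, optionally preceded by a country code 1.
PHONE_RE = re.compile(
    r"\b(?:1[\s.-]?)?8(?:00|33|44|55|66|77|88)[\s.-]?\d{3}[\s.-]?\d{4}\b")
URGENCY_RE = re.compile(r"\b(?:within|in)\s+\d+\s+hours?\b|\bautomatically\b", re.I)
GIFT_CARD_RE = re.compile(r"\bgift\s*cards?\b", re.I)


def parse(raw):
    """Parse raw RFC 5322 text into an EmailMessage."""
    return message_from_string(raw, policy=policy.default)


def tracking_headers(msg):
    """Return the (name, value) pairs a copy-and-paste report would drop."""
    return [(name, str(value)) for name, value in msg.items() if name in TRACKING_HEADERS]


def auth_results(msg):
    """Pull the spf/dkim verdicts out of the Authentication-Results header."""
    hdr = str(msg.get("Authentication-Results", ""))
    verdicts = {}
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", hdr)
        verdicts[mech] = m.group(1).lower() if m else "none"
    return verdicts


def body_text(msg):
    """Return the plain-text body (falling back to HTML) as a string."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part else ""


def scam_indicators(msg):
    """Content checks that catch an invoice the platform itself legitimately delivered."""
    indicators = []
    display_name, _addr = parseaddr(str(msg.get("From", "")))
    # A merchant account named after the platform is the article's key signal.
    if "paypal" in display_name.lower():
        indicators.append(f"merchant display name impersonates the platform: {display_name!r}")
    text = body_text(msg)
    if PHONE_RE.search(text):
        indicators.append("invoice note asks the recipient to call a toll-free number")
    if URGENCY_RE.search(text):
        indicators.append("invoice note threatens an automatic charge on a deadline")
    if GIFT_CARD_RE.search(text):
        indicators.append("invoice line item is gift cards")
    return indicators


def triage(raw):
    """Combine authentication state, content indicators and preserved headers."""
    msg = parse(raw)
    auth = auth_results(msg)
    indicators = scam_indicators(msg)
    return {
        "authenticated": auth["spf"] == "pass" and auth["dkim"] == "pass",
        "auth": auth,
        "indicators": indicators,
        "tracking": tracking_headers(msg),
        "verdict": "likely invoice scam" if len(indicators) >= 2 else "no strong indicators",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EML)
    print("SPF/DKIM pass:", result["authenticated"])
    for line in result["indicators"]:
        print(" -", line)
    print("Verdict:", result["verdict"])
    print("Headers a forwarded report keeps:", [name for name, _ in result["tracking"]])
```

The point the output makes is that `authenticated` is true and the verdict is still "likely invoice scam": SPF and DKIM only confirm that PayPal's system sent the message, not that the merchant behind the invoice is honest, so the decision has to rest on the content of the invoice note. The `tracking` list is what a report forwarded to PayPal carries and a pasted body does not.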

If you found this story interesting, we recommend checking out our article on the top PayPal scams in 2022. It contains useful information about the schemes cybercriminals employ to swindle victims, and how you can protect yourself.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.