New Paypal phishing scam?

[WorriedNoodle]

Normally I find spam emails easy to spot as they come from unrecognized email accounts. But today I got the following email from Paypal directly. This for an account I haven't used for a few years and isn't linked to any cards or banks - maybe dodged a bullet there?

 

The odd thing about it was it came from a Paypal address ([email protected]), but didn't know my name, just called me Paypal User whereas normally my name is displayed? If I clicked on View and Pay Invoice (something I maybe shouldn't have) it took me to my real Paypal account page. At first the invoice showed a 600$ gift voucher purchase for a Yahoo email address similar to my name but not me, but subsequent View and Pay Invoice clicks a few hours later simply show a message that says Invoice does not exist.

 

Maybe Paypal fixed it themselves I don't know? My Paypal page shows no transactions so I don't see any point in calling them about it.

 

Anyone else?

 

 

 

 

[Jerno]

Yes it's a phishing scam.  Click the link and auto download a virus or worse.

[Sparktrader]

Pp scams old news

 

 

[mvdf]

Disturbing and unnerving that the sender's email address matches the real one. How the fraudster managed to spoof it is mind-boggling. 

[Ohyesuare]

10 minutes ago, mvdf said:

Disturbing and unnerving that the sender's email address matches the real one. How the fraudster managed to spoof it is mind-boggling. 

If you hover your cursor over the email address, it usually shows the actual email which is usually a bunch of gibberish numbers and letters. PayPal will ALWAYS address you by your name and NEVER by PayPal User and OP should not have clicked on anything in the email and instead opened a new window and went directly to the account. If you Google the phone number, you can see results saying that it's a number associated with PayPal scams.

 

OP should definitely change their password as even with no bank or cards attached, you still don't want a a scammer having an account in your name.

Edited June 8, 2022 by Ohyesuare

[spidermike007]

There is a whole subculture out there, who absolutely refuses to work for a living, and they live the lifestyle of a vampire, sucking on the blood of society. One needs to exercise great care, these days. I do as you did here, and always look at the return address first. Then, I typically just log into my account directly, rarely ever using a link, unless I know who it is from, or why it is there. Links can be very dangerous. 

Edited June 8, 2022 by spidermike007

[bbko]

Never click on unknown email links.  Exit the email and go to whatever official site directly.  It's very easy for scammers to make a fake website that looks real but in fact it's their way to get important info out of you.

[lopburi3]

1.  On second check of PayPal you typed in the address so got the real PayPal site?

2.  On first check, from email link, you did not click any links on that page (to question the invoice - which would likely have started a scam dialog)?

3.  For sure a scam not knowing and using your name.

4.  It may have been one of the scammers from India active now - they claim to be employed by whatever firm and help to refund charge by payback to your bank account (while they have access to your computer) and overpay (false screen) and beg you to save their job as you must have typed amount wrong and then send you out to buy gift cards or if your bank indicates large balance maybe have you transfer direct (the 30,000 they inadvertently sent you in fake balance screen - but letting you keep a bit for all your trouble).

[WorriedNoodle]

2 hours ago, Ohyesuare said:

If you hover your cursor over the email address, it usually shows the actual email which is usually a bunch of gibberish numbers and letters.

Indeed thats what I normally do. But this came from Paypal themselves!

 

[lopburi3]

10 minutes ago, WorriedNoodle said:

Indeed thats what I normally do. But this came from Paypal themselves!

 

Do your old PayPal message from lines look like that?  Mine looks like this:

PayPal <[email protected]>

[CharlieH]

Title adjusted to reflect phishing concerning PayPal not a scam by PayPal.

[BangkokReady]

3 hours ago, spidermike007 said:

Then, I typically just log into my account directly, rarely ever using a link, unless I know who it is from, or why it is there. Links can be very dangerous. 

This is the golden rule with online.  Don't follow a link, open a new browser window and log in the way you normally do, going to the site directly

[mvdf]

Always use 2FA (2 factor authentication). I use a Yubikey for my email, crypto, password manager and financial accounts.

[mrfill]

3 hours ago, spidermike007 said:

There is a whole subculture out there, who absolutely refuses to work for a living, and they live the lifestyle of a vampire, sucking on the blood of society. One needs to exercise great care, these days. I do as you did here, and always look at the return address first. Then, I typically just log into my account directly, rarely ever using a link, unless I know who it is from, or why it is there. Links can be very dangerous. 

In the UK we call these people 'the government'

[WorriedNoodle]

4 hours ago, lopburi3 said:

Do your old PayPal message from lines look like that?  Mine looks like this:

PayPal <[email protected]>

I seem to have a mix of either [email protected] or [email protected] in my inbox dating back 12 years.

[fdsa]

Search for an option like "show full headers" or "technical details" in email menu and post these here.

 

It looks like you use Gmail, if so then this option is called "Show original". The original message with all headers will open in a new browser tab, copy the headers starting from the top line (usually gmail headers begins with "Delivered-To:") to the beginning of the actual message (usually gmail headers end with "Content-Type: text/html" or "Content-Type: multipart").

 

make sure to remove your private data.

Edited June 8, 2022 by fdsa

[WorriedNoodle]

18 hours ago, fdsa said:

make sure to remove your private data.

Thanks, it's rather long full header and I don't really have time to see/understand what is private data within in, so reluctant to post the entire header. But it does say something like below where I have REMOVED my real name:

 

Received: from mx4.slc.paypal.com (mx4.slc.paypal.com. [173.0.84.229])
        by mx.google.com with ESMTPS id n5-20020a170902f60500b0015cfe719870si25795924plg.222.2022.06.07.09.27.52
        for <[email protected]>

 

The full header is very similar to the full header of a genuine Paypal email. So I am still convinced it comes from Paypal.

 

 

I have Googled the topic and found this link which seems like a similar example: https://www.komando.com/security-privacy/paypal-invoice-scams/752199/

In it is says:

What’s causing these fake PayPal invoices to come through?

Let’s clear up a misconception first: These are not fake invoices. They’re 100% genuine and created within PayPal using the same tools that all PayPal users have access to. Unfortunately, they’re being misused as part of an aggressive spam campaign and sent to hundreds (perhaps even thousands) of random users in the hopes that someone will bite.

 

Edited June 9, 2022 by WorriedNoodle

[lopburi3]

You should be calling PayPal about it and providing them what you have.  Starting to sound like a backdoor on PayPal software allowing access (perhaps only for limited time) and something that needs to be fixed.  I closed my PayPal account some months ago when Thailand was getting locked out (which did not happen).  Stopped using Ebay even earlier so had not need for them except for an occasional fax service.

[WorriedNoodle]

2 hours ago, lopburi3 said:

You should be calling PayPal about it

I will if anything shows up on my invoicing, but nothing since the email, and the account page looks normal. The link above about the scam is from 2020 so Paypal must know about it.

[lopburi3]

4 minutes ago, WorriedNoodle said:

I will if anything shows up on my invoicing, but nothing since the email, and the account page looks normal. The link above about the scam is from 2020 so Paypal must know about it.

This may be new and they can take action so be good to advise them about it with a copy.  I could not read on forum (too small) but if you send as PDF they should be able to read (advise them date/times as best you can and full header information).  You may save someone else.

[fdsa]

8 hours ago, WorriedNoodle said:

Thanks, it's rather long full header and I don't really have time to see/understand what is private data within in, so reluctant to post the entire header. But it does say something like below where I have REMOVED my real name:

 

Received: from mx4.slc.paypal.com (mx4.slc.paypal.com. [173.0.84.229])
        by mx.google.com with ESMTPS id n5-20020a170902f60500b0015cfe719870si25795924plg.222.2022.06.07.09.27.52
        for <[email protected]>

 

The full header is very similar to the full header of a genuine Paypal email. So I am still convinced it comes from Paypal.

 

 

I have Googled the topic and found this link which seems like a similar example: https://www.komando.com/security-privacy/paypal-invoice-scams/752199/

In it is says:

What’s causing these fake PayPal invoices to come through?

Let’s clear up a misconception first: These are not fake invoices. They’re 100% genuine and created within PayPal using the same tools that all PayPal users have access to. Unfortunately, they’re being misused as part of an aggressive spam campaign and sent to hundreds (perhaps even thousands) of random users in the hopes that someone will bite.

 

wow, this definitely looks like a real email from Paypal.

 

I suppose they have some vulnerability in their system allowing to send auto-chargeable invoices to random people.

[The Hammer2021]

On 6/8/2022 at 12:08 PM, spidermike007 said:

There is a whole subculture out there, who absolutely refuses to work for a living, and they live the lifestyle of a vampire, sucking on the blood of society. One needs to exercise great care, these days. I do as you did here, and always look at the return address first. Then, I typically just log into my account directly, rarely ever using a link, unless I know who it is from, or why it is there. Links can be very dangerous. 

'live the lifestyle of a vampire, sucking on the blood of society'

No. They are just common  criminals- no blood sucking- no vampires- just ordinary people- but petty criminals exploiting new  technology.

 

[spidermike007]

10 hours ago, The Hammer2021 said:

'live the lifestyle of a vampire, sucking on the blood of society'

No. They are just common  criminals- no blood sucking- no vampires- just ordinary people- but petty criminals exploiting new  technology.

 

I guess there is no room for metaphors on this most lofty of platforms?

[lopburi3]

Confirmed scam.

 

https://krebsonsecurity.com/2022/08/paypal-phishing-scam-uses-invoices-sent-via-paypal/

[fdsa]

> Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge

 

ah, that one is similar to the scam I already know - I often receive an email with text like "your subscription for (some random product name) was renewed and your account will be charged (some random amount), if you have questions please call +1 (some random phone number)"

 

I suppose that if you call that number to "dispute" the payment you will be tricked into handing your credit card details to the fraudsters on the phone.