Tricky Fake PayPal Invoice With an Interesting Twist


So, this was waiting for me in my personal email inbox recently.


It appeared to be PayPal, asking me to confirm a requested invoice. I use PayPal. I have recently paid a big invoice using it…but not for that amount, not to Apple.

Hmm.

Valid URLs

I hovered over the URLs in the email and all pointed to www.paypal.com. Not a rogue link in the batch.

DMARC, DKIM, and SPF Valid

I looked at the email’s headers (selected sampling shown below) and saw that the email passes DMARC, DKIM, and SPF checks. So, this email claims to be from paypal.com and is really from paypal.com.


Microsoft Anti-Spam Says It Isn’t Spam

The same email header has a Microsoft Antispam header in it (see below) and the Spam Confidence Level (SCL) is a 1, which means unlikely to be spam (https://learn.microsoft.com/en-us/defender-office-365/anti-spam-spam-confidence-level-scl-about).



So, this email is really from PayPal and Microsoft doesn’t think it’s spam or malicious…but we know it is.

Reported to PayPal

After confirming again that the included URL links connect to Paypal.com, I click on the “Report this invoice” option provided by PayPal (see below).


This takes me to the PayPal screen shown below.


Another clue that this invoice is absolutely bogus is the Bill to information. Instead of providing a vendor name and address, it includes a message saying the invoice was paid and if I had a problem with that to email someone at Hotmail.com (shown below). Yeah, that’s legit.

Now because I clicked on the “Report this now” button, PayPal includes a header that says, “This invoice has been reported as a possible scam.” Hey, great, this scam invoice has been reported to PayPal and they aren’t paying it (at least yet).

That’s great, I think.

But then I read the bottom of the page (shown below). In the “Seller note to customer” it says that the payment was SUCCESSFUL and if I have a problem to please call a particular phone number.


Seller Note:

This is a genius social engineering hack. The hacker created a real invoice that they submitted to PayPal for payment against my account and inserted language into the seller’s comment that appears to be from PayPal itself.

When I first read it, I thought, “What? You paid the invoice even when I reported it as fraudulent and said not to pay!!”

The social engineering hacker was playing on my emotions and outrage. But had I followed my initial emotion and called the provided number, that number would have surely taken me to a fake PayPal call center where they would ask for my credit card or PayPal information to supposedly confirm my account and “reverse” the charges. But in reality, they would be stealing my funds.

I tried to research the fake phone number provided, but none of the phone number lookup services that are supposed to tell you whether a number is fraudulent flagged it as such. But it is. I didn’t call it because I didn’t want to put my real phone number on yet another spam list.

Instead, I went to PayPal’s Help Center (Real PayPal phone number at https://www.paypal.com/us/smarthelp/contact-us) and looked for the real PayPal help numbers. That image and the correct numbers are shown below.



Never use the phone number provided in a potentially malicious email to verify the request. Always go to the legitimate vendor’s website or look up the truly valid phone number.

Conclusion

This is likely a popular PayPal social engineering scam, but one I had not come across before. I hope PayPal starts to implement invoice filtering that looks for and blocks rogue social engineering messages that appear in the seller’s comments. But for now, these rogue Bill To and Seller comments are getting by. It’s important for readers to understand that free-text fields a sender can fill in (such as Bill To and seller notes) are not messages from the vendor and may not be vetted or filtered by the vendor. It’s a sneaky trick.

Note: I checked with KnowBe4’s threat intelligence team and they said they see these sorts of scams all the time: scam information sneaked into different free-text fields, as was done in this PayPal scam. They’ve seen it a lot with fake invoices sent using DocuSign, Google Docs, SharePoint, Intuit, Canva, and OneDrive. So, it’s not new to them, just me.

Always be especially skeptical of unexpected messages that ask you to do something you’ve never done before. And just because the email is really from the legitimate vendor, has all valid URL links and passes all DMARC checks doesn’t mean it’s a non-malicious email.
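The header checks described earlier (SPF, DKIM, DMARC and the Microsoft SCL) and the point just made are easy to put into a small triage script. The following is an added example, not code from the article or from PayPal or KnowBe4: it parses a constructed sample message (the headers, addresses, amount and phone number are all made up for illustration), confirms the message is authenticated, and then treats the sender-controlled free-text fields as untrusted by flagging any phone number or free-mail contact address found there. The regular expressions and the list of free-mail domains are assumptions chosen for the demo, not a vendor's filtering logic.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample for the demo: the addresses, IP, amount and phone number
# are invented and are not the headers from the original article.
SAMPLE_EMAIL = """\
From: "service@paypal.com" <service@paypal.com>
To: victim@example.com
Subject: Invoice from Apple Inc (0001)
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
 header.d=paypal.com;dmarc=pass action=none header.from=paypal.com;
X-MS-Exchange-Organization-SCL: 1
Content-Type: text/plain; charset=utf-8

You have an invoice for $499.99.
Bill to: Invoice already paid. If you did not authorize this, contact
billing-support-desk@hotmail.com
Seller note to customer: Your payment was SUCCESSFUL. To dispute, call
+1 (555) 010-4242 within 24 hours.
"""

# Candidate phone numbers: a digit run with separators, filtered below by digit count.
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")
# Free-mail providers a real vendor would not use for billing contact (assumed list).
FREEMAIL_RE = re.compile(r"[\w.+-]+@(?:hotmail|gmail|yahoo|outlook|aol)\.com", re.I)
# Pressure language typical of the "payment succeeded, call us now" lure.
URGENCY_RE = re.compile(r"\b(?:successful|within 24 hours|call|dispute|reverse)\b", re.I)


def parse_auth_results(value: str) -> dict:
    """Return {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'} from an Authentication-Results header."""
    flat = " ".join(value.split())  # unfold the header before matching
    return {m.lower(): v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", flat, re.I)}


def parse_scl(value: str):
    """Microsoft Spam Confidence Level as an int, or None if absent/unparseable."""
    try:
        return int(value.strip())
    except ValueError:
        return None


def plain_text_body(msg: Message) -> str:
    """Collect the text/plain parts of the message (single-part or multipart)."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(
        part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )


def assess_invoice_email(raw: str) -> dict:
    """Authenticate the message, then scan sender-controlled text for scam contact details."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    scl = parse_scl(msg.get("X-MS-Exchange-Organization-SCL", ""))
    body = plain_text_body(msg)

    phones = [m for m in PHONE_RE.findall(body) if sum(c.isdigit() for c in m) >= 10]
    freemail = [m.group(0) for m in FREEMAIL_RE.finditer(body)]

    indicators = []
    if phones:
        indicators.append(f"phone number in sender-controlled text: {phones}")
    if freemail:
        indicators.append(f"free-mail contact address in sender-controlled text: {freemail}")
    if URGENCY_RE.search(body):
        indicators.append("urgency/dispute language in sender-controlled text")

    return {
        # Authentication only proves the platform sent it, not that the invoice is genuine.
        "authenticated": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "scl": scl,
        "indicators": indicators,
        "verdict": "suspicious" if indicators else "no content indicators",
    }


if __name__ == "__main__":
    for key, value in assess_invoice_email(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

On the sample the script reports that SPF, DKIM and DMARC all pass and the SCL is 1, exactly the "clean" picture from the headers above, and still returns a verdict of suspicious because the Bill To and seller-note text carry a Hotmail address and a phone number. That is the rule worth automating: authentication results say who delivered the message, and the free-text fields still have to be judged on their content.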


Teach yourself, your co-workers and family about these types of scams.


Mark Schrader

Resource. ---------------

3 months

It seems amazing how the filters don't catch these. I have received a few and immediately flagged as phishing.


Attacks are getting more and more sophisticated and harder to catch got some. I find myself asking more questions every time I see my personal email.
