I haven’t written about phishing scams in quite a few years. For the most part, we all see to encounter them regularly, so there has been a lot of education about this type of hacking. What’s a bit scarier to me are some of the social engineering phishing scams that are hitting large corporations like Uber most recently. However, this week I received an email via PayPal from a user requesting money from me. And it was a legitimate email originating from within PayPal’s systems. This surprised me, so I wanted to investigate it a bit further. And this article is about that PayPal phishing scam that truly looked and felt legitimate…because it almost was!
I have tried to train my parents and family about what to look out for. And, at least at a minimum, they have learned not to click on links in “odd” emails but rather go to the site directly. Or, they now just forward me the emails asking, “is this a phish?” And I point to strange grammar and punctuation and the originating email being from a generic, non-company email. So, that is progress, right?
Hopefully, you are well trained on how to look for phishing scams at home and work. Home scams, if you fall for one, can suck your financial accounts dry, lock you out of things, or even encrypt your hard drive and ask for a ransom to unlock it (ransomware). At work, systems can become compromised, user data stolen, patents taken, and much more, incurring huge capital and operational expenses.
Before going into this PayPal phishing scam, my quick words of advice are, if you don’t know the sender, don’t click on it. If you didn’t ask to reset your password, don’t click on it. If the email seems to have odd grammar or punctuation, don’t click on it. If it looks somewhat legit, don’t click on it but instead, go directly to the site manually, log in there, and start your investigation on the valid site!
What this PayPal Phishing Scam looked like
First, a quick update! As I was putting the final edits on this article, I received yet ANOTHER request. Identical wording as well, just from a different user. Now on to the details!
For me, it all started with an email notification from PayPay titled “You’ve got a money request.” That seemed a bit odd as I didn’t think I owed anyone money. The sender of the email appeared to be “email@example.com,” but you can never be sure. I have seen instances where domains have been created with numbers to look like letters. In this case, the “@paypal.com” could have easily been faked to “@paypa1.com” (using a number one instead of an “L”).
So, the email sender had passed my initial sniff test. It looked legitimate. I did expand the email address information to see if anything looked odd (these are NOT the full headers for true investigation, though), and they looked fine as well.
I have gotten PayPal requests for money in the past. The format of the email contents looked valid as well, but again, these things can be easily spoofed or faked.
The section that contained the “Payment request details” also looked real with a Transaction ID, the date, and the Amount requested.
Also, the footer of the email where there are links to the PayPal site, social media, support, and security also had a seemingly real context. In some email software, you can see the actual URL if you hover over the links. But again, these can be spoofed, so I do recommend NOT clicking on any links anywhere in these “strange” emails.
A quick side note here – interestingly, this real PayPal email did have a link to “Learn to identify phishing,” which actually is a pretty good instructional page.
But it was the message that was contained within the money request that raised all of my red flags and set off alarm bells. Below are the images and the text of the message (I have redacted any contact information to preserve innocence or guilt).
We've detected that your PayPal account has been accessed fraudulently. If you did not make this transaction, please call us at toll free number +1 (###) ###-#### to cancel and claim a refund. If this is not the case, you will be charged $500. 00 today. Within the automated deduction of the amount, this transaction will reflect on PayPal activity after 24 hours. Our Service Hours: (07:00 a. m. to 06:00 p. m. Pacific Time, Monday through Friday).
I’m using “code” formatting so you can more easily see the punctuation and spacing of this message from the payment requestor. And this is what the message looked like in the email:
And here is the one I received as I was finishing this PayPal phishing scam article.
So, that was odd. I decided to log into my PayPal account, and there was the same message in my inbox. That meant this was a legitimate email and notification coming directly from PayPal. That’s a bit scary. But that doesn’t mean that PayPal was hacked in any way. What it meant was that this particular user was using PayPal’s functionality to try to obtain money illegally.
At that point, I decided to look at the message a bit more closely. And here are the items I identified as being red flags:
- I didn’t know the requestor of the money
- Odd phrasing “call us at toll free number” (as a content writer, I would have said “call us at this toll-free number” or “call us toll-free at” but that is just semantics; and from a grammar perspective, you should hyphenate “toll-free” as an adjective before the noun “number”)
- Toll-free number – I didn’t call it because THAT is how the hack would happen. It is the only way to get your login or personal information. There are probably operators…er…scammers standing by to “help you.”
- “Cancel and claim a refund” seemed odd as well but is designed to scare the reader and encourage them to act.
- Punctuation – note the space in the dollar amount of “$500. 00”
- The next sentence also did not seem to be professionally written and had odd word choices like “reflect on”
- Service hour punctuation – why would you put parenthesis after a colon like that?
- AM/PM – why the odd spacing of “a. m.” and “p. m.”? I would say either AM and PM or a.m. and p.m. without the extra spaces.
- And wait, the huge international company like PayPal doesn’t have extended hours, weekend hours, or 24-hour support? Odd.
After all of those red flags, I decided to contact PayPal support directly to notify them of this false and phishing-like activity.
And, for good measure, I searched for some of the content from the message to see if anyone else had encountered it and/or written about it. I found this very good writeup that had an example that wasn’t identical, but it had many of the same characteristics as mine. The author, Christopher, goes into a lot more detail. And he did actually call the number.
What to do about this PayPal Phishing Scam?
What is the best thing to do about this PayPal phishing scam? Absolutely nothing. Just be aware of it and inform your family and friend (e.g., share this article).
I clicked on the dashboard item in my PayPal account to see if I could dispute or delete the notification. Unfortunately, I couldn’t, but I did get some interesting information. For starters, look at part of this email address itself. (I obfuscated the domain.)
IMAGE EMAIL ADDRESS
And I also got this alert which sounds to me like the account has been shut down or flagged.
A quick note to PayPal – it would be great if you could dispute or at least remove it as you are viewing the item in question. But unfortunately, I don’t know how long it will now sit in my dashboard. And now, I have TWO requests that I can’t remove.
Be sure you read up on how to detect phishing scams or other scams like this PayPal phishing scam. This one was almost legitimately done. It used PayPal functionality for everything, so nothing was out of the ordinary at all.
You have been warned!
If you found this article helpful or if you have encountered anything similar to this, please leave a comment. And I, and your friends and family, would appreciate it if you shared this article to increase the visibility of this PayPal phishing scam issue and spread the knowledge about how to avoid hacking and scams.
HTD says: It’s quite easy to fall for a phishing scam. However, this PayPal phishing scam almost made me fall for it! Remember, if you don’t know it, don’t click it!