A novel PayPal scam

119 points by GavinAnderegg, over 2 years ago

19 comments

newaccount74, over 2 years ago
I think the biggest problem here is that the scammer has a way to include a message in the email.

I've discovered that if you offer any type of service that allows sending free text messages to other people, it will be abused by spammers or scammers.

For a variation of this problem, I once programmed a sign-up form that sent a confirmation email like "Hello *name*, please confirm your email...". As soon as spammers found it, they used it to send millions of emails by signing up and putting their spam message in the *name* field.

It doesn't matter how much info you put in the email around it (like a footer warning about spam). If the email contains any text that can be provided by the attacker, it will be abused.

PayPal should probably not include the seller note in the email, and show the invoice to the user only after asking if they are expecting an invoice.
lolinder, over 2 years ago
This was covered by Krebs last August: https://krebsonsecurity.com/2022/08/paypal-phishing-scam-uses-invoices-sent-via-paypal/

Previous discussion: https://news.ycombinator.com/item?id=32511086
paleotrope, over 2 years ago
There's a more insidious version of this floating around.

https://krebsonsecurity.com/2022/08/paypal-phishing-scam-uses-invoices-sent-via-paypal/
crazygringo, over 2 years ago
> *It also seems like a convenience feature that PayPal should consider locking down. I immediately assumed this was some form of scam...*

I don't really know how you'd prevent this or why anyone would fall for it. It's just sending an invoice. And PayPal clearly says you can safely ignore it if it's not for something you bought.

Sellers need to be able to send invoices, both for online and in-person things (like classes). And they need to be able to send them to any e-mail address, like a student who just signed up.

If you "lock it down", it doesn't work.
formichunter, over 2 years ago
I have received almost the exact same message, but not from Coinbase. I’ve never fallen for a scam, but I fell for this one. I was in a rush at work, read the message, called the phone number and realized with all the background chatter it was a scam call center and hung up. I was so shocked I had fallen for it, I wrote my family a summary laughing at myself that even a tech guy who watches YouTube scam revenge videos can get fooled.
pbreit, over 2 years ago
This "novel" "scam" has been around since 2000 when Request Money was launched.
Scene_Cast2, over 2 years ago
I've stumbled upon a worse version. If you don't have a business account and send someone an invoice - PayPal reverts and refunds that invoice a month later. I was completely flabbergasted when I found out they do this - there's no upfront notice or alert. In my case, the buyer was kind enough to re-pay via a regular "request", but that won't be the case for everyone.
elteto, over 2 years ago
FYI they are also using Google Forms to send these now. Which is pretty smart as the email comes from Google itself, probably bypassing all spam filters!
cmehdy, over 2 years ago
I received the exact same email (exact amount, coinbase, all checks passed) and forwarded to PayPal's phishing address (after having done my own due diligence) despite being surprised that this appeared so legit. Glad to see I wasn't in the wrong.. But something like that with a target other than crypto could have been devastating for non-tech people.
intrasight, over 2 years ago
I got one of those emails today. Obviously phishing. I called PayPal to confirm and also forwarded it to phishing@paypal.com.

Don't click on random links and don't call random phone numbers.
omk, over 2 years ago
The solution here is PayPal ensuring that seller notes aren't misguiding. I wondered why PayPal hasn't blocked senders from mentioning "PayPal" or even "PayPal®" as mentioned in the seller note. A justification might be that sellers do legitimately mention PayPal in the note without trying to impersonate.

It seems that an AI based filter might help? Why not ask the new kid around the block ChatGPT.

    > "Dear Customer, You sent a payment of $429.00 USD to Coinbase Corporation. If you did not make this payment or to cancel this transaction, please call our Help Desk number +1 XXX Cancellation after 24 Hours from this email won't be valid for a refund. Have a great day! PayPal Help Desk +1 XXX"
    Who is the author of this message
    ChatGPT> The author of this message is the PayPal Help Desk.

Maybe it is a bit too easy with the signature in place. Scammers might get smarter so I skipped the signature bit. The response was interesting.

    > "Dear Customer, You sent a payment of $429.00 USD to Coinbase Corporation. If you did not make this payment or to cancel this transaction, please call our Help Desk number +1 123 Cancellation after 24 Hours from this email won't be valid for a refund. Have a great day!"
    who is the author of this message
    ChatGPT> The author of this message is likely a representative of a financial institution or payment provider, such as a bank or payment service like PayPal.

On a simpler note, I think it would help PayPal to mention right below the seller note that this message is authored by the seller and NOT PayPal.
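
An added example (not part of any commenter's post, and not PayPal's code) of the two mitigations raised above by newaccount74 and omk: refusing attacker-controlled text in a sign-up greeting, and screening and labelling a seller note before it reaches the notification email. The regexes, the length limit, the function names and the sample note are all constructed for illustration.

```python
import re
import unicodedata
from typing import List, Optional

# Heuristics constructed for this example; real thresholds and patterns need tuning.
URL_RE = re.compile(r"https?://|www\.|\b[\w-]+\.(?:com|net|org|io|info|xyz)\b", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
BRAND_RE = re.compile(r"pay\s*pal|help\s*desk|customer\s+(?:care|support)", re.I)
MAX_NAME_LEN = 40


def normalize(text: str) -> str:
    """Fold look-alike forms (NFKC), drop invisible format chars, flatten control chars."""
    folded = unicodedata.normalize("NFKC", text)
    kept = (" " if unicodedata.category(c) == "Cc" else c
            for c in folded if unicodedata.category(c) != "Cf")
    return re.sub(r"\s+", " ", "".join(kept)).strip()


def greeting_name(raw_name: str) -> Optional[str]:
    """Name safe to place in 'Hello <name>', or None to fall back to a generic greeting."""
    name = normalize(raw_name)
    if not name or len(name) > MAX_NAME_LEN:
        return None
    if URL_RE.search(name) or PHONE_RE.search(name) or any(c in name for c in "<>@/\\"):
        return None
    return name


def screen_seller_note(note: str) -> List[str]:
    """Reasons to keep a seller note out of the notification email pending review."""
    text = normalize(note)
    checks = [("impersonates-platform", BRAND_RE), ("contains-phone-number", PHONE_RE),
              ("contains-link", URL_RE)]
    return [reason for reason, pattern in checks if pattern.search(text)]


def render_note(note: str) -> str:
    """Email fragment: the note, labelled as seller-written, or a neutral placeholder."""
    if screen_seller_note(note):
        return "The seller attached a note. Sign in to your account to read it."
    return "Note written by the seller (not by the payment provider):\n" + normalize(note)


# Constructed sample modelled on the note quoted in the thread; the number is fictional.
SCAM_NOTE = ("Dear Customer, You sent a payment of $429.00 USD to Coinbase Corporation. "
             "If you did not make this payment, please call our Help Desk number "
             "+1 (555) 010-0199. Have a great day! Pay\u200bPal Help Desk")
```

The phone pattern is deliberately broad and will also flag things like a date followed by a time, so flagged notes here are withheld from the email rather than rejected outright.
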
userbinator, over 2 years ago
The online equivalent of telling random strangers "pay me!"

I'm surprised that it works at all.
tantalor, over 2 years ago
What's "novel" about that?
warent, over 2 years ago
I've had this with another company, Intuit I believe. Someone used it to issue an invoice to me disguised as a bill from Intuit itself. It took me a solid 10 minutes of investigating before finally realizing what it was. Closest I've ever been to being duped!
awb, over 2 years ago
I received a similar version as well asking me to pay an invoice. I contacted PayPal and they confirmed it was a scam. This was several months ago.

People have been scamming companies for a long time with fake invoices, but this is the first time I’ve seen it done at the consumer level.
upofadown, over 2 years ago
> Inspecting the source, the email looked like it actually came from PayPal (SPF, DKIM, and DMARC all passed).

*Through* an email server controlled by PayPal, in particular. DMARC is not intended to be some sort of replacement for an email signature. It means something different. This is a good example of that.

This was just a regular anonymous unsigned email...
albert_e, over 2 years ago
> (poor punctuation on the “seller note” aside)

If the author is referring to that title "seller note to customer" -- I think that is PayPal's standard email template and nothing to do with the scammer.
vivegi, over 2 years ago
Not so novel. I have been getting around two emails a month for the past three months.
bredren, over 2 years ago
Got one of these from “Coinbase Corporation.”

Reported it to their security/phishing inbound.