
Received an invoice from PayPal?

If you’ve received an email from PayPal asking you to pay an invoice for a transaction you do not recognize, it’s a scam.

The confusing thing is, it’s also a real invoice sent from PayPal’s site.

As far as phishing emails go, this one is fairly sophisticated in that there are few obvious red flags, which makes it quite dangerous for unsuspecting individuals.

But how exactly does it work?

What happens if you were to click on it?

Most importantly, what do you need to do to protect yourself?

What it looks like

It starts by receiving an email from PayPal regarding an unpaid invoice. This email is coming from PayPal’s real email, so it won’t be flagged as spam like some spam/phishing emails automatically are.

The invoices, which are real and were created on PayPal’s site, are often for random things such as gift cards or memberships.

They appear to be charges from big-name companies like Target, Walmart, or PayPal itself.

Below is an example of one regarding an unpaid invoice for Target Premium Service.

Since this is a legitimate email from PayPal, clicking any of the links will take you to PayPal’s website, and you can confirm this yourself by hovering over the links before clicking them.

Below shows where clicking the “View and Pay Invoice” button will take you. This is from a different example, where the invoice was for a “Walmart giftcard” rather than the “Target Premium Service”, but the same screen appears regardless.

(Credit for these images goes to krebsonsecurity)

What’s the goal of the scam?

There are two main objectives that this phishing email is trying to accomplish.

1. To get you to pay the invoice

The first, and most obvious, is to get people to pay the invoice by mistake. You may be wondering, “who would ever pay a random $600 invoice?”, but this isn’t the criminals’ main goal; it’s just a potential upside for them.

If they send out 100,000 of these emails and 10 people pay the invoice because they believe it’s real, that’s 6,000 dollars that took them little to no effort to obtain.

2. To get you to dispute the invoice

Both the email and the invoice page have a note suggesting that you call “customer support” if you don’t recognize the invoice.

If you suspect you didn’t initiate this purchase, or this payment was not made by you directly reach out to our customer support helpline (***) ***-****

This is the main focus of the phishing scam. Victims may think they’re being proactive by calling PayPal/Target/Walmart support, but in reality they’ll be talking to a call center full of scammers.

Once they have you on the phone, they’ll attempt to walk you through installing remote access software on your computer, which gives them complete access to your device.

These “notes”, while they look official, are simply a free-text field for information about the invoice and can be customized to say anything when the invoice is created.
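As an added example (not code from the original post or from PayPal), the triage rule below applies the classic sender and link checks, which this scam passes, and then inspects the free-text invoice note for the callback pattern described above. The sample email, link and phone number are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Added example, not PayPal's code. The classic checks (sender, links) pass for
# this scam, so the only signal left is the free-text note on the invoice.
PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALLBACK_RE = re.compile(
    r"\b(call|reach out to|contact)\b[^.]*\b(support|helpline|help ?desk|hotline)\b", re.I)

@dataclass
class InvoiceEmail:
    sender: str   # From: address
    links: list   # URLs found in the body
    note: str     # free-text note typed by whoever created the invoice

def _domain(addr):
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""

def _host(url):
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""

def classic_checks_pass(email):
    # The advice everyone has heard; for this scam it genuinely passes.
    if _domain(email.sender) != "paypal.com":
        return False
    return all(_host(u) == "paypal.com" or _host(u).endswith(".paypal.com")
               for u in email.links)

def callback_indicators(note):
    hits = []
    if PHONE_RE.search(note):
        hits.append("phone_number_in_note")
    if CALLBACK_RE.search(note):
        hits.append("call_support_instruction")
    return hits

def assess(email):
    if not classic_checks_pass(email):
        return "ordinary_phishing"          # spoofed sender or off-site link
    if callback_indicators(email.note):
        return "callback_scam_suspected"    # real PayPal invoice, scam note
    return "no_indicators"

# Constructed sample modelled on the note quoted above; the number is a placeholder.
SCAM = InvoiceEmail(
    sender="service@paypal.com",
    links=["https://www.paypal.com/invoice/p/#EXAMPLE"],
    note="If you suspect you didn't initiate this purchase, or this payment was not made "
         "by you directly reach out to our customer support helpline (555) 010-0123")
```

A real invoice passes every check a user has been taught, so a mail filter or help desk playbook has to key on the note itself.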

Is the PayPal invoice showing up in your PayPal account?

Some individuals have reported seeing the invoices even after logging into their PayPal account.

It’s been discovered that if the email you’re using is connected to your PayPal account, it will automatically populate as an invoice within the account.

How can you protect yourself?

If you receive one of the emails, delete it, but don’t label it as spam. Doing so will move all emails from PayPal into your spam folder.

If you’d like, you can also report these invoices to PayPal so the accounts sending them out get removed.

PayPal is very familiar with how common these scams are, and there are a few different courses of action you can take to report the emails and invoices.

To report the email, PayPal encourages users to forward suspicious emails to phishing@paypal.com, where their security experts can determine whether it’s fake and, if needed, get the source of the email shut down.

You shouldn’t have to dispute the invoice, but if it does show up in your account because your email address is connected to it, you can visit https://www.paypal.com/disputes/ and file a dispute there:

  • Click on Report a Problem
  • Scroll through the list of transactions until you find the fraudulent one
  • Click on the white bubble next to the transaction and click Continue
  • Follow the instructions to complete the dispute

If you remember talking to a “tech support” person with PayPal and believe that you’ve installed malicious software on your device, you may need to bring your device to an IT professional and explain the scenario to them.

Otherwise, you can try running your antivirus to clean up any potential threats.

However, antivirus will not remove remote access software that has been installed on your device, because such software is legitimate on its own. To learn more about remote access software and how to check for it on your device, visit this article where we go into more depth.

Why is this scam so successful?

This scam takes advantage of what people think they know about phishing emails.

For years you’ve heard:

  • Hover over the sender to see where the email address is from (it’s actually from PayPal)
  • Hover over links to see where they lead (these links all lead to PayPal’s site)
  • Log in to your account to confirm (the invoice can still appear in your online account if it’s tied to your email address)

On top of that, the fact that criminals can scam you in two different ways (paying the invoice or calling the number) creates even more confusion around an already unusual scam.