Scammers have started taking advantage of a feature inside PayPal that can request money from victims as if they owe it in the first place. What’s going on?
It must be a day ending in “y”, because we’re seeing scammers try something a little bit different to ensnare you and get you to pay up for absolutely nothing.
Endless scams seem to be a regular thing lately, and it’s no wonder: the ACCC’s Scamwatch project says Australians have lost over $520 million this year alone, a staggering number that seems to get worse every time you look at it.
This year, we’ve seen and tried to debunk many of the scams no doubt adding to the seemingly endless cash pile for scammers, including scams about Covid’s Omicron wave, nasty scams pretending to be from the government, scammers pretending to be Australia Post, the ongoing fake toll road scams, and scammers trying to pass themselves off as your own mother. They’re sneaky, for sure.
This week, however, we saw one that might actually throw the most hardened of security folks, as scammers took to PayPal and used the payment service for their own nefarious deeds. We’ve seen one instance of that with a seemingly legitimate but still fake invoice, but this new approach was a little different again. Simply put, you’d get an alert from PayPal saying you owe money, as scammers made use of PayPal’s “request money” feature.
How are scammers requesting money?
While you might use PayPal to pay for goods and services through a PayPal button, one of its other features is a direct “request” button, whereby you can simply type in an email address or phone number and request money from the person. Think of it as a form of invoicing, but doing it through PayPal.
When a PayPal money request is made, the person it’s intended for will get an email from PayPal noting how much they’re being asked for, with further information available at PayPal’s website.
Given so many of us have PayPal accounts, invoicing through the service can make a lot of sense for legitimate activities, but scammers are going the extra step of using this legitimate approach because it makes their attempt seem just that: real.
The problem is our email addresses and phone numbers aren’t exactly sacred, and so all a scammer needs to do is throw a bunch of emails into the request money feature with some seemingly legitimate text and reasoning, and voila, they can make a convincing scam attempt using a legitimate service. While we normally write about phishing through fake websites, and phishing attempts using fake PayPal email addresses, request money scams look real because they come from the real PayPal website, similar to the PayPal invoice trick we started seeing earlier this year.
So how do you work out if this is fake?
How to work out whether PayPal request scams are fake?
The first thing to debunk is why you’re getting a request for money. You know what you’ve bought, and so if you get a request for a random amount of money, the whole thing might seem a touch dodgy, so don’t pay it immediately.
Instead, go investigating, which is what we did when we received one.
We didn’t owe any money, and certainly not to someone purporting to be a security company (which itself seems like a bit of an in-joke given a scammer is evading security), but there were other tells to suggest this wasn’t right.
When we looked into the scammer’s email, we found an overly complex burner email that they clearly had no intention of checking.
The phone number they also included in the text was an interesting addition, partly because it’s clearly intended to be a scam. Including a phone number suggests the scammer is hoping you’ll call so they can explain to you the cost, which is basically the equivalent of intentionally calling a scammer for a fictional story. It’s very similar to those fake Amazon cost scams calling into your phone, only you’d be calling them, which helps make the scam seem more legitimate.
When you see a phone number in a payment request, however, particularly one purporting to be from a company, do a Google search on that company’s official phone number.
Scammers won’t have their phone number listed, though it’s pretty clear the scammer’s attempt of “1800953480” was intended to be as close as possible to the official one we found for the real company at “1800653870”. Near enough for scammers, anyway.
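For anyone triaging these requests in bulk, such as a help desk or accounts team, the phone number comparison above can be automated. The following is an added example, not part of the original article: it pulls phone-like numbers out of a request note and flags any that are close to, but not the same as, a number you have verified yourself. The allowlist, the three-edit threshold and the sample note text are assumptions; the two numbers are the ones quoted above.

```python
import re

# Numbers you have verified independently, e.g. from the company's own site.
# This value is the official number quoted in the article.
OFFICIAL_NUMBERS = {"1800653870"}


def extract_numbers(note: str) -> list[str]:
    """Pull phone-like digit runs from free text, ignoring spaces, dashes, brackets."""
    candidates = re.findall(r"\+?\d[\d\s\-()]{6,}\d", note)
    return [re.sub(r"\D", "", c) for c in candidates]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each insert, delete or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(number: str, official=OFFICIAL_NUMBERS, max_edits: int = 3) -> str:
    """'official' on exact match, 'lookalike' if within max_edits (an assumed
    threshold) of a verified number, otherwise 'unknown'."""
    if number in official:
        return "official"
    closest = min(edit_distance(number, o) for o in official)
    return "lookalike" if closest <= max_edits else "unknown"


def check_note(note: str) -> dict[str, str]:
    """Classify every phone-like number found in a payment request note."""
    return {n: classify(n) for n in extract_numbers(note)}


if __name__ == "__main__":
    # Constructed sample note; only the phone number comes from the article.
    sample = "Your subscription renews for $499.99 today. To cancel call 1800 953 480."
    print(check_note(sample))
```

A "lookalike" result is the strongest warning of the three: the number was not simply unknown, it was built to resemble one you trust.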
What should you do if you get a random request for money in PayPal?
If you do end up getting one of these alerts in your PayPal dashboard or over email, question it immediately, and look for the “decline” button.
It’s worth noting that just because you receive a money request from within PayPal, you are under no obligation to pay it, and that request also doesn’t come from PayPal itself.
A real business or service isn’t going to request money from you, and will just send you an invoice, or expect you to pay at the time you’ve purchased the goods.
Look for the signs, read things carefully, and make sure you’re not handing over any money to scammers when you can.
And when you’re done, report the scam to Scamwatch, hopefully to prevent any more of these from making an impact.