One of the more complex scams we’ve seen all year is turning up in Aussie inboxes, as scammers send a bogus invoice and expect you to call in to cancel.
I sat there staring at the string of letters and numbers and characters all culminating in something that appeared all too real when I knew I was looking at a scam.
Like every day, a scam had arrived in my inbox, but unlike the regular assortment that are easy to spot, this one was difficult, because it didn’t just look legitimate: it came from a real, established place.
Most scams have to fake quite a few elements, or provide things near enough to trick you. Scams are a con, and because scammers can make a lot of money by tricking you into clicking and handing over your details, they’ll use fake sender IDs for mobile text messages, similar names for companies in emails, fake versions of websites if they want to pretend to be things you trust like the government, and social engineering if they want to do dodgy things on social media.
But by and large, they have to fake something.
An email popped up in this writer’s inbox this week that actually wasn’t fake, and yet was still a scam.
It looks like it’s from PayPal, and the link definitely matches up with a PayPal one, but there are indications this PayPal isn’t legit. This isn’t your regular PayPal scam, and frustratingly to find it out, you have to know how to peek behind an email and see what’s going on. Kinda sorta.
What is going on?
Scammers are sending dodgy invoices
If you get an email from PayPal advising that you need to pay an invoice ASAP, consider opening a different tab or window, and logging into your PayPal account through a totally different link. Head to your activity, and check nothing has happened.
In my case, nothing had happened — there was no invoice being generated — but I still had a PayPal invoice in my inbox with a legitimate PayPal link to it.
PayPal had created an actual invoice for someone, and that invoice was publicly available for anyone to see, whether or not they log in.
But the email raised questions.
Fun fact: you can look behind the sender of the email by diving into the original email information. In Gmail, it’s “show original”, but in your email client, it might say something like “view headers”.
What you get from that screen is the raw source of the email, including who technically sent it and who it was for. In this instance, it’s a PayPal user I don’t know, but who I’ll be reporting to PayPal pretty quickly.
That gives us the “who” for “who generated this invoice”.
Now for the “why”, as in “why you received an invoice to pay for someone else”.
Scammers want you to call their “customer service line”
A scam like this is strange: there’s no immediate pay-off, and no one is going to pay for an invoice they didn’t actually generate. Requesting $799 is never going to work, but because the request is coming from a legitimate link, it’s easy to believe.
As such, we can expect the first thing many would do is call the customer service line on the invoice, and lo and behold, there’s one of those. It’s not the number for contacting PayPal, but the number for the person responsible for the scam. And that person has created the PayPal account under the username of “PayPal User”, making it easier to believe that the message is intended for you.
It’s not, and that number will lead you down a scam-ridden black hole.
Call that number, and you’ve basically dialled into a scam line, no different from when a fake Amazon calls you to tell you about charges on your account. The only major difference is you’ve called them, rather than them calling you.
Call in and the scammers not only have your number, but you could potentially end up giving them your actual credit card information and other details, effectively falling for the goal of this scam.
This is essentially phishing over the phone, and it is very easy to fall for.
How to avoid a legitimate PayPal email that’s actually phone phishing
We’re not the first people to pick up on this, but this does seem quite new, making it a scam many will likely fall for.
So to avoid falling for this type of scam, if you get an email advising you have an invoice to pay that you didn’t generate, log in to your PayPal account using a separate tab or browser window without clicking on anything in the email. Do not claim responsibility for the invoice.
In your PayPal dashboard, check your recent activity, and if there’s nothing there, assume this email and invoice isn’t for you, because it’s not. It’s meant to ensnare you, but it’s definitely not legit.
On the email in question, check to see whether your email or name is mentioned anywhere. In our case, it wasn’t, and that’s because this is largely a blind email: a scammer has BCC’d this to as many people as possible in the hopes that anyone or a lot of people fall for it.
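One way to run those header checks (who technically sent the mail, whether you are a named recipient, whether your name appears anywhere in it, and which callback number it pushes) over a raw message saved from “show original”. This is an added example, not part of the original article; the sample message, its addresses, link and phone number are constructed placeholders.

```python
import re
import email
from email import policy

# Constructed sample of a blind invoice email. Every address, domain,
# number and link here is a placeholder, not a real PayPal or scammer value.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail.example.com>
From: "PayPal User" <noreply@mail.example.com>
To: undisclosed-recipients:;
Subject: Invoice from PayPal User (0001) - $799.00 due
Content-Type: text/plain; charset=utf-8

PayPal User has sent you an invoice for $799.00.
Questions about this invoice? Call customer service on +1 555 0100 123.
View and pay invoice: https://www.example.com/invoice/p/#PLACEHOLDER
"""

# Loose match for phone numbers pushed as a "customer service" callback.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

def addresses_in(msg, *headers):
    """Lower-cased addr-specs in the given headers (empty groups add none)."""
    found = set()
    for name in headers:
        for hdr in msg.get_all(name, []):
            found.update(a.addr_spec.lower() for a in hdr.addresses)
    return found

def triage(raw, my_address, my_name):
    """Who technically sent the mail, whether you are a named recipient,
    whether your name is in the body, and which callback numbers it pushes."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    sender = msg["From"].addresses[0] if msg["From"] else None
    return {
        "sender_display_name": sender.display_name if sender else "",
        "sender_address": sender.addr_spec.lower() if sender else "",
        "envelope_sender": str(msg.get("Return-Path", "")).strip("<> "),
        "named_recipient": my_address.lower() in addresses_in(msg, "To", "Cc"),
        "name_in_body": my_name.lower() in body.lower(),
        "callback_numbers": [m.strip() for m in PHONE_RE.findall(body)],
    }

def looks_like_blind_invoice(findings):
    """Not addressed to you by address or name, yet pushing a number to call."""
    return (not findings["named_recipient"] and not findings["name_in_body"]
            and bool(findings["callback_numbers"]))
```

A mail that names you in To or Cc and in the body, and carries no callback number, is not flagged; check it in your PayPal activity anyway, as the article says.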
Don’t be one of those people, and don’t fall for it.
We’re clearly not the only people who have seen this, and reports on this approach by scammers have been popping up in the past month or so. It’s been happening in America as well, so Australians aren’t the only ones being targeted.
Once you’ve worked out that this fake invoice isn’t for you, consider contacting PayPal’s security team and reporting the scam with the ACCC’s Scamwatch, limiting its chances of affecting others in the long term.