Really dangerous phishing email from paypal

[Karimbo]

SCAM LINK: DO NOT CLICK WITHOUT PROTECTION

https://www.paypal.com/invoice/s/estimatexxxx/buyerviewxxxxx/ESTxxxxxxxxxxxxxxMZ-XAKW

I reallyu dont know how they pulled this off, but they send you a page hosted on the actual paypal.com site and if not for the typo and dodgy lookingg details it could fool people.

the email came into my inbox, the email was verified as being sent from paypal and had a trust badge on it.

For me, I've relied solely on the TLD on all links to validate it, but this is actually hosted on paypal.

Paypal telephone number is really hard to get hold of, but they have nicely left a scam telephone number at the bottom of the page for you to call, if you google the number you'll see its a scam number if you call it they will try to get you to give their login and hijack your account

 

[fisicx]

I'm getting one of these per day. It is a clever scam and I've reported it to PayPal

 

[WebDesires]

they have generated an invoice from their paypal account.

report it to paypal to get their account blocked.

 

[Karimbo]

they have generated an invoice from their paypal account.

report it to paypal to get their account blocked.

I just forwarded this onto [email protected]

It's a huge oversight for paypal to allow this, I presume they are using paypal's system to send out these emails (it's recognised by hotmail as coming from valid paypal server and gave their seal of approval).

The seal from Hotmail really drops your guard

 

[WebDesires]

yes thats right...

In paypal you can send someone an invoice - place your own description for the charge and send it... Its a slightly clever approach but I wouldnt say its any sort of oversight from paypal.

 

[Karimbo]

yes thats right...

In paypal you can send someone an invoice - place your own description for the charge and send it... Its a slightly clever approach but I wouldnt say its any sort of oversight from paypal.

The thing is, they are using PayPal to mass email. They are a financial services company not an email service. They can't have thieves join their service and email thousands of people using their servers to comprise their own customer base.

If this isn't oversight, I don't know what is.

 

[webjaved]

I get several of these emails during the month, and then it goes all quiet, a few months later it starts to happen again.

How's PayPal support? I've never really gotten in touch with them.

 

[WebDesires]

could you imagine if you went to invoice someone and your billing partner tells you that the invoice will be reviewed before being sent? So you cant bill anyone immediately and have to wait 5-15 days for someone to approve your invoice is legitimate?

Its simply not possible... someone can do this from any billing platform, I could do this in stripe to someone right now if I wanted.

 

[Karimbo]

It's not even an invoice. It's someone sort of pre invoice document. Asking to review charges.

Permission to send out these documents should be done on a vetting basis.

Ebay has a seller verification system where you slowly build up sales and more you sell the more listed and selling volumes you get.

If a PayPal Account has never done a legitimate activity before. Joins the service without verifying their business and spams out 100,000 emails to request payment. How is that sensible?

It would make sense if they made sure the account is actively trading and has long trading history without disputes to send out mass emails like this.

You will doggedly defend paypal.. But trust me give it a few months paypal will close that loophole soon enough.

 

[WebDesires]

There is a clever saying, ASSUME makes an ASS out of U and ME.

Where did you get these assumptions from? Why do you think they have not built up legitimate business activity? PayPal does limit new accounts severely. In fact they are quite ruthless about it these days.

What is more likely is someone's legitimate PayPal has been compromised and used to try and scam people, which PayPal will figure out and stop if they have not done so already, they are usually quite quick in this regard.

 

[Karimbo]

Wow, I haven't heard that cliche since I was in school. You make yourself look pretty dumb and immature when you use clichés like this.

In any case bulk mailing estimates of £600 each to hundreds of thousands of people would be a huge spike in billings and should be preemptively disallowed.

Whether it's a hijacked account or a new account is neither here nor there. Paypal uses 2fa so hijacking their accounts is pretty tough

 

[WebDesires]

It's something I think you need to tattoo on your face to avoid all the silly remarks you keep making such as your last one.

In any case bulk mailing estimates of £600 each to hundreds of thousands of people would be a huge spike in billings and should be preemptively disallowed.

ASSUME.

 

[Karimbo]

Why are you ruling out the fact that PayPal has overlooked this, that they haven't limited how many estimates an new account can send out. This was not an invoice, it was an estimate with a scam phone number to call if you dispute the estimate.

 

[WebDesires]

Do you have PayPal? Go and look at the features they provide you and you will understand what you got, why it happened and what I have been telling you. https://www.paypal.com/uk/brc/article/paypal-invoicing-did-you-know-paypal-can-do-that

While you are there go look at PayPal new account limits too: https://www.paypal.com/us/brc/article/understanding-account-limitations

A simple PayPal account cannot do this, not only has this been done from a well established account (probably compromised account) but also a BUSINESS ACCOUNT - which is very hard to setup illegitimately as you would expect.

So some business somewhere is having a very hard time either right now or very shortly when the PayPal account gets restricted/banned.

 

[Karimbo]

You're moving the goalposts around a bit. Let's just go back to the technical aspect of it.

Why can't paypal see an account was making £10,000 in sales a month.

Then suddenly the account is sending out £600 x 1,000 emails of estimates to different emails and say “hold on a second right there, that looks like a huge jump" and stop and delete the links.

The PayPal link you sent is completely irrelevant. These are based on transactional issues, charge backs, refunds, money taken in sales. These are not invoicing limits or estimates limits which they've clearly overlooked.

Why are you assuming these are hijacked accounts, assuming some business gone into distress and sold their account. Etc.

 

[HFE Signs]

SCAM LINK: DO NOT CLICK WITHOUT PROTECTION

https://www.paypal.com/invoice/s/estimate/buyerview/ESTxxxxxxxx-S22M-EFU9-VRMZ-XAKW

I reallyu dont know how they pulled this off, but they send you a page hosted on the actual paypal.com site and if not for the typo and dodgy lookingg details it could fool people.

the email came into my inbox, the email was verified as being sent from paypal and had a trust badge on it.

For me, I've relied solely on the TLD on all links to validate it, but this is actually hosted on paypal.

Paypal telephone number is really hard to get hold of, but they have nicely left a scam telephone number at the bottom of the page for you to call, if you google the number you'll see its a scam number if you call it they will try to get you to give their login and hijack your account

I've not seen this one yet, thanks for sharing

 

[kulture]

Sorry but I have put some xxxxxx into the links as I don't think that the actual link should be left live

 

[forevergroup]

There are always going to be legitimate service accounts - whether is it PayPal, Microsoft 365, Google, etc - that are compromised and then used to stage further attacks.

‘Password stuffing’ - bulk automated shoehorning of known hacked usernames/passwords into key services - is a big problem right now.

In fact it’s now the #1 attack mechanism against Microsoft 365 AHEAD of phishing.

Certainly these compromise attacks will remain more prevalent until MFA becomes mandatory for all providers and accounts.

If anything, this is probably a good reminder to all of us to assume that any account without MFA enabled is open to be breached, especially (but not only) if it uses a common/re-used password.

The best ways to defend yourself against these kinds of attacks, is to invest in email security filtering that helps block email fraud attacks - and maintain your own vigilance.

Realistically speaking, if a spurious invoice from an unknown supplier was to be successful in 2022, you have far greater problems in your accounting function than just third parties sending you dodgy emails.

Invest in commercial email security layers to reduce the amount of these threats hitting your inbox, and train yourself and your staff to avoid the rest.

Do report to service providers as you have done, so that they can lock down the offending accounts ?