Phishing Threat Alert: Active PayPal Payment Request Scam
While there’s no shortage of PayPal scams going around at any given time, this PayPal payment request scam leverages social engineering tactics without having to rely on a link that could be detected by phishing protection solutions.
Social engineering is a type of phishing attack that uses psychological manipulation to trick individuals into divulging sensitive information or performing actions that may be against their own interests. The goal is typically to gain access to confidential information or systems that can be used for fraudulent or malicious purposes. It’s increasingly concerning to both individuals and organizations because it can be difficult to detect, especially in cases where there is no phishing link included, like the payment request scam example detailed in this blog.
What Does the PayPal Payment Request Scam Look Like?
PayPal has a feature where anybody can request money from PayPal accounts on the PayPal website.
When the request is made, the requesting party can add a note in the request which is intended to describe the reason for the payment. Importantly, because the note is a feature of PayPal and actually comes from the PayPal notification system with an email address of [email protected], it’s technically a legitimate email message but it contains a malicious note.
Attackers are using social engineering to exploit this note feature to trick users into believing their PayPal accounts have been used unlawfully for a purchase, advising them to call a support number to cancel the payment request. Users who fall for the tactic and call the support number may quickly find themselves victims of this payment request scam. Below is a screen capture of an actual request sent as part of this PayPal scam. In the note you can see that the attacker is attempting to make it look like an official notice from PayPal, complete with a phone number to call (no phishing link).
According to the note, all the user needs to do is cancel the request and obviously not send the attacker funds. Non-technically minded users may not fully understand that it’s just a payment request as opposed to an actual debit or deduction. Contrary to the note, no transaction has actually occurred.
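Because the request arrives from PayPal's own notification system and carries no link, sender and URL checks do not help, so a filter has to look at the note text itself. The following is an added example (not zvelo's or PayPal's code) of such a content heuristic; the sample messages, the paypal.example sender, the phone number and the keyword lists are constructed assumptions, and the phone pattern covers North American formats only.

```python
import re
from email import message_from_string

# Constructed sample messages (not real PayPal notifications); the sender
# address, phone number and wording are placeholders.
SCAM = """\
From: service@paypal.example
Subject: Money request from A. Sender
Content-Type: text/plain

A. Sender sent you a money request for $499.99 USD.
Note from A. Sender: We detected an unauthorized purchase on your account.
To cancel, call support at +1 (800) 555-0100 within 24 hours.
"""
BENIGN = """\
From: service@paypal.example
Subject: Money request from B. Friend
Content-Type: text/plain

B. Friend sent you a money request for $20.00 USD.
Note from B. Friend: Your half of dinner on Friday, thanks!
"""

# Assumed heuristics: North American phone formats and a small keyword list.
PHONE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
REQUEST = re.compile(r"\b(money|payment) request\b|\binvoice\b", re.I)
PRESSURE = re.compile(r"\b(unauthori[sz]ed|suspicious|fraud\w*|cancel|refund|dispute|"
                      r"within \d+ hours?|immediately)\b", re.I)
CALL = re.compile(r"\b(call|contact|dial|phone|helpline|support)\b", re.I)

def assess(raw: str) -> dict:
    """Score a payment-request e-mail for callback-scam traits, ignoring the sender."""
    msg = message_from_string(raw)
    # Collect every text/plain part so multipart notifications are covered too.
    body = "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_type() == "text/plain")
    signals = {
        "payment_request": bool(REQUEST.search(f"{msg.get('Subject', '')}\n{body}")),
        "phone_number": bool(PHONE.search(body)),
        "call_prompt": bool(CALL.search(body)),
        "pressure_terms": sorted({m.lower() for m in PRESSURE.findall(body)}),
    }
    # Flag only when a request carries a number to call plus urgency language.
    signals["flag"] = (signals["payment_request"] and signals["phone_number"]
                       and signals["call_prompt"] and bool(signals["pressure_terms"]))
    return signals
```

A flagged message is a candidate for quarantine or a warning banner rather than proof of fraud, since the keyword list will need tuning against real traffic.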
The attackers in this particular PayPal payment request scam are wise to the fact that users, when facing a suspicious request, perform a quick Google search to verify whether or not such a request is a known scam. Knowing this is common behavior, the attackers have cleverly placed Google ads that appear to point to the PayPal website. The ad actually points to a spoofed domain that is yet another attempt to trick a user. Below is a screenshot of the Google ad.
What to Do if You Receive a Suspicious Payment Request
zvelo does not advise using Google, or any other search engine, to validate whether or not a suspicious message is in fact a scam. Attackers can — and do — use online ads to further their attempts to exploit users.
PayPal has the following notice posted in the help center on the website:
“Received a suspicious email, message, invoice or money request? Don’t reply, open links, download attachments, or call any listed phone numbers. We’ll never ask for your PayPal password or financial details by email or message, or over the phone. Forward suspicious messages to [email protected] and then delete them.”
If you have received one of these PayPal payment requests, there is an option to cancel the transaction from within the PayPal app or on the website. Additionally, users have the option to report suspicious messages directly to PayPal as indicated by the message above.
An Important Note:
The driving force behind why we do what we do here at zvelo is to make the internet safer and more secure. And even though our solutions are not directly geared for end user consumption, they are very much aimed at protecting end users from cybercrime. While those reading this blog may be well aware of these sneaky social engineering tactics, it’s important to remember that we all know others who are less savvy when it comes to recognizing these attacks, whether it be our parents, grandparents, teenagers, or friends. As the holiday season is particularly active, please take a moment to share the details of this attack with those who may need a reminder to be extra vigilant.