Copyright Forbes

The PayPal fake invoice attacks continue.

It has been less than a week since I reported an ongoing attack involving fake PayPal invoices that the online money giant itself warned users, “do not pay, do not phone.” Now, a similar, but not quite as convincing, new attack using fake PayPal invoices has been confirmed by security experts. Here’s everything you need to know.

PayPal Users Must Stay Alert As New Invoice Attack Campaign Confirmed

Previously, I reported how cybercriminals were using a variation of what is known as a TOAD attack to target PayPal users with fake invoices. “You receive an email from a real PayPal email address,” security analysts at KnowBe4 warned, which “contains an invoice for a large purchase you did not make, and a phone number for you to call if you want to dispute the charge.” Such Telephone-Oriented Attack Delivery threats almost always contain a PDF document of some kind, such as the invoice in this case, along with urgency and fear-of-financial-loss messaging. What made this one rather more sophisticated than most such scams was that the attackers were sending the invoices from a genuine PayPal account email. “The email you receive is real,” KnowBe4 said, “but the invoice is not, and if you call the phone number in the email, you will not be connected to PayPal's support team,” but rather to a fraudster after anything from your credit card details or PayPal account credentials to just a good old-fashioned cash payment.

The latest fake PayPal invoice attack is a lot less convincing. It happened to land in the email inbox of an employee of a security vendor, as Pieter Arntz, a malware intelligence researcher at Malwarebytes, has confirmed.
It is worth reporting on, Arntz warned, “because it looks like it was sent out in bulk.”

Firstly, the email isn’t sent from a PayPal address at all, but from a random Gmail account instead. That’s the kind of red flag nobody should ignore, especially as it will be flapping around in your face at quite an alarming rate. The second is that the email went out to a BCC list, that is, as a blind carbon copy to hundreds of others at the same time. PayPal would never send an invoice in such a manner, obviously. However, using a genuine Gmail address does, Arntz said, mean that “the authentication results (SPF, DKIM, and DMARC) all pass,” but that “only proves the email wasn’t spoofed and was sent from a legitimate Gmail server, not that it’s actually from PayPal.” The red flags continue: the email body was blank, with only the invoice attachment. PayPal would never send an invoice or any communication like this. Still, if the attachment were opened it would follow the standard TOAD process: “Your account has been billed $823.00. The payment will be processed in the next 24 hours. Didn’t make this purchase? Contact PayPal Support right now.”

PayPal Takes Note Of The Evolution Of Scamming Tactics And Responds Accordingly

PayPal has said that anyone receiving an unexpected or suspicious invoice or payment request, whether it appears to be from PayPal or another service, should not pay it or respond to it. PayPal also said it is responding to the continual evolution of scamming tactics and methods, taking all the necessary steps to protect customers: measures such as manual investigations and technology to prevent fraud, and proactive actions such as limiting scam accounts and declining risky transactions. “We do not tolerate fraudulent activity on our platform, and our teams work tirelessly to protect our customers.
We are aware of this phishing scam and encourage people to always be vigilant online and mindful of unexpected messages,” a PayPal spokesperson said. “If customers suspect they are a target of a scam, we recommend they contact Customer Support directly through the PayPal app or our Contact page for assistance.”
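The point Arntz makes about authentication results is worth turning into a concrete mail-filter check: SPF, DKIM and DMARC passing for gmail.com proves only that Gmail sent the message, not that PayPal did. The following Python script is an added example, not code from Arntz, Malwarebytes, PayPal or this article. It applies the red flags described above (brand named in the sender or subject but not in the sending domain, authentication passing only for a non-brand domain, undisclosed or BCC-style recipients, and a blank body with nothing but a PDF attachment) to two constructed messages built inline. The function and constant names (triage_invoice_email, parse_auth_results, BRAND_DOMAINS), the sample headers and addresses, and the two-flag quarantine threshold are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumption for this example: the impersonated brand and the domains it really sends from.
BRAND = "paypal"
BRAND_DOMAINS = {"paypal.com"}

# One Authentication-Results segment looks like 'dkim=pass header.d=gmail.com'.
AUTH_METHOD_RE = re.compile(r"\s*(spf|dkim|dmarc)=(\w+)", re.I)
AUTH_DOMAIN_RE = re.compile(
    r"(?:header\.d|header\.from|smtp\.mailfrom)=(?:[\w.+-]+@)?([\w.-]+)", re.I)


def parse_auth_results(value: str) -> dict:
    """Return {method: (result, domain)} from an Authentication-Results header value.

    The first ';'-separated segment is the authserv-id; each later segment carries one
    method result plus the domain that result actually applies to.
    """
    results = {}
    for segment in value.split(";")[1:]:
        m = AUTH_METHOD_RE.match(segment)
        if not m:
            continue
        d = AUTH_DOMAIN_RE.search(segment)
        results[m.group(1).lower()] = (m.group(2).lower(), d.group(1).lower() if d else None)
    return results


def is_brand_domain(domain: str) -> bool:
    return any(domain == b or domain.endswith("." + b) for b in BRAND_DOMAINS)


def triage_invoice_email(raw: str) -> dict:
    """Apply the red-flag checks from the article to one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    flags = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", ""))
    claims_brand = BRAND in f"{display_name} {subject}".lower()

    # Red flag 1: the mail names the brand but comes from a consumer mailbox domain.
    if claims_brand and not is_brand_domain(from_domain):
        flags.append("brand_claimed_from_non_brand_domain")

    # Red flag 2: SPF/DKIM/DMARC all pass, but only for the sending domain (e.g. gmail.com),
    # which says nothing about the brand named in the message.
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    all_pass = all(auth.get(m, ("none", None))[0] == "pass" for m in ("spf", "dkim", "dmarc"))
    authed_domains = {d for _, d in auth.values() if d}
    if claims_brand and all_pass and not any(is_brand_domain(d) for d in authed_domains):
        flags.append("authenticated_but_not_for_brand_domain")

    # Red flag 3: bulk BCC send, visible as no recipients or an empty 'undisclosed' group.
    to_value = str(msg.get("To", "")).strip()
    if not to_value or "undisclosed" in to_value.lower() or to_value.endswith(":;"):
        flags.append("bulk_bcc_recipients")

    # Red flag 4: blank body carrying only a PDF "invoice" attachment.
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body is not None else ""
    pdfs = [p.get_filename() for p in msg.iter_attachments()
            if p.get_content_type() == "application/pdf"]
    if not body_text and pdfs:
        flags.append("empty_body_pdf_only")

    # Threshold is an assumption: two or more flags is enough to hold the message.
    verdict = "quarantine" if len(flags) >= 2 else ("review" if flags else "pass")
    return {"from_domain": from_domain, "auth": auth, "pdf_attachments": pdfs,
            "flags": flags, "verdict": verdict}


# Constructed sample resembling the bulk invoice mail described in the article.
SCAM_SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=random.sender123@gmail.com;
 dkim=pass header.d=gmail.com;
 dmarc=pass header.from=gmail.com
From: "PayPal Billing" <random.sender123@gmail.com>
To: undisclosed-recipients:;
Subject: Invoice from PayPal
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed sample of a message that authenticates for the brand's own domain.
LEGIT_SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=service@paypal.com;
 dkim=pass header.d=paypal.com;
 dmarc=pass header.from=paypal.com
From: "PayPal" <service@paypal.com>
To: alice@example.org
Subject: Your receipt
Content-Type: text/plain; charset="utf-8"

Thanks for your payment.
"""

if __name__ == "__main__":
    for name, sample in (("scam", SCAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, triage_invoice_email(sample))
```

The key design point is the second check: a passing DKIM result is attributed to the header.d domain, and a passing DMARC result to the From domain, so the script compares those authenticated domains against the brand the message claims to be from rather than treating "all pass" as trustworthy on its own.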