My day started rough.
It was 7 a.m., and I was just partially through my first cup of coffee, when I noticed a new message in my email inbox. It was from PayPal and the subject line said, “You’ve got a money request.”
And so began my first look at this three-pronged PayPal phishing scam.
The scam attempt
There’s nobody I know who would ask me for money through PayPal and reasonably expect to get it, especially without telling me ahead of time that they were invoicing me for something. I started to investigate the money request in my Gmail box.
In Gmail, you can right-click on the message sender before opening the message, in order to see the full email address.
The message was from PayPal, so I felt safe enough opening it. Once inside the message, I again looked at the sender, and it was still PayPal. The body of the message claimed to be from one Susan Bowman. Here, take a look at the message.
The mistaken “fraudulently” instead of “fraudulent” is one sign there. But the sentence that caught my attention was “You will be charged $699. 99 today.” Interestingly, there was a space between the period after $699 and the 99. Odd punctuation and spelling are often indicators of a scam message.
Another part of the message said, “Please call us as soon as possible at toll free number [REDACTED]. to cancel and claim a refund.” There was a period after the phone number, right in the middle of the sentence. Another important thing to note was that the idea of the message was to get me to call a number that I was supposed to think was PayPal, to stop the $699.99 from being sent out. Urgency is another common element of phishing scams.
The bottom of the message had a Pay Now button, and a PayPal transaction ID. I do a lot of coding using the PayPal API. It did, indeed, look like what a PayPal transaction ID normally looks like. As it turns out, it was an actual transaction ID that had been created in the actual PayPal system. More about that in a minute.
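Because the email really is a PayPal money request, checking the sender (the Gmail trick above) proves nothing; the only attacker-controlled part is the free-text note inside it. The Python script below is an added example, not code from the article or from PayPal, that scores a money-request note against the indicators just described: a phone number the recipient is told to call, urgency wording, a dollar amount with a space after the decimal point, a stray period after a number mid-sentence, and refund/cancel/charge wording inside what is actually a request for money. Both sample notes and the 555 phone number are constructed for the example; the misspelling "fraudulently" is deliberately reproduced but not scored, since that would need a dictionary.

```python
import re

# Constructed sample modelled on the indicators in the article (not the real message text).
# 1-800-555-0199 is a fictional placeholder number.
SAMPLE_NOTE = (
    "We detected a fraudulently transaction on your account. "
    "You will be charged $699. 99 today. Please call us as soon as possible "
    "at toll free number 1-800-555-0199. to cancel and claim a refund."
)

# Constructed control: what a legitimate money request from a friend might say.
BENIGN_NOTE = "Invoice for the 3 custom mugs we discussed. Thanks!"

URGENCY_WORDS = ("as soon as possible", "immediately", "today", "within 24 hours", "urgent")

# "call ... <phone number>": a verb telling the recipient to dial, followed within 60 chars by
# a digit string at least 9 characters long made of digits, spaces, dots, dashes or parentheses.
CALL_TO_PHONE = re.compile(r"\b(call|dial|contact)\b.{0,60}?(\+?\d[\d\s().-]{7,}\d)", re.I | re.S)

# "$699. 99": whitespace between the decimal point and the cents.
SPLIT_AMOUNT = re.compile(r"\$\s*\d[\d,]*\s*\.\s+\d{2}\b")

# "0199. to": a period directly after a number, then a lowercase continuation of the sentence.
ORPHAN_PERIOD = re.compile(r"\d\s*\.\s+[a-z]")

# A request FOR money that talks about refunds, cancelling or charges is self-contradictory.
DISPUTE_WORDS = re.compile(r"\b(refund|cancel|charged|unauthori[sz]ed)\b", re.I)


def analyze_money_request_note(note: str) -> dict:
    """Return a dict with the indicators found in a PayPal money-request note.

    Each heuristic contributes one point; two or more points flags the note as suspicious.
    This is a triage aid for the note text only; the sender address is not examined,
    because in this scam it is genuinely PayPal's.
    """
    findings = []

    m = CALL_TO_PHONE.search(note)
    if m:
        findings.append("asks recipient to call a phone number: " + m.group(2).strip())

    if SPLIT_AMOUNT.search(note):
        findings.append("dollar amount has a space after the decimal point")

    if ORPHAN_PERIOD.search(note):
        findings.append("stray period mid-sentence after a number")

    lowered = note.lower()
    urgency_hits = [w for w in URGENCY_WORDS if w in lowered]
    if urgency_hits:
        findings.append("urgency language: " + ", ".join(urgency_hits))

    if DISPUTE_WORDS.search(note):
        findings.append("refund/cancel/charge wording inside a request for money")

    return {"score": len(findings), "findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for label, text in (("scam sample", SAMPLE_NOTE), ("benign sample", BENIGN_NOTE)):
        result = analyze_money_request_note(text)
        print(f"{label}: score={result['score']} suspicious={result['suspicious']}")
        for f in result["findings"]:
            print("  -", f)
```

On the constructed scam note this reports all five indicators and flags the request; the benign note scores zero. The thresholds are deliberately simple so the logic is readable; in a mail filter you would tune the word lists and treat a phone-number instruction in a money request as the heaviest signal, since a legitimate requester has no reason to ask you to phone anyone to "cancel" a payment you never approved.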
Reaching out to PayPal
Rather than do anything with the message itself, I went to PayPal directly. I pointed my browser to PayPal.com and, after verifying my identity with two-factor authentication, logged in.
I scrolled down on the page, and there was, in fact, recent activity from Susan Bowman. The screenshot below shows the transaction as canceled, but when I first logged in, the activity item was listed as pending.
I clicked on the Help button at the top of the screen and scrolled down until I found the Contact Us option. I clicked on that, and after the usual hoop jumping, found myself talking to an agent in the company’s fraud operation.
I explained the situation. The agent knew exactly what I was calling about, and assured me that no money had been sent out. I was also guided through how to cancel this transaction.
If you click into a requested money transaction, there are two buttons that you can choose from. One is Send Money and the other is Cancel. Unfortunately, I didn’t capture a screenshot before I canceled. I was much more focused (remember, I was still on my first cuppa coffee) on canceling the transaction.
I clicked the Cancel button and the transaction was terminated. No money was lost. Then, I had a little chat with the PayPal agent and learned some things…
Anatomy of a three-pronged fraud attempt
This was a three-pronged fraud attempt, in that the attackers had three different ways to win.
As I suspected, and the agent confirmed, I was probably not personally targeted. Instead, my email address was one of thousands thrown against the wall to see what would stick.
While the email address used for this account wasn’t one of my most actively used accounts, my email addresses have been all over the Internet for decades, so they’re undoubtedly available to attackers.
Anyone can ask someone for money through PayPal. All they need to do is feed an email address into the PayPal interface and request money. It’s a big part of what PayPal does, and it’s a service that provides a lot of legitimate value to a lot of people.
Once that email address is fed in, PayPal does most of the work. This makes it pretty ideal for phishing attackers.
There are three ways this attack works:
Prong No. 1: Pay out through PayPal: The first prong of the attack was the request for $699.99. While it’s fairly unlikely that anyone who gets hit with this attack will click “Send Money,” all it takes is one or two people doing that to make the entire attack worthwhile from the scammer’s perspective. Don’t pay enough attention, click the wrong button, and whoosh! Money gone.
Prong No. 2: Pay out by dialing the digits: The PayPal agent told me that the second prong of the attack that often also provides value to the scammers is the phone number they ask you to call.
Depending on the scammer, the number itself may be billable. It’s called a “one-ring phone scam” and it works by spoofing numbers, possibly connecting you to an international number where you’re charged merely for connecting to the number.
Prong No. 3: Pay out by giving away too much personal info: The big score, I was told by the PayPal agent, is actually the third prong of the attack. That’s when somebody gets the email and calls the number they think is PayPal to prevent the payment.
It’s at this point that the scammers, pretending to be PayPal’s fraud department, start asking questions, and by the time they’re done, they’ve separated their victims from a treasure trove of personal identifying information, which can fuel additional attacks into the future and can even be sold to other scammers and criminals.
How to protect yourself
My biggest piece of advice is simple: Pay attention. Don’t go through your day just mindlessly clicking to get through your email. Be present and notice things.
Next, follow my advice about protecting yourself from credit card fraud and check your bank accounts and credit cards every week. Keep an active eye on your finances and you’ll be able to spot fraud attempts before it becomes too late to fix them.
As for PayPal, understand that PayPal will never send payment without your explicit OK. The one exception to this is if you sign up for a subscription or a recurring donation. But even then, PayPal won’t begin the process of sending money unless you have explicitly approved it.
Don’t click on links in suspicious email messages. Don’t call numbers that you can’t verify independently. Make sure your accounts all have two-factor authentication.
Always update your operating system and browser when prompted. That will help prevent zero-day attacks from taking hold of your machine.
And, finally, back up your devices. Follow my advice and institute a 3-2-1 backup strategy. That way, if you are hit by malware or some other attack, you can recover more quickly.
Good luck. Stay safe. Let us know if you have any other safety tips in the comments below.
You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.