Scammers are always looking for new ways to steal your personal details or money, and over the past few months they have been abusing PayPal's invoice system to create convincing phishing messages.

How Does the Scam Work?

PayPal allows sellers to create invoices, which are then sent to a customer's PayPal account to request payment for a product or service. However, PayPal doesn't seem to do much to check whether an invoice is legitimate before delivering it. Recently, scammers have been using invoices to trick people into sending money to accounts they control. It's not clear when this method became popular, but there are reports going back to 2020 and earlier.

The scam involves sending a PayPal user an email, telling them to pay for something. The email I received identified the sender as the "Billing Department of PayPal," with a message saying "$1,000.00 has been debited to your account for the Walmart eGift Card purchase" and that I should contact a phone number for customer support. Another version identified by the Virginia Commonwealth University asked for $450 for "BITCOIN CRPTO," with a different phone number listed.

[Screenshot of the scam email, which reads: "There is evidence that your PayPal account has been accessed unlawfully. $1,000.00 has been debited to your account for the Walmart eGift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number +1 [redacted] or visit the PayPal Support Center area for assistance. Our Service Hours: (06:00 a.m. to 06:00 p.m. Pacific Time)"]

The only elements common to all the messages are "Here's your invoice" or "Invoice updated" at the top and a button that says "View and Pay Invoice." Unfortunately, those also appear in legitimate invoices from actual businesses. Because PayPal itself generates the notification, the emails are sent from the same "service@paypal.com" address as other account notifications, so checking the sender address does not reveal the scam.
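Since the sender address and the invoice boilerplate look the same for real and fraudulent invoices, the useful signals are in the seller's note itself. The script below is an added illustration, not code from the article or from PayPal: it runs a few content heuristics drawn from the messages described above (account-compromise urgency, a claim that money was already "debited", gift card or crypto line items, a note that impersonates PayPal, and a phone number to call) over two constructed sample notifications, and shows that a header check alone passes both of them.

```python
import re

# Two constructed sample notifications (not real emails). Both carry PayPal's
# real service address, mirroring what the article describes; the phone number
# is a fictitious 555 number.
SAMPLES = {
    "scam": {
        "from": "service@paypal.com",
        "subject": "Invoice updated",
        "body": (
            "Billing Department of PayPal\n"
            "There is evidence that your PayPal account has been accessed unlawfully. "
            "$1,000.00 has been debited to your account for the Walmart eGift Card purchase. "
            "If you suspect you did not make this transaction, immediately contact us at "
            "the toll-free number +1 555-0100.\n"
            "View and Pay Invoice"
        ),
    },
    "legit": {
        "from": "service@paypal.com",
        "subject": "Here's your invoice",
        "body": (
            "Acme Web Design sent you an invoice for $450.00 for website redesign, "
            "due May 30.\nView and Pay Invoice"
        ),
    },
}

# Red flags taken from the scam notes quoted in the article. The generic invoice
# wording ("Here's your invoice", "View and Pay Invoice") is deliberately not
# scored, because real invoices contain it too.
URGENCY = ("unlawfully", "immediately", "unauthorized", "suspicious")
ALREADY_TAKEN = ("debited", "deducted", "charged")
ITEMS = ("gift card", "egift", "bitcoin", "crypto", "crpto")
IMPERSONATION = ("billing department of paypal", "paypal support")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
CALL_RE = re.compile(r"\b(call|contact|phone|toll-free)\b", re.I)


def sender_is_paypal(msg):
    """Header-only check. It is true for both samples, so it cannot tell them apart."""
    return msg["from"].lower() == "service@paypal.com"


def score_invoice(msg):
    """Return (score, reasons) based on the content of the seller's note."""
    text = msg["subject"].lower() + "\n" + msg["body"].lower()
    reasons = []
    if any(t in text for t in URGENCY):
        reasons.append("urgency / account-compromise language")
    if any(t in text for t in ALREADY_TAKEN):
        reasons.append("claims money was already taken (an invoice is a request, not a charge)")
    if any(t in text for t in ITEMS):
        reasons.append("gift card or crypto line item")
    if any(t in text for t in IMPERSONATION):
        reasons.append("seller note impersonates PayPal itself")
    if PHONE_RE.search(text) and CALL_RE.search(text):
        reasons.append("asks you to call a phone number instead of using paypal.com")
    return len(reasons), reasons


def triage(msg):
    """Two or more red flags: treat as a likely scam; otherwise verify on paypal.com."""
    score, _ = score_invoice(msg)
    return "likely scam" if score >= 2 else "review on paypal.com"


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        score, reasons = score_invoice(msg)
        print(f"{name}: sender ok={sender_is_paypal(msg)} score={score} -> {triage(msg)}")
        for r in reasons:
            print("   -", r)
```

The threshold and keyword lists are illustrative; the point is that the decision has to rest on what the note says and on whether you actually bought anything, not on who the email appears to come from.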

How to Avoid the Scam

The easiest way to defeat this specific attack is to not pay any invoice for a product or service you didn't purchase. Keep in mind that invoices are different from purchase notifications: an invoice is only a request for money, but if PayPal sent you a confirmation email for an item you didn't buy, someone may actually have taken over your PayPal account, and you should contact PayPal customer support right away.

Generally speaking, if you receive a suspicious email or message about PayPal payments, go directly to paypal.com (or the iPhone and Android apps) instead of clicking any links in the message. The Activity page on your PayPal profile shows any recent payments or requests, and you can check for open invoices there by clicking Status > Invoices to pay.

Hopefully, PayPal will crack down on invoice abuse, so this won't be a common occurrence anymore. PayPal isn't alone, either -- the popular money transfer service Zelle is also a frequent target for scammers.