Criminals are always trying to get their hands on your hard-earned cash, and their latest trick is a simple one—send a legitimate invoice through PayPal for a high-value item you haven’t bought. So how does this scam work? How do scammers do this using a real PayPal invoice?
PayPal Invoicing Gets Scammers Into Your Inbox
Traditionally, scammers and spammers have been relatively easy to spot. If they’re not flagged up by your email provider’s spam filters, there are details that give them away, if you know what to look for.
The emails are often spoofed—meaning that the email address in the “from” field isn’t genuine, and they sometimes come from lookalike domains. The language tends to be odd, and they’ll promise you love, riches beyond your wildest dreams, or the opportunity to help a temporarily impoverished former head of state. In almost every case, they’ll contain links which, if clicked, will either install malware on your computer or try to trick you into giving away your bank account details. They’re fake, and it’s easy to tell.
Invoices from PayPal are different. PayPal is a trusted organization, without which ecommerce would grind to a halt. Emails from PayPal will always reach your mailbox regardless of your provider. There’s no spoofing involved, and no dodgy links. It’s legit, and so it’s hard to tell that it’s a scam.
And anyone can create an invoice using PayPal. So that’s exactly what cybercriminals do.
Scammers Can Invoice You Via PayPal
Having cleared your spam filters and with no obvious giveaways that the invoice is a scam, you may end up with something like this in your inbox.
You’ll check that the outlinks are genuine and, feeling reassured, click on one to view the genuine PayPal invoice on the genuine PayPal website. There, you can either pay or cancel the invoice.
This invoice is for Bitcoin and purports to be from “Bitcoin Exchange”, but we’ve seen other spurious invoices for gift cards, and for charges made by PayPal itself. For scammers, the options are endless, and it’s entirely possible that some people or businesses will actually click on the Pay button.
How Do PayPal Invoices Work?
If you regularly use PayPal on your PC, you may have it set up so that you don’t even need to sign into your PayPal account—just click the big blue button, and, like magic, the required amount disappears from your PayPal balance, never to be seen again.
PayPal also helpfully provides a QR code for invoices. Not only can you be invoiced via email while on the go, but you can also directly access the invoice on your smartphone. Just point your camera at the blue square! Tiny writing on a 5-inch screen makes it even more likely that you’ll click the button. As the PayPal slogan makes clear, it’s simple: “Scan. Pay. Go.”
On this level, the scam is simple: get people to click a button, and receive a large amount of money in return.
How Do Scammers Use Fake PayPal Invoices?
Even if you don’t pay the invoice, the scammers have more tricks to ensnare you. The email also contains a message from the seller, which indicates that the payment has already been taken, and includes the text, “Do give us a Call [sic] for any dispute regarding the Payment and issue a Refund at [phone number]”.
Ignoring the random capitalization for the moment, it’s feasible that you might be worried enough to call the number, whereupon one of two things can happen.
The scammers may try to get more information out of you—either through a fraudulent identity verification process, or by asking for your bank details, ostensibly so they can issue a refund.
They may also try to persuade you to install a remote administration tool on your computer. You can probably guess who you’re handing control to…
As both the email and the invoice are genuinely from PayPal, it’s not impossible that some people will be fooled. Don’t be one of them.
Don’t Fall for the PayPal Invoice Scam
With no obvious clues that the invoice isn’t genuine, do your research before paying the invoice or calling the number.
The first thing you should ask yourself is whether you bought or tried to buy the item in question. If the answer is no—because spending $499.99 on crypto through your PayPal account is not something you would consider doing—it’s a scam.
You can also do some research on any contact details contained in the email and the invoice.
With our sample invoice, the supposed seller’s email address is firstname.lastname@example.org. The hosting domain is currently inactive, but a quick look on the Internet Archive Wayback Machine revealed it was previously a WordPress site hosting random Chinese code snippets and other scraped detritus from tutorials. In short, it does not inspire confidence that the seller is genuine.
Another clue is the phone number. Using a free research tool, we were able to ascertain that it was assigned the very day the email was sent, and we expect it will be reassigned shortly afterwards.
Simply searching for the number on Google can also reveal whether it has been used by scammers before.
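The checks above (did you actually buy the item, is the seller a merchant you know, does the seller note push you to phone a number about a “refund” or “dispute”) can be turned into a simple triage script. The following is an added example, not code from the original article or from PayPal: it parses a constructed invoice record, extracts any phone number from the seller note, and scores the indicators described in this article. The scoring weights, the `known_merchants` set, the `example-shop.com` merchant and the (555) phone number are all this example’s own assumptions.

```python
"""Triage heuristics for an unexpected PayPal invoice notification.

Added example; not the article's or PayPal's code. It scores a parsed
invoice against the indicators the article describes: an item you did
not order (crypto, gift cards, charges "from PayPal"), a seller note that
asks you to phone a number about a refund or dispute, and a seller
address on a domain you have never bought from.
"""
import re
from dataclasses import dataclass, field

# Indicator lists drawn from the article; the point weights are assumptions.
SUSPECT_ITEMS = ("bitcoin", "crypto", "gift card", "paypal")
PRESSURE_WORDS = ("refund", "dispute", "call", "already been", "charged")
# North-American style numbers, with or without a leading +1.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


@dataclass
class Invoice:
    seller_email: str
    item: str
    amount_usd: float
    note: str          # free-text "message from the seller" on the invoice


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    phone_numbers: list = field(default_factory=list)

    def flag(self, points, why):
        self.score += points
        self.reasons.append(why)


def seller_domain(addr):
    """Return the domain part of a seller address, or None if malformed."""
    m = EMAIL_RE.fullmatch(addr.strip())
    return m.group(1).lower() if m else None


def triage(inv, known_merchants=frozenset(), expected=False):
    """Score one invoice.

    `known_merchants` is the set of seller domains the recipient has really
    bought from; `expected` is the recipient's own answer to the article's
    first and decisive question, "did I buy or try to buy this?".
    """
    v = Verdict()
    if not expected:
        v.flag(3, "invoice is for something you did not buy")
    item = inv.item.lower()
    for word in SUSPECT_ITEMS:
        if word in item:
            v.flag(2, f"item category commonly used in invoice scams: {word!r}")
            break
    if inv.amount_usd >= 100:
        v.flag(1, f"high-value amount: ${inv.amount_usd:.2f}")
    dom = seller_domain(inv.seller_email)
    if dom is None:
        v.flag(1, "seller address is malformed")
    elif dom not in known_merchants:
        v.flag(2, f"seller domain {dom!r} is not a merchant you have dealt with")
    # Phone numbers are extracted from the raw note so the reader can look
    # them up; the wording checks run on a lowercased copy.
    v.phone_numbers = [m.group(0) for m in PHONE_RE.finditer(inv.note)]
    if v.phone_numbers:
        v.flag(2, "seller note asks you to phone a number")
    hits = [w for w in PRESSURE_WORDS if w in inv.note.lower()]
    if len(hits) >= 2:
        v.flag(2, f"refund/dispute pressure language in seller note: {hits}")
    return v


def is_likely_scam(v):
    """Threshold is an assumption: any unexpected invoice plus one more hit."""
    return v.score >= 6


# Constructed sample records. The seller address and amount mirror the
# article; the phone number is a fictional placeholder.
SCAM_INVOICE = Invoice(
    seller_email="firstname.lastname@example.org",
    item="Bitcoin Exchange - BTC purchase",
    amount_usd=499.99,
    note="Do give us a Call for any dispute regarding the Payment "
         "and issue a Refund at (555) 010-0199",
)
LEGIT_INVOICE = Invoice(
    seller_email="billing@example-shop.com",
    item="Desk lamp",
    amount_usd=34.50,
    note="Thanks for your order.",
)
KNOWN_MERCHANTS = frozenset({"example-shop.com"})

if __name__ == "__main__":
    for name, inv, expected in (("scam", SCAM_INVOICE, False),
                                ("legit", LEGIT_INVOICE, True)):
        v = triage(inv, KNOWN_MERCHANTS, expected)
        print(f"{name}: score={v.score} scam={is_likely_scam(v)}")
        for r in v.reasons:
            print("  -", r)
```

The decisive input is still the human one (`expected`): the script only makes the remaining indicators explicit so that a user or help desk can record why an invoice was cancelled rather than paid.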
How Did PayPal Scammers Get My Email Address?
Maybe you advertise your email address on your Facebook, Twitter, or a personal blog, and it was scraped from there.
It’s far more likely that your email address was disclosed in a data breach. Companies are hacked all the time, with customer information exfiltrated from their systems with alarming regularity. In the 2022 Samsung data breach, for instance, criminals managed to steal customers’ names, contact and demographic information, dates of birth, and product registration information—which may have included gender, precise geolocation data, Samsung Account profile ID, username, and more.
According to haveibeenpwned, the individual who provided the sample email to us has had their email address compromised in at least 10 different data breaches.
PayPal allows businesses to bulk invoice in batches of up to 1,000 at a time (of the same invoice) by uploading a CSV file. It would be easy for the would-be scammers to add a name (or username) to all the invoices, but they haven’t—meaning it’s probable that they don’t have the target’s name. The only known breach which revealed their personal email, but not name or username, was the 2015 Patreon hack.
How to Protect Against Fraudulent PayPal Invoices
PayPal provides a straightforward, common-sense guide to email scams; however, the invoicing con isn’t yet listed.
Here’s our advice:
- Don’t click through to invoices from links in an email—even if they’re genuine links. You can check PayPal invoices simply by logging into the service on a different tab or browser.
- Don’t pay an invoice unless you’re 100 percent certain what it’s for.
- Don’t call, email, or otherwise contact the “seller”.
- Keep your main email address private.
- Use email aliasing or an email protection service to give different email addresses to different companies.
- Check haveibeenpwned regularly to see if your personal details have been disclosed. If an email address is compromised, deactivate it.
PayPal Invoicing Scams Are Irritating and Dangerous
Opening an email to find a genuine PayPal invoice for something you didn’t buy is annoying at best, and at worst, can result in you losing money. Take care with your social media, your email accounts, and your internet security, so you can deprive criminals of the details they need to target you effectively.