Given that we’re getting into peak retail season, you’ll find cybersecurity warnings with a “Black Friday” theme all over the internet…
…including, of course, right here on Naked Security!
As regular readers will know, however, we’re not terribly keen on online tips that are specific to Black Friday, because cybersecurity matters 365-and-a-quarter days a year.
Don’t take cybersecurity seriously only when it’s Thanksgiving, Hannukah, Kwanzaa, Christmas or any other gift-giving holiday, or only for the New Year Sales, the Spring Sales, the Summer sales or any other seasonal discount opportunity.
As we said when retail season kicked off earlier this month in many parts of the world:
The best reason for improving your cybersecurity in the leadup to Black Friday is that it means you will be improving your cybersecurity for the rest of the year, and will encourage you to keep on improving through 2023 and beyond.
Having said that, this article is about a PayPal-branded scam that was reported to us earlier this week by a regular reader who thought it would be worth warning others about, especially for those with PayPal accounts who may be more inclined to use them at this time of year than any other.
The good thing about this scam is that you should spot it for what it is: made-up nonsense.
The bad thing about this scam is that it’s astonishingly easy for criminals to set up, and it carefully avoids sending spoofed emails or tricking you to visit bogus websites, because the crooks use a PayPal service to generate their initial contact via official PayPal servers.
Here goes.
Spoofing explained
A spoofed email is one that insists it’s from a well-known company or domain, typically by putting a believable email address in the From: line, and by including logos, taglines or other contact details copied from the brand it’s trying to impersonate.
Remember that the name and email address shown in an email next to the word From are actually just part of the message itself, so the sender can put almost anything they like in there, regardless of where they really sent the message from.
A spoofed website is one that copies the look and feel of the real thing, often simply by ripping off the exact web content and images from the original site to make it look as pixel-perfect as possible.
Scam sites may also try to make the domain name that you see in the address bar look at least vaguely realistic, for example by putting the spoofed brand at the left-hand end of the web address, so that you might see something like paypal.com.bogus.example, in the hope that you won’t check the right-hand end of the name, which actually determines who owns the site.
Other scammers try to acquire lookalike names, for example by replacing W (one W-for-Whisky character) with VV (two V-for Victor characters), or by using I (writing an upper case I-for-India character) in place of l (a lower case L-for-Lima).
But spoofing tricks of this sort can often be spotted fairly easily, for example by:
- Learning how to examine the so-called headers of an email message, which shows which server a message actually came from, rather than the server that the sender claimed they sent it from.
- Setting up an email filter that automatically scans for scamminess in both the headers and the body of every email message that anyone tries to send you.
- Browsing via a network or endpoint firewall that blocks outbound web requests to fake sites and discards inbound web replies that include risky content.
- Using a password manager that ties usernames and passwords to specific websites, and thus can’t be fooled by fake content or lookalike names.
Email scammers therefore often go out of their way to ensure that their first contact with potential victims involves messages that really do come from genuine sites or online services, and that link to servers that really are run by those same legitimate sites…
…as long as the scammers can come up with some way of maintaining contact after that initial message, in order to keep the scam going.
Romance scammers, who try to lure victims into fake online relationships in order to sweet-talk them out of money, know this trick only too well. They typically start by making contact in a conventional way on a genuine dating site, using someone else’s photos and online identity. There, they charm their victims into leaving the comparative safety of the legitimate site and switching to an unsupervised one-to-one instant messaging service.
Original video here: https://www.youtube.com/watch?v=_nO77xWeO4o
Click the cog icon to speed up playback or show live subtitles.
Read a TRANSCRIPT of the video.
The “money request” scam
Here’s how the PayPal “money request” scam works:
- The scammer creates a PayPal account and uses PayPal’s “money request” service to send you an official PayPal email asking you to send them some funds. Friends can use this service as an informal but relatively safe way of splitting expenses after a night out, asking for help paying a bill, or even to get paid for small tasks such as cleaning, gardening, pet sitting, and so on.
- The scammer makes the request look like an existing charge for a genuine product or service, though not one you actually ordered, and probably for what looks like an unlikely or unreasonable price.
- The scammer adds a contact phone number into the message, apparently offering an easy way to cancel the payment request if you think it’s a scam.
So the email actually does originate from PayPal, giving it an air of authenticity, but entices you to react by phoning the crooks back, rather than by replying to the email itself.
Like this:
Given that you are quite well aware that the payment request was never authorised by you, you may well report it to PayPal…
…but it’s also tempting to phone the “business” that put through the request to tell them not to hit you up again next week or next month when their “records” show that the “bill” still hasn’t been paid.
After all, the phone call’s free (in the UK, as in many other countries, the -800- dialling code denotes a toll-free call), and if someone you know really has tried to buy some online cybersecurity software and charge it to your dime, why not try to get to the bottom of it and stop the “payment” getting through?
Of course, it’s all a pack of lies: there’s no anti-virus program; there was no purchase; and no one actually paid out £550 to anyone for anything.
The crooks have simply found a way to abuse PayPal’s free Money Request service to generate emails that really do come from PayPal, that include real PayPal links, and that use the message field in the request to give you an official-looking way to contact them directly…
…just like a romance scammer schmoozing you at arm’s length on a dating site, and then convincing you to switch over to messaging them directly, where the dating platform can no longer supervise or regulate your interactions.
What to do?
The quickest and easiest thing to do, of course, is nothing!
PayPal money requests are exactly what they say: a way for friends, family, someone, anyone, to invite you to send them money in a reasonably secure way.
They aren’t invoices; they aren’t payment demands; they’re not receipts; and they are unrelated to any existing purchase you did or didn’t make via PayPal or anywhere else.
If simply you do nothing, then nothing gets paid out and no one receives anything, so the scam fails.
We nevertheless recommend that you report bogus requests of this sort to PayPal, which will help to get the offending account closed down and to ensure that no one else either pays up through fear or calls the given phone number “just in case”. (You can visit PayPal’s Report potential fraud page for further information, or forward suspicious emails to phishing@paypal.com.)
Whatever you do, don’t send any money, and definitely don’t call the criminals back, because their true goal is to establish direct contact so they can start working you over to trick you into revealing personal information that could ultimately cost you a lot more than £549.67.
Should you tell the authorities?
Whether it’s during Black Friday season or at any other time of the year, we urge you to consider reporting scams of this sort to the relevant regulator or investigatory body in your country.
It might not feel as though you’re doing much to help, and you probably don’t have the time to report each and every one, but if sufficiently many people do provide some evidence to the authorities, there is a least a chance that they will do something about it.
On the other hand, if no one says anything, then nothing will or can be done.
Below, we’ve listed scam reporting links for various Anglophone countries:
AU: Scamwatch (Australian Competition and Consumer Commission)
https://www.scamwatch.gov.au/about-scamwatch/contact-us
CA: Canadian Anti-Fraud Centre
https://antifraudcentre-centreantifraude.ca/index-eng.htm
NZ: Consumer Protection (Ministry of Business, Innovation and Employment)
https://www.consumerprotection.govt.nz/general-help/scamwatch/scammed-take-action/
UK: ActionFraud (National Fraud and Cyber Crime Reporting Centre)
https://www.actionfraud.police.uk/
US: ReportFraud.ftc.gov (Federal Trade Commission)
https://reportfraud.ftc.gov/
ZA: Financial Intelligence Centre
https://www.fic.gov.za/Resources/Pages/ScamsAwareness.aspx
James Megna
It’s terrible how such an easy and handy feature can so easily get abused. Do you think that adding a layer of authentication between 2 parties would help prevent these scams? For example, you can’t send a money request to anyone’s email, you have to first request that they add you as a contact?
Peter
That’s actually quite clever and reminds me of the way, that Anti-Scam YouTuber Jim Browning lost his channel, which he also describes in his video: https://www.youtube.com/watch?v=YIWV5fSaUB8
Ralph
Do you think calling the number to mess with the scammers is a good idea? I myself enjoy a good scambaiting, but what’s your stance on the matter?
Paul Ducklin
I didn’t phone them even just to see what script they would follow… I was willing to “go on assumption”…
I generally recommend against scambaiting. I don’t have compelling moral qualms about doing it but it’s worth remembering that A) in at least some cases the scammers have more specific info about you than you might think (e.g. they may know where you live); B) they’re scofflaws and almost certainly have friends in low places; and C) when you respond in kind you don’t raise their standards but you do lower your own. (As my mum used to say, “If you lie down with dogs, you get up with fleas.”)
That’s my 2p.
Raffles
As a matter of interest I have never used PayPal since they indiscriminately blocked my account back around 2003. I had inadvertently set up the account while trying to buy something online or give a donation to someone, I don’t remember exactly. Over the years I tried to get it unblocked but to no avail as I could never reach a human being at PayPal. I live and work in Central and West Africa so trying to get them on the phone is not viable and when I have travelled to the Occident, I’ve had too many other priorities. Meanwhile they shot dozens of charities with PayPal only payment facilities in the foot to which I was unable to donate over the years. early this year I did manage to speak to a human ( a rare event on earth these days ) and I was told that I should set up a new account as the old one is permanently blocked. I just decided to let things be. If any person or company with whom I might be interested in doing business or charity relies only on PayPal, I will move on.
Paul Ducklin
As my colleague Chester quipped (only partly in jest) on a recent podcast when we were talking about crooks pretending to be mainstream online brands: “If you call the scammy number back and a human answers in any vaguely reasonable time… it’s a scam.”
PeterinFtL
Should that really be phishing[@]aypal[.]com? Just asking…
Paul Ducklin
Aaaargh, that’s a mistake… will fix it, thanks!
Raffles
Thanks for publishing my comment above even though it is a bit off topic. To make amends I will add this input from my experiences. Most often, scammers don’t know your real name, so they will address you as the handle of your email address. Many spam emails just have a bit.ly or nam.safelinks link on which to click. I never click on them. There are websites that you can use to test the link without harmful consequences. Because I don’t use them every day I don’t remember their URLs offhand. I’ve spotted when my friends and associates have been hacked quite easily including emails supposedly coming from my banks made to imitate the bank itself. If in doubt, call the person or institution. Leave it to the professionals to call scammers and give them a run for their money.
Wilbur
Scammers can send real phony invoices (is that an oxymoron?) through PayPal demanding payment on receipt. In April 2022 I received a Paypal invoice email, subject “Invoice from [redacted] (5235)”. The body of the invoice said “[redacted] sent you an invoice for $188.34 USD Due on receipt”. There was a “View and Pay Invoice” button.
There was a “Note from [redacted]” saying:
“Thank you for using pay pal. $188. 34 has been successfully send to patric smith. Same amount has been debited from your bank account . We are there to help you 24×7. If you want to cancel this payment calls us immediately at +1(805) 283-0373”
I had no idea who [redacted] was and was puzzled by the “Pay Now” button when they said they already debited my checking account. Thinking this was a spoof email I immediately used my browser’s saved bookmark and signed in to PayPal for verification. But I found the invoice had actually been sent by PayPal; it was not a spoof email. However, PayPal provided a handy button to “Cancel this invoice”… which I promptly clicked. A little later I got a copy of a PayPal email telling [redacted] that I had cancelled their invoice. Nothing further was heard from the incident.
My PayPal transactions are limited enough that an outlier like this stands out; I rarely get invoices since my main use of PayPal is paying shopping cart checkouts. But I’m sure there are plenty of people who could get sucked in to clicking the “Pay Now” button. One of the problems with PayPal is the recipient of the money is frequently shown by a different name than the original purchase business location. This is particularly true on eBay, where the “Sold By” name is frequently different than the recipient’s identity.
I did report the phony invoice to PayPal but I have no idea what, if any, action they took.
Paul Ducklin
I *think* that in this case they are using the “money request” system because the barrier to entry (as far as I am aware – I am not a PayPal user myself, so I don’t have an account to use to look around the “business offerings”) is lower than the “PayPal Invoice” system, so although the messaging is a bit less compelling, it’s still a message from PayPal.
Or perhaps the crooks found that their callback rate was in fact higher if they kept to the less formal approach?
PeterinFtL
The reason for “just asking…” is that the aypal[.]com address actually maps to an IP…
Paul Ducklin
It’s one of those domain parking/”do you want to buy this” companies…
…I’ve fixed the typo now, thanks for taking the trouble to point it out.
PeterinFtL
Thirty-plus years ago I was the DTP guy (among other roles) for a University of Oxford research unit. Every so often seventeen pairs of eyes belonging to some seriously smart people (along with mine) would proofread the latest publication to go to the printers, and *still* there would be typos, so don’t feel too bad :)
Paul Ducklin
The bigger the typeface, the bolder the style, the better-known the word, the more eye-blastingly obvious the blunder…
…even then, you can’t be sure you’ll spot it.
(At least there is the comfort of Muphry’s Law, which says that anyone who decides to carp about a typo or a grammo… will inevitably make either or both of those mistakes in their belittlement. “Hoist by they’re own pretard”, you might say.)
PeterinFtL
What can I say in my defence/defense? Old habits die hard. At least back then I was _paid_ to nitpick…
Scott
I received two of these requests today. I refused the payment, blocked the sender and phoned Paypal to report them they apologised and said they have already opened an investigation.
Paul Ducklin
Nicely done. A good outcome from a bad starting point.
It might be a good idea for PayPal to add some explanatory text into the emails they generate to make it clear that the message is a *request*, not an invoice or a payment that has already gone through, and that if you don’t want to send the requester money you can simply do nothing… no matter what the message part says. Maybe they could even set the requester’s message in a box saying, “This is simply what the other person typed in. If you have any questions about it, contact us, and not any phone numbers or other details in the message”…
As it is, the message can easily be crafted to look as though it is part of PayPal’s boilerplate, not merely “reference text” from the other end.
BTW, I am wondering if that weird phone number with an @ sign at the start was crafted to bypass scam detection checks that PayPal already has in place?
frustrated buyer
I got a request and called PayPal from my online account and the guy was telling me to log on to www.teamviewer to give him access to remove the scammer from logging in. I really didn’t trust this at all. Hung up, he called me back from a different number in FL. I just kept saying I was uncomfortable doing that to which he replied that he then couldn’t stop the transaction. Since I called the 800 number off the actual PayPal website I’m very concerned about all this. Ugh. nevertheless, I did cancel the “request” for the payment of $549.77 requested by Robyn Contreras at Intruder Software LLC. I did not, nor would not order this. Double UGH!!! This was a good article to confirm my suspicions but still concerned over my call used the number from the PayPal account.
Paul Ducklin
PayPal wouldn’t ask you to given them access via Teamviewer, and they wouldn’t say they couldn’t cancel a transaction that was only a request, because nothing would have gone through yet to cancel….
…so it sounds as though you didn’t get hold of PayPal after all. (You mention that “he called you back from Florida”, which PayPal wouldn’t do either.)
Anyway, if you didn’t agree to the “money request”, no one got anything, so it sounds as though you ultimately did the right thing.
Yasmin Foster
Thank you for this article. Just got a Money Request for £877 for a MacBook Air from some random person and was wondering what the hell was going on. Stumbled a little bit at first, because I had recently ordered an Ipad Air, but that was already paid for (and not for an amount in the £800s) and that confused me a little. Luckly I found this article before I did anything.
On the Request information you have a button to “Cancel” next to the “Send Payment” button. Do you recommend pressing that Cancel button insted of just ignoring it and letting that request sit there and taunt you? Just a little nervous interacting at all with this scammy-request.
Paul Ducklin
Hmmm… that’s a $64,000 question! To click the [Cancel] button on a scammy request (which should not, by rights, have been delivered to you at all) or to let it ride?
I am not a PayPal user so I can’t picture the user interface and what the various buttons are supposed to do…
…but if you are checking up on the request *having logged into PayPal via a link of your own that you trust* (i.e. you haven’t relied on anything in the email itself, even if you are as good as certain it really came from PayPal) then I can’t see what harm [Cancel] would do, given that I assume it would scrub the request from your pending list right away and thus get it out of your digital life. I guess it depends on what reaction the [Cancel] button triggers for the sender, and whether you think that matters.
For example, if pressing [Cancel] sends a message to the sender to say “The recipient says NO!”, while ignoring it reveals nothing, you need to decide which outcome suits you best… like getting a bogus phone call. Do you reject the call as quickly as you can, which sends one sort of signal, or let it ring out, which sort of tells the caller nothing?
I *think* I would go for [Cancel] just so the unwanted money demand wasn’t sitting there any longer (you can’t later accidentally approve a request that isn’t there), but as mentioned above I have no experience as a PayPal user… any other readers care to advise?
cloth ears
Received one of these today, still not sure if I should click cancel or just leave it sitting there annoying me forever. Although if you report it to paypal I expect they will cancel and remove it from your dashboard eventually anyway.
Reported to phishing@paypal.com and report@phishing.gov.uk in any case.
Paul Ducklin
As you say, I assume there’s some sort of timeout on PayPal’s side. But I have no idea what it might be… three days? A week?
Any PP users with any experience of “just leaving these sitting”?
Gavin
I received one of these money requests today via email. I immediately logged onto PayPal using my “Favourites” link and noticed the “request” and immediately panicked. I contacted PayPal and eventually got to speak to someone who talked me through cancelling (It would never have been paid unless I had authorised). My only concern is the Cancel and Pay buttons are side by side and there is the risk of an accidental mouse click while hovering over the pay to get to the cancel.
I was then instructed to forward the email to phishing@paypal.com
Paul Ducklin
Does clicking [Pay] take effect instantly? Is it really a one-click trick to approve a payout of several hundred pounds or dollars?
If so then a bit more “friction” would seem like a good idea…
Sheila
I got two of these requests for payment today, for £600 each to pay for Waitrose goods. I don’t shop there yet was puzzled by the genuine emails from PayPal. I logged into my account and was shocked to find these two requests listed there as pending. I had the option to cancel or pay them. It’s horrible to think these scammers are getting so close to our accounts. Always think twice before clicking on any link
Tori
I received one of these emails today too. First reaction….panic. I forwarded it to phishing@paypal.com, declined the transaction and changed my password. Finally was able to talk to someone at PayPal who said I did the right things. Only wrong thing I did was call the number in the email but I didn’t give them any info….red flags were going up very soon in the conversation and I hung up. This is the first time I ever got an email like this. Way to send a person into panic. Darn scammers.
Paul Ducklin
If I may ask, what road was the phone call going down? Were they after passwords? Were they after your credit card number? Or did they seem keen for you to install some “remote help” program so they could login to your computer? (Or did you hang up before they got that far, which is a good thing to do BTW?)
Anyway, sounds as though you handled it just fine. “Don’t try/Don’t buy/Don’t reply”.
Lesley
You can cancel the requests rather than do nothing
Anonymous
Thanks for explaining. I’ve gotten two of these today. What confused me was that my email noted that the messages were from a trusted sender, i.e. actually Paypal. I reported them as phishing anyway. If Paypal can’t keep a better lid on this sort of thing, maybe it doesn’t deserve to be a trusted sender.
Victoria Dann
Hmmmm. Last week I received a message from Paypal about an “ unauthorized transaction. ” It was a payment request for $547 from someone I’d never heard of, without any detail of what the money was for. I was advised to report it to the Resolution Center. Tonight, I was informed on the official site that the case had been closed in favor of the “seller” based on my “history.”
I am baffled by this odd turn of events, as I always believed PayPal protected us from scams.
Victoria Dan
I just wanna thank everyone when I finally read the comments before mine it made my situation more clear. I resolved the issue with PayPa, once I finally reached a live person! Apparently when you file a complaint they’re so automated that they only consider the most recent transaction (which was legitimate) and not a separate money request. In any event I wish they were more clear about how they do things on PayPal. But thanks to everybody on this page, after I stopped panicking… I canceled the money request. And now PayPal will put an alert on this person in their fraud department. But I couldn’t have done it without everybody on this page. So once again thank you very much!
Paul Ducklin
Glad you found this page and the response of the community useful!
As explained in the article, a PayPal “money request” is literally what it says – a way for someone to invite you to send them money if you want… a digital version of going round to your folks’ place and trying to wheedle your Dad into lending you £20 to the end of the week. (Wouldn’t go very far these days, but you get the idea.)
Where PayPal went wrong, in my opinion, was giving the sender of the request far too much visual control over what the final email *that PayPal itself sends out* looks like, and by not making it absolutely clear in the email that it really is a *request* and not a *transaction*, no matter what the sender tries to say. PayPal didn’t make it obvious, in my mind at least, that if you ignore it then nothing will happen, so there is nothing to “cancel” and no need at all to contact the sender to “resolve” anything.
Let’s hope they fix this so that the requester’s own text isn’t featured front and centre, thus dominating the overall message, and so that the message contains a clear explanation that is obviously the official advice you should read first.
Given that the look-and-feel (what the jargon calls “the user experience” or “the workflow”) is entirely under PayPal’s control, this should surely be trivial to do.
Perhaps these messages have been altered for greater clarity already… anyone care to comment on that?
Kate
I got an email from PayPal today about a money request,
Amount requested
$578.99 USD
Note from Gina Reyn:
Don’t Recognize the Seller? Call PayPal at +1 888-721-9726 This request is for your Network Security
I figured the email was fake so I went to my account (not clicking the email) and was surprised to see “pending -$578.99 to Gina Reyn.” These money REQUESTS need to be made much clearer. My mother would have fallen for this and her heart is already not good. It took me quite a few minutes to realize I could decline. The DECLINE button should be much more visible, and the email should be much clearer that this is not a “done deal” transaction.