Happy Halloween, Friends!
Over the past week, I've read about several people who have fallen victim to this Invoice Scam and paid over $4000 collectively.
Here is what you need to know:
What happens?
You receive an email containing an invoice that really does come from PayPal:
Why do people fall for this?
As always, the first thing to check with any email is the sender's email address.
In a blatant scam, the friendly name will usually be "PayPal," but if you hover over the sender's name or click on more info, the actual email address is revealed, which is typically some random @gmail.com address.
HOWEVER…
In this case, the sender's email address really is PayPal's!
It is not a spoofed or fake address: the message was generated and sent by PayPal's own invoicing system, so checking the sender alone will not catch it.
The email is formatted precisely like a standard PayPal invoice. It even carries the usual PayPal warning: "You don't have any payments with this seller in the last year."
What are the Red Flags?
The first Red Flag is the To field.
The TO field has been used as a "subject line," and when you expand it, it shows someone else's email address, not yours.
This means the email was sent to a large group of people, and you happened to be BCC'd (blind carbon copied) on it.
In other words, it was not sent just to you, which is NOT how the PayPal invoice system works.
The next Red Flag is this comment: "Don't recognize the seller? Please contact us immediately at +1(888) 316-0467. If you do not reach out, we will proceed with the transaction."
It looks official, but that is not PayPal's number. Notice where it sits: under the "Notes from Seller" section.
When you create an invoice in PayPal, there is a section where you, as the seller, can leave a comment for the recipient, such as "Thank you for your business," "See you again," or any other free-form text.
The scammers use this section to tell you to call them and to scare you into thinking the transaction will go ahead if you don't. An invoice is only a request for payment; nothing moves unless you pay it.
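The three checks described above (sender domain, whether you were BCC'd, and a "call us now" note from the seller), as an added example that is not part of the original post: a small Python script that applies them to a constructed message using only the standard library. The sample email, its addresses, invoice number and phone number are made up for illustration and are not the ones from the real scam.

```python
"""Heuristic checks for the PayPal invoice scam pattern.

Added example, not from the original post. Parses an RFC 5322 message
with the standard library and applies three checks:
  1. Is the sender domain exactly paypal.com?  (the scam passes this one)
  2. Is our own mailbox absent from To/Cc, i.e. were we BCC'd on a bulk send?
  3. Does the seller's free-text note carry a phone number plus urgency language?
"""
import re
from email import message_from_bytes, policy

# Constructed sample, modelled on the invoice described in the post.
# The 555 phone number, addresses and invoice number are placeholders.
SAMPLE_EML = b"""From: "PayPal" <service@paypal.com>
To: "Invoice from Online Store: #INV-2291" <victim.one@example.net>
Subject: Invoice from Online Store (#INV-2291)
Content-Type: text/plain; charset=utf-8

You don't have any payments with this seller in the last year.

Amount due: $489.00

Note from seller:
Don't recognize the seller? Please contact us immediately at +1(555) 010-0199.
If you do not reach out, we will proceed with the transaction.
"""

MY_ADDRESS = "me@example.org"  # the mailbox the message landed in (assumed)

# North American phone number, with optional +1, parentheses and separators.
PHONE_RE = re.compile(r"\+?1?\s*\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URGENCY_WORDS = ("immediately", "proceed with the transaction",
                 "within 24 hours", "will be charged")


def parse(raw: bytes):
    """Parse raw message bytes into an EmailMessage with structured headers."""
    return message_from_bytes(raw, policy=policy.default)


def sender_domain(msg) -> str:
    addrs = msg["From"].addresses if msg["From"] is not None else ()
    return addrs[0].domain.lower() if addrs else ""


def sender_is_paypal(msg) -> bool:
    # Exact match only: "paypal.com.example" or "paypa1.com" must not pass.
    return sender_domain(msg) == "paypal.com"


def visible_recipients(msg) -> list:
    """All addresses listed in To and Cc (BCC recipients never appear here)."""
    out = []
    for field in ("To", "Cc"):
        hdr = msg[field]
        if hdr is not None:
            out.extend(a.addr_spec.lower() for a in hdr.addresses)
    return out


def looks_bcc_bulk(msg, my_address: str) -> bool:
    """True when our own address is not in To/Cc, i.e. we were BCC'd."""
    return my_address.lower() not in visible_recipients(msg)


def seller_note(msg) -> str:
    """Return the free-text 'Note from seller' section, or '' if absent."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    m = re.search(r"Note from seller:\s*(.*)", body, re.S | re.I)
    return m.group(1).strip() if m else ""


def note_has_callback_lure(note: str) -> bool:
    """Phone number AND urgency wording together is the call-back lure."""
    has_phone = PHONE_RE.search(note) is not None
    has_urgency = any(w in note.lower() for w in URGENCY_WORDS)
    return has_phone and has_urgency


def assess(raw: bytes, my_address: str) -> dict:
    msg = parse(raw)
    flags = {
        "sender_is_paypal": sender_is_paypal(msg),
        "bcc_bulk_send": looks_bcc_bulk(msg, my_address),
        "callback_lure_in_note": note_has_callback_lure(seller_note(msg)),
    }
    # A genuine PayPal sender is necessary but not sufficient; the other two
    # flags are what actually separate this scam from a real invoice.
    flags["verdict"] = ("suspicious"
                        if flags["bcc_bulk_send"] or flags["callback_lure_in_note"]
                        else "no red flags")
    return flags


if __name__ == "__main__":
    for k, v in assess(SAMPLE_EML, MY_ADDRESS).items():
        print(f"{k}: {v}")
```

Note that the sample deliberately passes the sender check, exactly as the real scam does; the verdict comes from the BCC and the call-back note, which is why those are the red flags worth looking at.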
How is it being sent from PayPal?
Scammers create fake invoices on the PayPal system itself, hoping people will see an invoice from PayPal, view it, and make the payment.
They also hope you call their "support number" to report the scam, so that they can manipulate you into giving them access to your account. Don't underestimate their social engineering skills.
And they hope to reach enough people, and keep the amounts small enough, that the invoice gets paid instantly without anyone needing approval or authorization. This happens often.
This kind of scam works: a man was arrested after sending fake invoices to Facebook and Google, which paid out over $100 million!
Read that here: NPR – Man pleads guilty to phishing scheme
What should you do?
SIMPLE!
Don't click on the View Invoice button, and don't call the number in the note.
Just delete the email.
If you want to be sure, go to paypal.com yourself (not through any link in the email) and check your activity; an invoice you haven't paid has not taken anything from you.
Keep safe out there; happy Halloween!!!
CyberMaven