A new PayPal email scam has been spotted and investigated by Bleeping Computer, a technology news site.
The scam’s aim is to trick users into allowing remote access to their computers, by sending fake purchase notifications.
What makes this scam stand out is that the scammers are using legitimate PayPal emails to do this, so it won’t be automatically caught by spam filters, and the normal trick of checking the “From” email address won’t work here.
How the scam works
This PayPal scam entails an email from PayPal being sent to you, letting you know that a new address has been added to your account.
The email also includes what claims to be a purchase confirmation for a MacBook M4, as well as a phone number to call if you did not authorise the purchase.
If a user calls the phone number provided in the email, they’ll get “PayPal support”, and then they’ll be connected with a “customer support person”, who in reality is just the scammer.
The scammer will try to scare the customer, by tricking them into thinking that their PayPal account has been hacked, and that the user needs to allow the scammer remote access to their computer so that the scammer can “restore access” to the hacked account.
Once scammers like this gain remote access to a customer’s computer, they can do various things, such as steal information from the computer, access bank accounts and steal money, or install malware on the computer.
How the email is sent from PayPal
It’s clear that, while the email is sent from PayPal, it contains information that tries to trick the customer; how is that possible?
Bleeping Computer thoroughly investigated this, to find out just how the scammers were able to send an email from the actual PayPal email address.
The scammer updated their “Gift Address” in their PayPal account. PayPal gift addresses don’t have a character limit, so the scammer was able to add an extra paragraph to the email, which includes the fake “Support” phone number.
If you look closely, you can see that the paragraph above the shipping address (as seen below) is spaced strangely, almost as if the paragraph is part of the address.
This is because it is! The scammer used the first line of the address to add the information about the MacBook M4 Max, as well as the fake support phone number. Then, they added that, along with the rest of the address to their PayPal account, and were sent a valid “Address Update” email.
The scammer’s email address automatically forwards to a mailing list, which includes the email addresses of their potential targets, so the targets receive the email from PayPal, as shown in the chart below:
Under normal circumstances, you’d see a header in a forwarded email indicating that it’s been forwarded. However, because this email was forwarded to a mailing list, it doesn’t have the same “forwarded” header, making it seem as if it was sent directly from PayPal to the target.
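The two traits described above, a message delivered to someone other than the address PayPal wrote to and a phone-call prompt sitting where an address line belongs, can be checked on the receiving side. The following is an added example, not code from PayPal or Bleeping Computer. It assumes the receiving mail server records the real recipient in a Delivered-To header, and the sender domain, addresses and phone number in the sample are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Heuristic patterns (assumptions; tune for your own mail flow).
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
CALL_PROMPT = re.compile(r"\b(call|contact|phone)\b", re.IGNORECASE)

def header_addrs(msg, *names):
    """Lower-cased addresses found in the named headers."""
    values = [v for n in names for v in msg.get_all(n, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def body_text(msg):
    """Concatenate all text parts, undoing base64/quoted-printable."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def triage(raw_message):
    """Return the reasons a notification deserves a closer look."""
    msg = message_from_string(raw_message)
    reasons = []
    # Trait 1: the receiving mailbox is not among the addresses the sender
    # wrote to. BCC and genuine lists also trigger this: a signal, not a verdict.
    delivered = header_addrs(msg, "Delivered-To")
    if delivered and not (delivered & header_addrs(msg, "To", "Cc")):
        reasons.append("recipient-mismatch")
    # Trait 2: a body line carries both a phone number and a prompt to call.
    lines = body_text(msg).splitlines()
    if any(PHONE.search(line) and CALL_PROMPT.search(line) for line in lines):
        reasons.append("phone-call-prompt")
    return reasons

def sample(delivered_to, address_line_1):
    """Build a constructed 'address added' notification for the demo."""
    return (f"From: service@paypal.example\nTo: holder@forwarder.example\n"
            f"Delivered-To: {delivered_to}\nSubject: You added a new address\n\n"
            f"You added a new address.\n{address_line_1}\n123 Example Street\n")

SCAM = sample("target@mail.example", "Your MacBook M4 purchase is confirmed. "
              "If you did not authorise it, call +1 (555) 010-0199")
BENIGN = sample("holder@forwarder.example", "Jane Doe")

if __name__ == "__main__":
    print(triage(SCAM), triage(BENIGN))
```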
How to avoid the scam
Once you know what to look for, the scam is pretty easy to spot.
To avoid falling victim to this, or similar scams, we always suggest that if you receive an email from a company, and you’re unsure if it’s valid, either log in to your account with that company, or contact them by going directly to their website.
By contacting the company directly, and not using any contact information provided in the suspicious email, you are much more likely to contact the real company, which will give you more trustworthy information.