Watch out for this triple-pronged PayPal phishing and fraud scam

We spotlight a nasty fraud attempt and show how you can protect yourself and your family.
Written by David Gewirtz, Senior Contributing Editor
Visualization of phishing as a hook through a red envelope

My day started rough. 

It was 7 a.m., and I was just partially through my first cup of coffee, when I noticed a new message in my email inbox. 

It was from PayPal and the subject line said, "You've got a money request."

And so began my first look at this three-pronged PayPal phishing scam.

The ask

email line saying You've got a money request
David Gewirtz/ZDNET

There's nobody I know who would ask me for money through PayPal and reasonably expect to get it, especially without telling me ahead of time that they were invoicing me for something. I started to investigate the money request in my Gmail box.

In Gmail, you can right-click on the message sender before opening the message, in order to see the full email address.

Open detailed view of sender
David Gewirtz/ZDNET

The message was from PayPal, so I felt safe enough opening it. Once inside the message, I again looked at the sender, and it was still PayPal. The body of the message claimed to be from one Susan Bowman. Here, take a look at the message.

Message beginning "We have detected some fraudulently activities with your PayPal account."
David Gewirtz/ZDNET

The mistaken "fraudulently" instead of "fraudulent" is one sign there. But the sentence that caught my attention was "You will be charged $699. 99 today." Interestingly, there was a space between the period after $699 and the 99. Odd punctuation and spelling are often indicators of a scam message.

Also: This phishing attack uses a countdown clock to panic you

Another part of the message said, "Please call us as soon as possible at toll free number [REDACTED]. to cancel and claim a refund." There was a period after the phone number, right in the middle of the sentence. Another important thing to note was that the idea of the message was to get me to call a number that I was supposed to think was PayPal, to stop the $699.99 from being sent out. Urgency is another common element of phishing scams.

The bottom of the message had a Pay Now button, and a PayPal transaction ID. I do a lot of coding using the PayPal API. It did, indeed, look like what a PayPal transaction ID normally looks like. As it turns out, it was an actual transaction ID that had been created in the actual PayPal system. More about that in a minute.

Payment request details
David Gewirtz/ZDNET

Reaching out to PayPal

Rather than do anything with the message itself, I went to PayPal directly. I pointed my browser to PayPal.com and, after verifying my identity with two-factor authentication, logged in.

I scrolled down on the page, and there was, in fact, recent activity from Susan Bowman. The screenshot below shows the transaction as canceled, but when I first logged in, the activity item was listed as pending.

Canceled - Request Received
David Gewirtz/ZDNET

I clicked on the Help button at the top of the screen and scrolled down until I found the Contact Us option. I clicked on that, and after the usual hoop jumping, found myself talking to an agent in the company's fraud operation.

The Help option at the top and the Contact us option at the bottom right
David Gewirtz/ZDNET

I explained the situation. The agent knew exactly what I was calling about, and assured me that no money had been sent out. I was also guided through how to cancel this transaction.

AlsoThis phishing scam starts with a fake invoice

If you click into a requested money transaction, there are two buttons that you can choose from. One is Send Money and the other is Cancel. Unfortunately, I didn't capture a screenshot before I canceled. I was much more focused (remember, I was still on my first cuppa coffee) on canceling the transaction. 

I clicked the Cancel button and the transaction was terminated. No money was lost. Then, I had a little chat with the PayPal agent and learned some things…

Anatomy of a three-pronged fraud attempt

This was a three-pronged fraud attempt, in that the attackers had three different ways to win. 

As I suspected, and the agent confirmed, I was probably not personally targeted. Instead, my email address was one of thousands thrown against the wall to see what would stick.

While the email address used for this account wasn't one of my most actively used accounts, my email addresses have been all over the Internet for decades, so they're undoubtedly available to attackers.

Also: Hackers commonly use these file types to hide malware

Anyone can ask someone for money through PayPal. All they need to do is feed an email address into the PayPal interface and request money. It's a big part of what PayPal does, and it's a service that provides a lot of legitimate value to a lot of people.

Once that email address is fed in, PayPal does most of the work. This makes it pretty ideal for phishing attackers.

There are three ways this attack works:

Prong No. 1: Pay out through PayPal: The first prong of the attack was the request for $699.99. While it's fairly unlikely that anyone who gets hit with this attack will click "Send Money," all it takes is one or two people doing that to make the entire attack worthwhile from the scammer's perspective. Don't pay enough attention, click the wrong button, and whoosh! Money gone.

Prong No. 2: Pay out by dialing the digits: The PayPal agent told me that the second prong of the attack that often also provides value to the scammers is the phone number they ask you to call.

Depending on the scammer, the number itself may be billable. It's called a "one-ring phone scam" and it works by spoofing numbers, possibly connecting you to an international number where you're charged merely for connecting to the number.

Prong No. 3: Pay out by giving away too much personal info: The big score, I was told by the PayPal agent, is actually the third prong of the attack. That's when somebody gets the email and calls the number they think is PayPal to prevent the payment.

It's at this point that the scammers, pretending to be PayPal's fraud department, start asking questions, and by the time they're done, they've separated their victims from a treasure trove of personal identifying information, which can fuel additional attacks into the future and can even be sold to other scammers and criminals.

How to protect yourself

My biggest piece of advice is simple: Pay attention. Don't go through your day just mindlessly clicking to get through your email. Be present and notice things.

Next, follow my advice about protecting yourself from credit card fraud and check your bank accounts and credit cards every week. Keep an active eye on your finances and you'll be able to spot fraud attempts before it becomes too late to fix them.

As for PayPal, understand that PayPal will never send payment without your explicit OK. The one exception to this is if you sign up for a subscription or a recurring donation. But even then, PayPal won't begin the process of sending money unless you have explicitly approved it.

Don't click on links in suspicious email messages. Don't call numbers that you can't verify independently. Make sure your accounts all have two-factor authentication.

Always update your operating system and browser when prompted. That will help prevent zero-day attacks from taking hold of your machine.

And, finally, back up your devices. Follow my advice and institute a 3-2-1 backup strategy. That way, if you are hit by malware or some other attack, you can recover more quickly.

Good luck. Stay safe. Let us know if you have any other safety tips in the comments below.

You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

Editorial standards