Beware of this three-pronged PayPal fraud and phishing scam

Beware of this three-pronged PayPal fraud and phishing scam

Visualization of phishing in the form of a fish hook through a red envelope


ZDNET Recommended

My day started off rough.

It was 7am and I was only halfway through my first cup of coffee when I noticed a new message in my inbox. It was from PayPal and the subject line said, “You have a money request.”

And so began my first look at this three-pronged PayPal phishing scam.

The scam attempt

line of email indicating you have a request for money

David Gewirtz/ZDNET

I don’t know anyone who would ask me for money through PayPal and reasonably expect to get it, especially without telling me in advance that they were charging me something. I started investigating the request for money in my Gmail box.

In Gmail, you can right-click the message sender before opening the message, to see the full email address.

Open sender detail view

David Gewirtz/ZDNET

The message was from PayPal, so I felt safe enough to open it. Once inside the message, I looked at the sender again, and it was still PayPal. The body of the message claimed to be from a certain Susan Bowman. Here, look at the message.

Beginning of message

David Gewirtz/ZDNET

The error “fraudulently” instead of “fraudulently” is a sign of this. But the sentence that caught my attention was “You will be charged $699.99 today.” Interestingly, there was a gap between the period after $699 and the 99. Strange punctuation and spelling are often indicators of a fraudulent message.

Also: This phishing attack uses a countdown timer to freak you out

Another part of the message read: “Please call us as soon as possible at the toll-free number [REDACTED]. to cancel and request a refund. “There was a period after the phone number, right in the middle of the sentence. Another important thing to note was that the idea of ​​the message was to have me call a number I was supposed to be thinking PayPal, to prevent sending the $699.99 Urgency is another common element of phishing scams.

The bottom of the message featured a Pay Now button and a PayPal transaction ID. I do a lot of coding using the PayPal API. It indeed looked like what a PayPal transaction ID normally looks like. It turned out to be an actual transaction ID that was created in the current PayPal system. More on that in a minute.

Payment request details

David Gewirtz/ZDNET

Contact PayPal

Rather than do anything with the message itself, I went straight to PayPal. I pointed my browser to and, after verifying my identity with two-factor authentication, I logged in.

I scrolled down the page and there was, in fact, recent activity by Susan Bowman. The screenshot below shows the transaction as canceled, but when I first logged in, the activity item was listed as pending.

Canceled - Request received

David Gewirtz/ZDNET

I clicked the Help button at the top of the screen and scrolled down until I found the Contact Us option. I clicked on it, and after the usual hoop jump, I found myself talking to an agent about the company’s fraud operation.

The Help option at the top and the Contact Us option at the bottom right

David Gewirtz/ZDNET

I explained the situation. The agent knew exactly why I was calling and assured me that no money had been sent. I was also guided on how to cancel this transaction.

Also: This phishing scam starts with a fake invoice

If you click on a requested money transaction, there are two buttons to choose from. One is Send Money and the other is Cancel. Unfortunately, I didn’t take a screenshot before canceling. I was much more focused (remember, I was still on my first cup of coffee) on canceling the trade.

I clicked the cancel button and the transaction was aborted. No money was lost. Then I had a little chat with the PayPal agent and learned some things…

Anatomy of a three-pronged fraud attempt

This was a three-pronged fraud attempt, in that the attackers had three different ways to win.

As I suspected, and the agent confirmed, I was probably not personally targeted. Instead, my email address was one of thousands thrown against the wall to see what would be left.

Although the email address used for this account is not one of my most actively used accounts, my email addresses have been all over the internet for decades, so they are definitely available to attackers.

Also: Hackers commonly use these types of files to hide malware

Anyone can request money from anyone through PayPal. All they have to do is provide an email address to the PayPal interface and request the money. That’s a big part of what PayPal does, and it’s a service that offers a lot of legitimate value to a lot of people.

Once this email address is entered, PayPal does most of the work. This makes it quite ideal for phishing attackers.

This attack works in three ways:

Prong No. 1: Pay via PayPal: The first part of the attack was the request for $699.99. While it’s fairly unlikely that anyone who gets hit by this attack will click “Send Money”, it only takes one or two people to make the whole attack worth the while. crook’s point of view. Don’t pay enough attention, click the wrong button and whoosh! The money has disappeared.

Section 2: Pay by dialing the numbers: The PayPal agent told me that the second part of the attack that often also provides value to scammers is the phone number they ask you to call.

Depending on the scammer, the number itself may be billable. It’s called a “one-ring phone scam” and it works by spoofing numbers, eventually connecting you to an international number where you are only charged for connecting to the number.

Part 3: paying by giving too much personal information: The big score, the PayPal agent told me, is actually the third part of the attack. That’s when someone receives the email and calls the number they think is PayPal to stop the payment.

It’s at this point that the scammers, pretending to be PayPal’s fraud department, start asking questions, and by the time they’re done, they’ve separated their victims from a treasure trove of personally identifying information, which can fuel additional attacks in the future and can even be sold to other scammers and criminals.

How to protect yourself

My biggest piece of advice is simple: be careful. Don’t spend your day mindlessly clicking to get to your email. Be present and notice things.

Then follow my advice to protect yourself against credit card fraud and check your bank accounts and credit cards weekly. Keep an active eye on your finances and you can spot fraud attempts before it’s too late to fix them.

As for PayPal, know that PayPal will never send payment without your explicit agreement. The only exception to this is if you sign up for a recurring subscription or donation. But even then, PayPal won’t start the process of sending money unless you explicitly approve it.

Do not click on links in suspicious emails. Do not call numbers that you cannot independently verify. Make sure your accounts all have two-factor authentication.

Always update your operating system and browser when prompted. This will help prevent zero-day attacks from taking over your machine.

And, finally, back up your devices. Take my advice and implement a 3-2-1 backup strategy. That way, if you’re hit by malware or another attack, you can recover faster.

Good luck. Be careful. Let us know if you have any other safety tips in the comments below.

You can follow updates of my day-to-day projects on social networks. Be sure to follow me on Twitter at @DavidGewirtzon Facebook at, on Instagram at and on YouTube at

#Beware #threepronged #PayPal #fraud #phishing #scam

Leave a Comment

Your email address will not be published. Required fields are marked *