Do not pay, do not phone — PayPal attack warning
Updated October 26 with an official statement from PayPal regarding the do-not-pay, do-not-phone hack attack, as well as further advice on how to detect, deflect and deal with such threats.
Gmail users have been warned of a surge in image-based attacks, TikTok users are facing a VIP upgrade offer threat, and LastPass has urged users not to change their master passwords as a ‘you’ve been hacked’ email circulates. Now, security experts at KnowBe4 have issued a warning for PayPal users as cybercriminals use a genuine PayPal email address to send an invoice. PayPal itself has responded to this attack with a ‘do not pay, do not phone’ warning. Here’s everything you need to know about the latest scam, which could prove costly if you don’t follow the advice given.
PayPal Invoice Attack — What You Need To Know
The latest PayPal attack warning dropped into my email from the folks at KnowBe4 this week, alerting me to a scam that purports to be from PayPal and is even delivered from a genuine PayPal email address. “You receive an email from a real PayPal email address,” the email warned, which “contains an invoice for a large purchase you did not make, and a phone number for you to call if you want to dispute the charge.”
This may well sound familiar, not least because this type of TOAD attack is something I have detailed before. A Telephone-Oriented Attack Delivery threat usually contains a PDF invoice or other seemingly official document, along with messaging that uses urgency and fear of financial loss to persuade victims to call an adversary-controlled phone number. The email itself is merely the lure; the actual fraud happens on the phone.
Indeed, the actual PayPal version of the TOAD attack is not new either. I have warned again and again of the dangers of this scam. But nevertheless, it would appear, the very same attack is doing the rounds once more.
“Cybercriminals create a PayPal account and use it to send you a fake payment invoice,” KnowBe4 warned, “the email you receive is real, but the invoice is not, and if you call the phone number in the email, you will not be connected to PayPal’s support team.” Instead, you get through to a threat actor impersonating a PayPal support worker, whose aim is to relieve you of your credit card details under the pretext of issuing a ‘refund’, or even to charge you a fee to fix your supposedly ‘hacked’ account.
Scammers can “send fraudulent invoices, send fake messages using the involved messaging services, and even insert fake messages in the company’s ‘refund’ feature,” Roger Grimes, KnowBe4’s CISO advisor, said. “This particular scam, involving PayPal, has been around for many years as well. I’m not sure why PayPal isn’t better at detecting and blocking them,” Grimes concluded.
PayPal Responds To The Do Not Pay Attack Warning
Of course, it’s important to remember that such phishing attacks are not unique to PayPal, with many well-known brands targeted by attackers. Technical security protections won’t save you from this PayPal attack, because they cannot flag the email as fake: as far as its origin is concerned, it isn’t. You, as a human being, should be able to save yourself, because the hackers still have to phish you into calling. The advice is clear: anyone receiving an unexpected or suspicious invoice or payment request, whether it appears to be from PayPal or another service, should not pay it or respond to it. PayPal tells me it is responding to the continual evolution of scamming tactics and methods, taking all the necessary steps to protect customers. These include a combination of manual investigations and technology to prevent fraud, including proactive actions such as limiting scam accounts or declining risky transactions. But remember, be careful out there.
Furthermore, PayPal warns customers not to call any phone number, open any attachments or click on any links contained within “suspicious invoices or money request messages.”
Checking your PayPal account directly, by logging in through the app or by typing the address yourself rather than using any links in an email or document you have been sent, is highly recommended. If the suspicious transaction the message claims does not appear in your account, the invoice is not something you owe, and you can stop right there before going any further.
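The point above is that the email passes authentication because it really did come from PayPal, so the tell is in the content: a seller note carrying a phone number plus pressure language. As an added example (not from the article, KnowBe4 or PayPal), here is a small mail-triage heuristic over two constructed messages; the phone number, addresses and seller names are placeholders.

```python
import re
from email import message_from_string

# Constructed sample: invoice relayed by PayPal whose seller note carries an
# attacker-controlled callback number (placeholder) and pressure wording.
SAMPLE_SCAM = """\
From: PayPal <service@paypal.com>
To: victim@example.com
Subject: Invoice from Example Store (0001)
Authentication-Results: mx.example.com; dkim=pass header.d=paypal.com; spf=pass

Example Store sent you an invoice for $599.99.
Note from seller: Your purchase of a laptop has been processed.
If you did not authorize this charge, call +1-555-0100 within 24 hours
to cancel or your account will be charged.
"""

# Constructed sample: an ordinary invoice with a benign seller note.
SAMPLE_LEGIT = """\
From: PayPal <service@paypal.com>
To: victim@example.com
Subject: Invoice from Jane's Bakery (0042)
Authentication-Results: mx.example.com; dkim=pass header.d=paypal.com; spf=pass

Jane's Bakery sent you an invoice for $24.00.
Note from seller: Thanks for your order of two dozen cupcakes.
"""

PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")   # loose phone-number shape
URGENCY = ("within 24 hours", "immediately", "will be charged",
           "did not authorize", "unauthorized", "call")

def triage(raw):
    """Return a dict describing why a PayPal-originated invoice is (not) suspect."""
    msg = message_from_string(raw)
    auth = msg.get("Authentication-Results", "")
    genuine = "dkim=pass" in auth and "header.d=paypal.com" in auth
    body = msg.get_payload()
    phones = PHONE_RE.findall(body)
    urgency = [w for w in URGENCY if w in body.lower()]
    # A genuine origin does not clear the message: a callback number combined
    # with pressure language is the TOAD pattern, so verify in the app instead.
    verdict = "suspect" if phones and urgency else "ok"
    return {"genuine_origin": genuine, "phones": phones,
            "urgency": urgency, "verdict": verdict}
```

Such a check is a prompt to verify in the app, not a replacement for it: a note with no phone number can still be fraudulent.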
If you think you may have already been tricked into calling, and have shared any personal information or account details, then it’s of the utmost importance that you change your PayPal password immediately. If you use this password for any other accounts (and please, please, please do not do that, as it expands your attack surface enormously for obvious reasons), then you must change those as well. Just make sure to use something unique and strong. A password manager is your friend here, as it makes creating and using complex, random passwords, unique to each and every account and service, easy peasy. Enabling two-factor authentication shouldn’t be something that you need reminding of, but I will anyway: do it if you haven’t already. Better still, switch to using a passkey if the option is available. PayPal also advised that in such circumstances, customers should contact both PayPal itself and the financial institutions concerned.
Enable your PayPal passkey now.
PayPal has said that it partners with leading consumer protection institutions, such as the Better Business Bureau, American Association of Retired Persons, Federal Trade Commission and the Aspen Institute. PayPal has also launched a Smarter Than Scams campaign with the Financial Technology Association to raise awareness of the latest common fraud trends. I highly recommend taking a look at the PayPal anti-scam resources, even if you think you already know how to spot one.
I approached PayPal for a statement, and a spokesperson told me: “We do not tolerate fraudulent activity on our platform and our teams work tirelessly to protect our customers. We are aware of this phishing scam and encourage people to always be vigilant online and mindful of unexpected messages. If customers suspect they are a target of a scam, we recommend they contact Customer Support directly through the PayPal app or our Contact page for assistance.”
