There is an interesting email going round:
Here's your estimate
Billing department of paypal sent you an estimate for £555.00 GBP.
View Your Estimate
Seller note to customer
According to the information, your PayPal account may have been illegally accessed. GBP 555. 00 has been deducted from your account to cover the cost of E GIFT CARD. This transaction will appear on the Payment activity page in the amount that was automatically deducted after 24 hours. If you think you did not make this transaction, call us right away at +44 808 196 3320, or visit the PayPal Support Center for assistance. Our Business Hours: (06:00 a. m. to 09:00 p. m. , MONDAY through SUNDAY)
Don't know this seller?
You can safely ignore this estimate if you're not buying anything from this seller. PayPal won't ask you to call or send texts to phone numbers in an estimate. We don't ask for your credentials or auto-debit money from your account against any estimates. Contact us if you're still not sure.
So some of this is a real message from PayPal and some of it is not.
The email consists of different sections and we believe that the 'Seller note to customer' is being used as a scam. This is written by a dodgy fake seller that is trying to get you to defraud yourself by phoning up their fake +44 808 196 3320 number which is a scammer centre in Asia somewhere. We know because we spoke to them and they spoke with some clarity as to the kind of people they really are.
The biggest part of the problem with this scam is its authenticity. Because it exploits a loophole in the systems and security at PayPal, it is extremely believable. The message arrives from firstname.lastname@example.org, as you can see above, and the link is to a genuine PayPal URL: https://www.paypal.com/invoice/s/estimate/buyerview/EST-P5U8-CPQN-QUQJ-2QVG which once again is extremely believable. The webpage is, after all, a PayPal page, with an estimate for Anni Walker (email@example.com) for an e-gift card for £555:
And there is a new clone with a slightly different set of details, still to Anni Walker:
With a link through to here: https://www.paypal.com/invoice/s/pay/INV2-UBJD-9U66-N4S9-KLX9
Which has the same type of invoice to the same name but this time to email address firstname.lastname@example.org instead of email@example.com.
As you can see, the invoice is badly written: 'paypal' is not capitalised, 'deliver' is not in the past tense, and once again it carries a fake call centre number, +44 808 196 3198.
Billing department Of paypal
Invoice no 0186
Issued : 1 Nov 2022
Due : 1 Nov 2022
9122136170REFERENCE NUMBER: STRT 76HT SETF 49FR Amount: GBP 899.00 Note: Your IPHONE 14 PRO MAX, which may be used for online purchases, will be deliver to "firstname.lastname@example.org." Customer Support: +44 808 196 3198
Seller note to customer
According to the details you provided, your PayPal account may have been illegally accessed by some one. GBP 899.00 has been charged from your paypal account to cover the cost of IPHONE 14 PRO MAX. This reference number will appear on the activity page in the amount that will be deducted after 48 hours. If you have any dispute on this transaction, reach us immediately at +44 808 196 3198, or reach us at PayPal Support Center for any assistance. Our Business Hours: (06:00 a.m. to 8:00 p.m. , monday to friday)
This leads us to believe that the whole invoice is written by the scammers, as PayPal usually capitalise both letters P in their name and would certainly not issue an invoice number of 0186. Why the email address has become an @paypla.com instead of @gmail.com we are not sure, but presumably this is not an invoice email generated by a PayPal employee, as it carries the same scammer phone number as the previous scam email.
Looking at the invoice online...
You are expected to accept the estimate which may be another way to be defrauded in this situation, but we didn't actually try that after we had spoken to the seller.
The important part of this message is undoubtedly:
Don't know this seller?
You can safely ignore this invoice if you're not buying anything from this seller. PayPal won't ask you to call or send texts to phone numbers in an invoice. We don't ask for your credentials or auto-debit money from your account against any invoices. Contact us if you're still not sure.
The phone number takes you through to a fake PayPal call centre: the number is forwarded across the internet somewhere by VoIP (Voice over Internet Protocol) so that they can feign a UK office. This scam is designed exclusively for the UK, yet the email arrives from paypal.com rather than paypal.co.uk.
You can hear our exchange here (not for minors):
So as we said, the most important thing to take away from this is that the note at the bottom described as 'Seller note to customer' is just that: a note written by a seller (anyone with a PayPal seller account) that has nothing to do with PayPal themselves, even though it arrives from their email address and points at their website. Bear that in mind. People can use services within PayPal as a means of phishing attack, so it is always important to read every part of the message before any action is taken. This one was so good that even we were panicked for a few minutes, so do not be ashamed if you are taken in by these people. Just get onto PayPal and get your money back. PayPal can hardly disclaim responsibility, as the email comes from them! This email was received at our PayPal account on Office 365, for goodness' sake!
They are taking action, but in our opinion it is not quite enough:
They need to block phone numbers and email addresses in outgoing seller communications and block certain keywords or phrases so that messages like this cannot go out again.
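As an added example (not from the original post and not anything PayPal publishes), here is the kind of seller-note screening the paragraph above asks for: a Python check that flags a phone number combined with refund-scam wording in the note text. The phone pattern and phrase list are assumptions of ours; the two sample notes are copied from the scam emails quoted above, and the benign note is constructed.

```python
import re

# Heuristic UK phone pattern (assumed, not a PayPal rule): matches
# "+44 808 196 3320" and common spaced or hyphenated variants.
PHONE_RE = re.compile(r"(?:\+44|0)\s?\d{3,4}[\s-]?\d{3}[\s-]?\d{3,4}")

# Wording typical of the "your account was accessed, call us" seller notes.
SUSPECT_PHRASES = [
    "illegally accessed",
    "call us",
    "reach us",
    "has been deducted",
    "has been charged",
    "customer support",
    "business hours",
]

# Sample notes: NOTE_A and NOTE_B are the two seller notes quoted on this
# page; BENIGN is a constructed, legitimate-looking note.
NOTE_A = ("According to the information, your PayPal account may have been "
          "illegally accessed. GBP 555. 00 has been deducted from your account "
          "to cover the cost of E GIFT CARD. If you think you did not make this "
          "transaction, call us right away at +44 808 196 3320. "
          "Our Business Hours: (06:00 a. m. to 09:00 p. m.)")
NOTE_B = ("According to the details you provided, your PayPal account may have "
          "been illegally accessed by some one. GBP 899.00 has been charged from "
          "your paypal account to cover the cost of IPHONE 14 PRO MAX. If you "
          "have any dispute on this transaction, reach us immediately at "
          "+44 808 196 3198. Our Business Hours: (06:00 a.m. to 8:00 p.m.)")
BENIGN = "Thank you for your order. The gift card code will be emailed within 24 hours."


def analyse_seller_note(note: str) -> dict:
    """Return the phone numbers and suspect phrases found, plus a verdict."""
    phones = [m.group(0) for m in PHONE_RE.finditer(note)]
    lowered = note.lower()
    hits = [p for p in SUSPECT_PHRASES if p in lowered]
    # A phone number inside a seller note is the strongest single signal:
    # PayPal's own footer says it never asks you to call a number in an
    # invoice. Urgency wording alone is weaker, so it only triggers review.
    if phones and hits:
        verdict = "block"
    elif phones or len(hits) >= 2:
        verdict = "review"
    else:
        verdict = "allow"
    return {"phones": phones, "phrases": hits, "verdict": verdict}
```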
Another question is where they got our paypal email address from. How did they know which address to send it to? Our address is not publicly associated with PayPal so how did they know to send it to that address? Does the fraudulent PayPal seller account have access to an address book on PayPal?
Either way, the whole of this needs to be taken very seriously at PayPal, and we will keep you updated with any communications we receive regarding this.
We did receive a message after forwarding this to email@example.com:
Sent: 29 October 2022 13:21
To: sircles.net Ltd
Subject: Thank you for your submission ZACVL (KMM140925395V46022L0KM)
Dear sircles.net Ltd,
Thanks for your submission.
We're continuously working to counteract fraud, including phishing emails, websites, and text messages.
We work with law enforcement around the world to stop online criminals.
If you disclosed any financial or personal data, or entered your details on a suspicious website:
• Change your PayPal password immediately.
• Contact your bank and let them know what happened.
• Review your recent PayPal payments. Report any unauthorized payments in the Resolution Center.
Please don't reply to this email. This mailbox isn't monitored. For assistance, visit our Help page.
These invoices do seem to have been removed as of the evening of Tuesday the 1st of September:
So that is a positive. Hopefully PayPal are now on top of this scam and we shall see no more scammer invoices. It is a surprisingly large leak in their security, and one we would have thought would be shut down and made impossible much more quickly.