There’s a dangerous new PayPal scam making the rounds. This one almost got me — and I cover scams for a living.
It’s a phishing scam that baits customers with a real invoice sent directly from PayPal. That’s right, PayPal is enabling this ruse on its own site.
Phishing involves sending a message that pretends to be from a reputable company like PayPal. The email tries to get you to reveal your password. Once you do, the criminals go to work, clearing your PayPal account of money.
PayPal is a playground for scammers. The bad guys love to prey on gullible users by hacking into their accounts and emptying their bank accounts. Just this morning, I heard from a reader who lost more than $20,000 when someone accessed her PayPal account without permission and slowly drained it over several weeks.
When I see a notification from PayPal, I assume it’s a scam.
But the email I received earlier this week was different. It was a legitimate message from PayPal with a real invoice. I’ll tell you how I almost fell for it — and how you can avoid becoming a victim of this dangerous new PayPal scam.
Here’s the PayPal scam email
So what got me? It was the following scammy PayPal email:
Note from Billing Department of PayPal:
There is evidence that your PayPal account has been accessed unlawfully. $1,000. 00 has been debited to your account for the Walmart eGift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number [redacted] or visit the PayPal Support Center area for assistance. Our Service Hours: (06:00 a. m. to 06:00 p. m. Pacific Time, Monday through Friday)
Why did it look legit?
- It came directly from PayPal. (In Gmail, open the email, click "More" and then "Show original" to see the full source, including the Authentication-Results line that shows whether the SPF, DKIM and DMARC checks passed. In Yahoo Mail, hovering the cursor over the sender's name shows the actual "from" address, though a displayed "from" address on its own can be spoofed.)
- The invoice also showed up in my PayPal account when I logged in.
- When I called the redacted number, a “PayPal” representative answered the phone.
Panic — and a phone call
So the invoice is showing up in my PayPal account. Uh-oh. Did scammers gain access to my account?
A quick call would straighten this out.
I dialed the redacted phone number instead of looking up the PayPal number online (after all, the email came from PayPal, so why wouldn't I?).
Someone answered on the first ring.
“Hello, this is PayPal,” he said in a foreign accent.
“Hello?” I said.
Then I stopped to listen. The man appeared to be on a cell phone. I could hear background noise — cars and people talking. Obviously, I was not talking to PayPal.
I hung up.
Here’s what would have happened if I had stayed on the phone. The “representative” would have agreed that this was a scam and said I had a computer security problem. He would have asked me to download an app that records my keystrokes. Then he would have asked me to log in to my PayPal account.
After that, he would have harvested my password and helped himself to the money in my account, which he would have found disappointing because there’s nothing there.
Can PayPal help?
I called PayPal to find out what was happening. Had someone accessed my account? Did I need to file a report?
After a brief wait, a real PayPal representative answered all of my questions.
No one had accessed my account. It turns out any PayPal user can send another PayPal user an invoice. The genius of this scam is that they had used this legitimate tool — an invoicing system — to lure users into revealing their passwords.
And you could be next.
Why is this PayPal scam so convincing?
Here’s what makes the scam so effective.
The invoices are real
The bad guys had piggybacked on the system to make it look like an official billing notice from PayPal. Even the emails from PayPal were real.
The “support” is plausible
The bottom of the notification lists a number or tells you to go online. This is the brilliant part: If you go to your PayPal account, you’ll see the invoice. So if you want an immediate answer, you’ll call the redacted number for information — and get through to the scammer.
There are many ways to fall for it
Gullible PayPal customers like me could fall for it in any number of ways. First, I could pay the real invoice voluntarily. But then I could also discover the scam and call the fake PayPal number only to have my password stolen. How clever.
I did further research and discovered this phishing scam, also known as the PayPal invoice scam, dates back to 2020. What’s new? A few years ago, the scammers were billing for cryptocurrency. Now they were “charging” me for Walmart gift cards.
Here are the signs you’re about to fall for a PayPal invoice scam
Still, the scammers weren’t as smart as they thought. They left clues that they were up to no good.
Pay attention to grammar
When you get a “Note from Billing Department of PayPal” (no “the”) or they announce, “This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours” — well, that kind of tortured grammar can only mean one thing: You are not dealing with PayPal. English is not the first language of many of these scammers. If you read carefully, you can spot the criminals.
Listen before you speak
When you call PayPal, you'll be routed through an automated Interactive Voice Response (IVR) system. PayPal does not answer the phone on the first ring. You have to work your way through the menu options and then wait before getting to the right person. I recommend listening before speaking up and offering your personal information. You might save yourself a lot of money.
Mind the details
A careful reading of the notice will give away the criminal nature of the invoice. It's not addressed to me by name but to "Hello, PayPal User." Hmm, doesn't PayPal know who I am? And then there are little things, like the stray space after the decimal point in "$1,000. 00," that give away the fact that this invoice is not legit.
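The checks above can be turned into a small triage script. The following Python is an added example, not code from the article or from PayPal: it parses a constructed sample email modelled on the scam text, reads the receiving server's Authentication-Results header to confirm that SPF, DKIM and DMARC passed, and then flags the signals inside the body that the invoice sender controls (a generic greeting, the malformed "$1,000. 00" amount, a callback phone number, any link that does not point at paypal.com). The message text, the Authentication-Results line, the DKIM selector and the 1-800-555-0199 number are all invented for the example (555-01xx is a reserved fictional range). A second constructed message shows what a plain invoice with none of those signals looks like.

```python
"""Triage a 'PayPal invoice' email.

Added example, not code from the article or from PayPal. A real invoice
relayed by PayPal passes SPF/DKIM/DMARC, so 'show original' proving the mail
came from paypal.com says nothing about the note, amount or phone number
inside it: those are written by whoever sent the invoice.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample modelled on the scam text. The Authentication-Results
# line, selector and phone number are invented; this is not a real capture.
SCAM_INVOICE = b"""\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@paypal.com header.s=selector;
 spf=pass smtp.mailfrom=service@paypal.com;
 dmarc=pass header.from=paypal.com
From: service@paypal.com
To: victim@example.net
Subject: Invoice from Billing Department
Content-Type: text/plain; charset=utf-8

Hello, PayPal User

Note from Billing Department of PayPal:
There is evidence that your PayPal account has been accessed unlawfully.
$1,000. 00 has been debited to your account for the Walmart eGift Card
purchase. If you suspect you did not make this transaction, immediately
contact us at the toll-free number 1-800-555-0199.
"""

# Constructed benign invoice for comparison (sender and amount are made up).
CLEAN_INVOICE = b"""\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@paypal.com header.s=selector;
 spf=pass smtp.mailfrom=service@paypal.com;
 dmarc=pass header.from=paypal.com
From: service@paypal.com
To: victim@example.net
Subject: Invoice from Example Plumbing
Content-Type: text/plain; charset=utf-8

Hello Jane Doe,

Example Plumbing sent you an invoice for $150.00 for "Kitchen faucet repair".
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
# North American numbers such as 1-800-555-0199 or (800) 555-0199.
PHONE_RE = re.compile(r"(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}")
URL_RE = re.compile(r"https?://([\w.-]+)", re.I)
# "$1,000. 00": whitespace between the decimal point and the cents.
BAD_AMOUNT_RE = re.compile(r"\$\d[\d,]*\.\s+\d{2}")
GENERIC_GREETING_RE = re.compile(
    r"^\s*(hello|dear),?\s+paypal\s+(user|customer|member)", re.I | re.M)


def parse_message(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def auth_results(msg: EmailMessage) -> dict:
    """Return e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'} from the
    receiving MTA's Authentication-Results header(s)."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(hdr)):
            results[method.lower()] = verdict.lower()
    return results


def body_text(msg: EmailMessage) -> str:
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part else ""


def indicators(text: str) -> list:
    """Sender-controlled content that should never be trusted as PayPal's."""
    found = []
    if GENERIC_GREETING_RE.search(text):
        found.append("generic_greeting")
    if BAD_AMOUNT_RE.search(text):
        found.append("malformed_amount")
    if PHONE_RE.search(text):
        found.append("phone_in_body")
    for domain in URL_RE.findall(text):
        if not domain.lower().endswith("paypal.com"):
            found.append("external_link:" + domain)
    return found


def triage(raw: bytes) -> dict:
    msg = parse_message(raw)
    auth = auth_results(msg)
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    text = body_text(msg)
    flags = indicators(text)
    if not authenticated:
        verdict = "spoofed_or_unverified"      # ordinary phishing: headers fail
    elif flags:
        verdict = "real_mail_untrusted_content"  # PayPal relayed it; content is the sender's
    else:
        verdict = "verify_in_app"              # still confirm by logging in, never via the mail
    return {"authenticated": authenticated, "auth": auth, "indicators": flags,
            "untrusted_contacts": PHONE_RE.findall(text), "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("scam", SCAM_INVOICE), ("clean", CLEAN_INVOICE)):
        print(name, triage(raw))
```

Whatever the verdict, any phone number the script lists under untrusted_contacts came from the invoice note, not from PayPal; the only number worth dialling is the one you look up yourself on paypal.com.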
How does PayPal protect you against scams?
PayPal offers limited protection against scams under its PayPal Purchase Protection guarantee.
Here’s how it might have helped me if I had paid the fraudulent invoice:
Contact us if anything seems suspicious so we can help you protect yourself from fraudulent charges against your account. We’ll never ask for sensitive information in an email.
It’s good to know PayPal will never ask for sensitive information. But this promise is short on specifics.
Let’s see what else PayPal offers.
If you report an unauthorized transaction problem within 60 days from the transaction date, we’ll investigate right away. You aren’t liable for unauthorized purchases made from your account.
That sounds reassuring. But if you click on the “View and Pay Invoice” button, you are technically making a purchase — and that would probably not be covered under PayPal’s
You’re protected if you were charged for something you didn’t purchase
This may mean someone has used your PayPal account without your knowledge or approval. Report it within 60 days and PayPal will investigate. You will be covered by our $0 Liability for Eligible Unauthorized Transactions program.
OK, so what’s included? Or maybe we should just skip straight to the exclusions:
What’s not covered with PayPal Purchase Protection
- Real estate
- Motorized vehicles
- Custom-made goods that are significantly not as described
- Industrial machinery
- Prepaid cards
- Items that violate our policies
- Anything bought in person (not over the internet)
- Send Money transactions to friends or family
- Disputes filed more than 180 days after the purchase for item-not-received and significantly-not-as-described claims
- Unauthorized transaction claims reported more than 60 days after the date of the transaction
- Items that were described accurately by the seller
- Donations including payments on crowdfunding platforms
Ah, there you have it. Those Walmart gift cards aren’t covered by PayPal.
What does PayPal have to say about this invoice scam?
I had a lengthy conversation about this scam with a representative.
The representative said this scam started earlier this week and that PayPal has received many calls about it from concerned customers. She said to her knowledge, no one had fallen for it yet.
The company is working with law enforcement to find these scammers and stop them from continuing to send these emails to other PayPal customers. It appeared that they had made some progress in finding the identities of the scammers.
The PayPal rep told me that I was never in any danger of having my password stolen. I would have had to install the malicious app and then log in to my PayPal account for them to learn my password.
Did PayPal have anything to say on the record? I asked PayPal for an official statement. I wanted to know what they were doing about the scam and how many users it had affected.
PayPal did not respond.
How do I report a PayPal invoice scam?
If you receive an email that you believe is suspicious, here’s what to do:
DO NOT click on any links in the email
Scammers embed dangerous links within the body of emails. They can lead you to a site that downloads malware or harvests your personal information.
Contact PayPal and report any suspicious transactions
Log in to your PayPal account and report any suspicious transactions immediately. The sooner you report the problem, the better your chance of resolving it.
Forward the email to PayPal’s fraud department
Send the questionable email to [email protected]. That will alert the fraud department to the scam. The department promises to let you know if the email is real or fake but doesn't give a timeline.
I changed my password and updated some information on my account just to be safe. PayPal also removed the fake invoice from my account. It appears I narrowly escaped this PayPal scam.
But many others have been hurt by similar scams.
Scammed on PayPal? Here’s how to get money back
I hear from several PayPal users every day about questionable charges on their account. They’ve lost thousands — some, tens of thousands — of dollars to these scams. None have fallen for this PayPal invoice scam yet.
If you’ve been duped by one of these emails, here are your options:
Report it to PayPal immediately
The sooner you report it, the better your chance of recovering your money. My advocacy team and I have seen PayPal reverse transactions under its guarantee. Remember, under that program, you have 60 days to report a fraudulent transaction.
Go to the authorities
File a police report. This establishes a written record that a crime happened. PayPal has an entire global investigations team and a series of "robust tools and systems" to streamline law enforcement requests for information.
You have certain rights under Regulation E, a rule that protects Americans under the Electronic Fund Transfer Act. If that doesn’t work, you can file a complaint with the Consumer Financial Protection Bureau. PayPal is not a bank, and your deposits are not covered under the Federal Deposit Insurance Act. But it does provide financial services, over which the CFPB has regulatory authority.
Can you contact a consumer advocate if you’ve been scammed by PayPal?
We’ve received thousands of PayPal complaints here at Elliott Advocacy. They are some of the most difficult and complex cases. Often, they involve a third party and a dispute about a purchase. Sometimes, money disappears from accounts under mysterious circumstances. And occasionally, people try to scam PayPal and want to enlist our advocates to shame the company into giving them a refund.
PayPal has also told us flat-out that it won’t discuss certain cases with our team, such as when it disables accounts.
If you have a problem with PayPal, go through the complaint process on the site and appeal to regulators if it’s appropriate. Use our proven methods for resolving your dispute. Chances are, PayPal will not talk to us about your case, even if we ask politely.
What should PayPal do about this scam?
I can’t believe PayPal is giving scammers the tools to pull off this scam. But as the PayPal representative explained, any PayPal user can send another user an invoice. And apparently, those users can say whatever they want in the invoice — including adding threatening language and a bogus phone number that leads to a criminal who will try to steal your password.
How could PayPal allow this? Well, I think PayPal didn’t think it through. You’d think that a $25 billion company could at least try to stay a step ahead of the criminals. But it hasn’t.
PayPal needs to monitor its invoices more carefully. Regulation E caps a consumer's liability for unauthorized electronic fund transfers, and PayPal cannot contract around that protection in its terms and conditions. It does not, however, cover a payment you authorize yourself, which is why paying the fake invoice is the costliest mistake in this scam.
About the art
Artist Aren Elliott had a vision of PayPal founder Elon Musk going fishing as a team-building exercise at a convention. “He looks like he’s already caught a few phish — I mean, fish,” he says.