PayPal, an American fintech company, has seen its users targeted by a fake-invoice attack run by cybercriminals. This comes days after PayPal sealed a partnership with OpenAI to expand payments and commerce directly within the ChatGPT platform by 2026.
According to a Forbes report, which cited an alert from security experts at KnowBe4, cybercriminals are using a variation of what is known as a TOAD attack to target PayPal users with fake invoices.
In the fraudulent activity, the perpetrators send an invoice or money request through a PayPal email, but the invoice itself is a dummy. The security firm added that the invoice lists products or services the user never ordered, which is a red flag users can rely on to stay alert.
“You receive an email from a real PayPal email address which contains an invoice for a large purchase you did not make, and a phone number for you to call if you want to dispute the charge,” security analysts at KnowBe4 warned.

A Telephone-Oriented Attack Delivery (TOAD) threat usually contains a PDF invoice or other seemingly official document, along with messaging that uses urgency and fear of financial loss to persuade victims to call an adversary-controlled phone number. Reports cited that the attack had been running for a week at the time of writing.
Interestingly, KnowBe4 pointed out that what made this attack more concerning is that the attackers were sending the invoices from a genuine PayPal account email. While the email is real, the invoice is a scam orchestrated by cybercriminals who are only after credit card details.
“The email you receive is real, but the invoice is not, and if you call the phone number in the email, you will not be connected to PayPal’s support team, but rather a fraudster after anything from your credit card details, PayPal account credentials or just a good old-fashioned cash payment,” it said.
It further noted that the email body was blank, containing only the invoice attachment. Experts cited this as another red flag, because PayPal would never send an invoice or any other communication in that manner.
Opening the attachment reveals the standard TOAD script: “Your account has been billed $823.00. The payment will be processed in the next 24 hours. Didn’t make this purchase? Contact PayPal Support right now.”

Pieter Arntz, a malware intelligence researcher at security vendor Malwarebytes, who received the email himself, said it appeared to have been sent out in bulk.
According to him, some of the emails were not sent from a PayPal address at all but from a random Gmail account instead, which is another red flag nobody should ignore. Another is that the email went out to a BCC (blind carbon copy) list, that is, to hundreds of other recipients at the same time.
Notably, he pointed out that PayPal would never send an invoice in such a manner.
PayPal’s response
The development shows the lengths to which fraudsters go to scam unsuspecting users, using a variety of strategies.
Earlier in the week, PayPal issued a “Do not pay, Do not Phone” warning to the general public in response to the ongoing attack. It noted that anyone receiving an unexpected or suspicious invoice or payment request, whether it appears to be from PayPal or another service, should not pay it or respond to it.
The company also said it is responding to the continual evolution of scamming tactics and methods and taking all the necessary steps to protect customers, including manual investigations, fraud-prevention technology, and proactive actions such as limiting scam accounts and declining risky transactions.
“We do not tolerate fraudulent activity on our platform, and our teams work tirelessly to protect our customers. We are aware of this phishing scam and encourage people to always be vigilant online and mindful of unexpected messages,” it said.
The company urged customers to report any unwarranted invoices or money requests by logging into their account via the web or the app.
To report a suspicious email or website, users can forward it to [email protected]. After sending the email, users are advised to delete it from their inboxes.
How to stay safe: tips from PayPal
In a move to protect customers, the fintech company published tips to help users stay alert and avoid falling victim. The company noted that invoice and money request scams can take several forms:
- Receiving an invoice or money request through PayPal, but for a product/service never ordered.
- Receiving an invoice or money request through PayPal containing an alarmist note. The note may ask users to call a fake customer service number in the hope that the scammers can obtain personal or financial details over the phone.
- Receiving a fake invoice or money request by email, designed to look like a real PayPal email. Users are advised to never click any links or call any phone numbers in a suspicious email.
To recap: when you receive a suspicious invoice or money request, don’t pay it. Don’t call any phone number in the invoice note or open suspicious URLs. Also, never send money to a cryptocurrency wallet mentioned in an invoice or money request.
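As an added example (not code from the article, KnowBe4, Malwarebytes or PayPal), the following Python heuristic checks a parsed email and its extracted invoice note for the red flags the article describes: a sender outside paypal.com, BCC-style delivery with no To header, a blank body carrying only an attachment, and a phone number plus urgency wording in the note. The PayPal domain list, the sample messages and the phone number are assumptions or constructed test data, and PDF-to-text extraction of the note is assumed to have been done elsewhere.

```python
import re
from email.message import EmailMessage

# Assumption (not from the article): only this domain is treated as PayPal-owned.
PAYPAL_DOMAINS = {"paypal.com"}
PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Urgency wording taken from the invoice note quoted in the article.
URGENCY = ("right now", "24 hours", "didn't make this purchase", "contact paypal support")

def invoice_note_flags(note):
    """Red flags in the invoice note text (PDF-to-text extraction assumed done elsewhere)."""
    text = note.replace("\u2019", "'").lower()
    flags = []
    if PHONE_RE.search(text):
        flags.append("phone-number-in-note")
    if any(p in text for p in URGENCY):
        flags.append("urgency-wording")
    return flags

def email_red_flags(msg, my_address, note_text=""):
    """Return the TOAD red flags for one parsed message plus its extracted note."""
    flags = []
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if not m or m.group(1).lower() not in PAYPAL_DOMAINS:
        flags.append("sender-not-paypal")        # the random-Gmail variant
    if my_address.lower() not in (msg.get("To") or "").lower():
        flags.append("bulk-bcc-delivery")        # recipient hidden in a BCC list
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body else ""
    if not text and any(True for _ in msg.iter_attachments()):
        flags.append("blank-body-with-attachment")
    flags.extend(invoice_note_flags(text + "\n" + note_text))
    return flags

def build_sample(sender, to, body, attach_pdf):
    """Build a constructed sample message (test data, not a real PayPal email)."""
    msg = EmailMessage()
    msg["From"] = sender
    if to:
        msg["To"] = to
    msg.set_content(body)
    if attach_pdf:  # placeholder bytes stand in for the real invoice PDF
        msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                           subtype="pdf", filename="invoice.pdf")
    return msg

# Constructed note mirroring the wording quoted in the article; the phone number is fictional.
SCAM_NOTE = ("Your account has been billed $823.00. The payment will be processed in the next "
             "24 hours. Didn't make this purchase? Contact PayPal Support right now: (800) 555-0199")
```

Because the genuine-sender variant passes the domain check, the useful signal comes from the remaining flags, which is why the heuristic reports all of them rather than stopping at the first.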