November 27, 2022
Given that we’re getting into peak retail season, you’ll find cybersecurity warnings with a “Black Friday” theme all over the internet… …including, of course, right here on Naked Security! As regular readers will know, however, we’re not terribly keen on online tips that are specific to Black Friday, because cybersecurity matters 365-and-a-quarter days a year.…

Given that we’re getting into peak retail season, you’ll find cybersecurity warnings with a “Black Friday” theme all over the internet…

…including, of course, right here on Naked Security!

As regular readers will know, however, we’re not terribly keen on online tips that are specific to Black Friday, because cybersecurity matters 365-and-a-quarter days a year.

Don’t take cybersecurity seriously only when it’s Thanksgiving, Hannukah, Kwanzaa, Christmas or any other gift-giving holiday, or only for the New Year Sales, the Spring Sales, the Summer sales or any other seasonal discount opportunity.

As we said when retail season kicked off earlier this month in many parts of the world:

The best reason for improving your cybersecurity in the leadup to Black Friday is that it means you will be improving your cybersecurity for the rest of the year, and will encourage you to keep on improving through 2023 and beyond.

Having said that, this article is about a PayPal-branded scam that was reported to us earlier this week by a regular reader who thought it would be worth warning others about, especially for those with PayPal accounts who may be more inclined to use them at this time of year than any other.

The good thing about this scam is that you should spot it for what it is: made-up nonsense.

The bad thing about this scam is that it’s astonishingly easy for criminals to set up, and it carefully avoids sending spoofed emails or tricking you to visit bogus websites, because the crooks use a PayPal service to generate their initial contact via official PayPal servers.

Here goes.

Spoofing explained

A spoofed email is one that insists it’s from a well-known company or domain, typically by putting a believable email address in the From: line, and by including logos, taglines or other contact details copied from the brand it’s trying to impersonate.

Remember that the name and email address shown in an email next to the word From are actually just part of the message itself, so the sender can put almost anything they like in there, regardless of where they really sent the message from.

A spoofed website is one that copies the look and feel of the real thing, often simply by ripping off the exact web content and images from the original site to make it look as pixel-perfect as possible.

Scam sites may also try to make the domain name that you see in the address bar look at least vaguely realistic, for example by putting the spoofed brand at the left-hand end of the web address, so that you might see something like paypal.com.bogus.example, in the hope that you won’t check the right-hand end of the name, which actually determines who owns the site.

Other scammers try to acquire lookalike names, for example by replacing W (one W-for-Whisky character) with VV (two V-for Victor characters), or by using I (writing an upper case I-for-India character) in place of l (a lower case L-for-Lima).

But spoofing tricks of this sort can often be spotted fairly easily, for example by:

  • Learning how to examine the so-called headers of an email message, which shows which server a message actually came from, rather than the server that the sender claimed they sent it from.
  • Setting up an email filter that automatically scans for scamminess in both the headers and the body of every email message that anyone tries to send you.
  • Browsing via a network or endpoint firewall that blocks outbound web requests to fake sites and discards inbound web replies that include risky content.
  • Using a password manager that ties usernames and passwords to specific websites, and thus can’t be fooled by fake content or lookalike names.

Email scammers therefore often go out of their way to ensure that their first contact with potential victims involves messages that really do come from genuine sites or online services, and that link to servers that really are run by those same legitimate sites…

…as long as the scammers can come up with some way of maintaining contact after that initial message, in order to keep the scam going.

Romance scammers, who try to lure victims into fake online relationships in order to sweet-talk them out of money, know this trick only too well. They typically start by making contact in a conventional way on a genuine dating site, using someone else’s photos and online identity. There, they charm their victims into leaving the comparative safety of the legitimate site and switching to an unsupervised one-to-one instant messaging service.

The “money request” scam

Here’s how the PayPal “money request” scam works:

  • The scammer creates a PayPal account and uses PayPal’s “money request” service to send you an official PayPal email asking you to send them some funds. Friends can use this service as an informal but relatively safe way of splitting expenses after a night out, asking for help paying a bill, or even to get paid for small tasks such as cleaning, gardening, pet sitting, and so on.
  • The scammer makes the request look like an existing charge for a genuine product or service, though not one you actually ordered, and probably for what looks like an unlikely or unreasonable price.
  • The scammer adds a contact phone number into the message, apparently offering an easy way to cancel the payment request if you think it’s scam.

So the email actually does originate from PayPal, giving it an air of authenticity, et entices you to react by phoning the crooks back, rather than by replying to the email itself.

Like this:

In this example, the product you’re supposed to have purchased is the name of a genuine consumer anti-virus program, with the number 365 tacked on the end to give it the look of an online-only cloud-based product.

Given that you are quite well aware that the payment request was never authorised by you, you may well report it to PayPal…

…but it’s also tempting to phone the “business” that put through the request to tell them not to hit you up again next week or next month when their “records” show that the “bill” still hasn’t been paid.

After all, the phone call’s free (in the UK, as in many other countries, the -800- dialling code denotes a toll-free call), and if someone you know really has tried to buy some online cybersecurity software and charge it to your dime, why not try to get to the bottom of it and stop the “payment” getting through?

Of course, it’s all a pack of lies: there’s no anti-virus program; there was no purchase; and no one actually paid out £550 to anyone for anything.

The crooks have simply found a way to abuse PayPal’s free Money Request service to generate emails that really do come from PayPal, that include real PayPal links, and that use the message field in the request to give you an official-looking way to contact them directly…

…just like a romance scammer schmoozing you at arm’s length on a dating site, and then convincing you to switch over to messaging them directly, where the dating platform can no longer supervise or regulate your interactions.

What to do?

The quickest and easiest thing to do, of course, is nothing!

PayPal money requests are exactly what they say: a way for friends, family, someone, anyone, to invite you to send them money in a reasonably secure way.

They aren’t invoices; they aren’t payment demands; they’re not receipts; and they are unrelated to any existing purchase you did or didn’t make via PayPal or anywhere else.

If simply you do nothing, then nothing gets paid out and no one receives anything, so the scam fails.

We nevertheless recommend that you report bogus requests of this sort to PayPal, which will help to get the offending account closed down and to ensure that no one else either pays up through fear or calls the given phone number “just in case”.

Whatever you do, don’t send any money, and definitely don’t call the criminals back, because their true goal is to establish direct contact so they can start working you over to you to trick you into revealing personal information that could ultimately cost you a lot more than £549.67.

Shoild you tell the authorities?

Whether it’s during Black Friday season or at any other time of the year, we urge you to consider reporting scams of this sort to the relevant regulator or investigatory body in your country.

It might not feel as though you’re doing much to help, and you probably don’t have the time to report each and every one, but if sufficiently many people do provide some evidence to the authorities, there is a least a chance that they will do something about it.

On the other hand, if no one says anything, then nothing will or can be done.

Below, we’ve listed scam reporting links for various Anglophone countries:

AU: Scamwatch (Australian Competition and Consumer Commission) https://www.scamwatch.gov.au/about-scamwatch/contact-us CA: Canadian Anti-Fraud Centre https://antifraudcentre-centreantifraude.ca/index-eng.htm NZ: Consumer Protection (Ministry of Business, Innovation and Employment) https://www.consumerprotection.govt.nz/general-help/scamwatch/scammed-take-action/ UK: ActionFraud (National Fraud and Cyber Crime Reporting Centre) https://www.actionfraud.police.uk/ US: ReportFraud.ftc.gov (Federal Trade Commission) https://reportfraud.ftc.gov/ ZA: Financial Intelligence Centre https://www.fic.gov.za/Resources/Pages/ScamsAwareness.aspx
Source