> It also seems like a convenience feature that PayPal should consider locking down. I immediately assumed this was some form of scam...
I don't really know how you'd prevent this or why anyone would fall for it. It's just sending an invoice. And PayPal clearly says you can safely ignore it if it's not for something you bought.
Sellers need to be able to send invoices, both for online and in-person things (like classes). And they need to be able to send them to any e-mail address, like a student who just signed up.
PayPal has dramatically improved this email since this scam started making the rounds a few months ago. Most of the safety notices weren't there originally, and they at the time allowed the seller to identify themselves as "PayPal", which made the email look a lot more legit.
I don't use Paypal for different reasons, but it still amazes me how popular it is as a tool for scammers. Someone on a different internet forum recently tried an unsophisticated scam impersonating an African aid worker and asking me to send money for the children. I was bored and baited them with computer generated replies. They wouldn't even take cryptocurrency, only Paypal. And it's a similar situation for other scams that are common in my city where they trick people in making bank transfers to the fraudsters account.
I don't understand how there can be so much fraud in legacy finance, and everyone simply accepts it without holding the companies responsible for not cracking down harder. Yet if it's on a public blockchain where everyone can observe the movements, it's supposed to be worse? Wonder how much more of it we'd see if bank books were public.
A few months ago was when I first saw it and it hit the tech news and PayPal finally did something about it. It wouldn't surprise me if it's been around much longer.
At minimum they could check for sellers setting their name to “Coinbase”, or other well-known names. In theory it should also be possible to detect scam invoice messages with similar techniques to spam filters.
They could force the invoice sender to verify an email address, and then include this email address in the invoice email. This way, nobody can pose as "coinbase" -- maybe as invoice@coinbase.fakedomain.com, but not as invoice@coinbase.com.
I guess they could severely rate limit based on previously undisputed transactions. If it's a new account or an account with 5 undisputed payments over the last year, it should not be possible to send out 10.000 bills. They could also charge an increasing deposit 10 cents for the first 10 bills, 20 for the next 10 or an increasing percentage of the amount billed. They can refund it if the bill has been paid and not disputed. Should not deter any real user, but gets expensive for someone hoping for this 0.001% success rate.
Imposing an up-front cost seems like a reasonable option.
> PayPal Invoicing has no set up or monthly fees. When a customer pays you online, you’re charged a fee based on the amount of the purchase. Fees vary by country or region.
Because it is a scam that managed to land into many people's inboxes, including mine, looked 100% genuine coming from a trusted email and a company, and it made a large enough people to be unsure what is it.
I received this one myself recently. Threw me for a loop that it appeared to be a genuine email from Paypal and once I logged into Paypal (by typing in the url, I didn't click any links) I saw the invoice in my account. I knew it was a phishing attempt, but wasn't sure how to deal with it at first.
I've stumbled upon a worse version. If you don't have a business account and send someone an invoice - PayPal reverts and refunds that invoice a month later. I was completely flabbergasted when I found out they do this - there's no upfront notice or alert. In my case, the buyer was kind enough to re-pay via a regular "request", but that won't be the case for everyone.
Wait what? That doesn't sound right, maybe I'm missing something. Can you elaborate? I just sold something via invoice in December, and it wasn't reverted(yet)...
Maybe the buyer disputed the charge accidentally? I sold an item with an invoice over 6 months ago and had zero problems. I took tons of pictures of the item I was selling and documented all my correspondence in case of a dispute. Buyer sent payment, and I sent the item. Case closed.
I ordered some sports equipment from a store together with some friends so the sum was pretty high. The money was sent and the items were supposed to be delivered. The store owner was away over the weekend so didn't send the items yet. We were in contact with them personally just before they left. When they came to work on monday they were slightly confused because they got a mail from Paypal that we had disputed the invoice or some such and Paypal had refunded us the whole sum. If they wouldn't have had that vacation, they would have sent the items already and we would have gotten the products and the money back a couple of days later. This was about 8 years ago now I believe, so it's still happening. I would never use Paypal to sell anything, there is no guarantee you get to keep the money. Better keep the account empty if you do use paypal.
That should be completely wrong. PayPal goods and services through invoice protects both the seller and buyer, one of the parties would have to dispute the claim, or perhaps the automated system suspected something. Either way I've usually found PayPal support helpful with that.
The scam isn't trying to get you to pay the invoice, it's trying to get you to call the number. My dad nearly fell for this scam last August, and when he called the number someone posing as PayPal customer support told him he had a virus and they needed remote access to his computer to clean it. He wised up and told them no, but presumably they would have installed spyware or ransomware once given access.
If the author is referring to that title "seller note to customer" -- I think that is PayPal's standard email template and nothing to do with the scammer.
They might be referring to the extra spacing around the punctuation in “$479. 00” and “transaction, please”.
“Dear Customer, You” is also incorrect. The standard correction would be to add a newline after the comma (which presumably the scammer was unable to do), making it a spacing or perhaps capitalization error. But another valid fix would be to replace the comma with a colon, so you could argue it’s a punctuation error…
I've always heard this is intentional with scammers. Their goal is to get you to call the number, so they have a cost if the user responds. Having some errors filters out the less gullible, who won't fall for the scam and will just cost the call center money.
Microsoft Research wrote an interesting post on it [1].
Their conclusion was similar: "By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor."
I received the same and the invoice came from an individual named “Shin Deryl”
They couldn’t have chosen a worse scam. The email included Paypal’s anti-phishing footer (including a warning that official emails from PayPal include the customer’s full name) and the invoice was for Bitcoin.
The email was addressed “Dear Customer” and I’d rather douse myself in napalm and run into a bonfire than buy cryptocoins.
If they know your number or if you say who you are or if they gave you a unique callback number it confirms that they reached you and they can step up the scam.
Common scam is getting called by a expensive call number, where they immediately cancel the call. When you call back, they keep you on the line for a minute or two with bullshit, charging you 10$/minute.
I received the exact same email (exact amount, coinbase, all checks passed) and forwarded to PayPal's phishing address (after having done my own due diligence) despite being surprised that this appeared so legit. Glad to see I wasn't in the wrong.. But something like that with a target other than crypto could have been devastating for non-tech people.
I've had this with another company, Intuit I believe. Someone used it to issue an invoice to me disguised as a bill from Intuit itself. It took me a solid 10 minutes of investigating before finally realizing what it was. Closest I've ever been to being duped!
People have been sending paper invoices to the overworked accounting departments of companies for a very long time. (Or the slightly more sophisticated "office supply" scam where they send unsolicited some low grade office supplies with a very large invoice which has been going around since the 1970s).
Ah, the good old days of phone calls telling you that they were checking in, and were going to send over the "usual order", just needed a quick ok.
Similarly when I used to own a liquor store and the distributors would come in at the busiest times and say, "Oh, you're busy. Don't worry, I'll check your inventory for you, and you just have to sign off." Sign off, that is, on a huge list of stuff you don't need.
The scammer here doesn't seriously expect anyone to pay up—they expect people to call the phone number they include in the message so they can move on to phase 2 of the scam (whatever that is).
The PayPal invoice form is just a sufficiently scary-looking template to trigger a reaction in someone who might fall for a phone call with the "Coinbase Billing Department". The amount on the invoice is too high for people to accidentally pay but too low to immediately clue the victim in that it's fake.
The solution here is PayPal ensuring that seller notes aren't misguiding. I wondered why PayPal hasn't blocked senders from mentioning "PayPal" or even "PayPal®" as mentioned in the seller note. A justification might be that sellers do legitimately mention PayPal in the note without trying to impersonate.
It seems that an AI based filter might help? Why not ask the new kid around the block ChatGPT.
> "Dear Customer, You sent a payment of $429.00 USD to Coinbase Corporation. If you did not make this payment or to cancel this transaction, please call our Help Desk number +1 XXX Cancellation after 24 Hours from this email won't be valid for a refund. Have a great day! PayPal Help Desk +1 XXX"
Who is the author of this message
ChatGPT> The author of this message is the PayPal Help Desk.
Maybe it is a bit too easy with the signature in place. Scammers might get smarter so I skipped the signature bit. The response was interesting.
> "Dear Customer, You sent a payment of $429.00 USD to Coinbase Corporation. If you did not make this payment or to cancel this transaction, please call our Help Desk number +1 123 Cancellation after 24 Hours from this email won't be valid for a refund. Have a great day!"
who is the author of this message
ChatGPT> The author of this message is likely a representative of a financial institution or payment provider, such as a bank or payment service like PayPal.
On a simpler note, I think it would help PayPal to mention right below the seller note that this message is authored by the seller and NOT PayPal.
I think the biggest problem here is that the scammer has a way to include a message in the email.
I've discovered that if you offer any type of service that allows sending free text messages to other people, it will be abused by spammers or scammers.
For a variation of this problem, I once programmed a sign-up form that sent a confirmation email like "Hello name, please confirm your email...". As soon as spammers found it, they used it to send millions of emails by signing up and putting their spam message in the name field.
It doesn't matter how much info you put in the email around it (like a footer warning about spam). If the email contains any text that can be provided by the attacker, it will be abused.
Paypal should probably not include the seller note in the email, and show the invoice to the user only after asking if they are expecting an invoice.
A shortened URL would fit into 20 chars (while some names don't) and I see this being widely abuse. One also would need a regexp to not allow things like URLs and phone numbers (but allow names in any language).
But be careful, this is one of of falsehoods programmers believe about names [1]. My name needs 16 characters, so 20 as a limit bothers me personally.
For this example I'd suggest allowing long names. No one wants to have a computer say "your name is not valid". However, if the goal of personalized email is to be friendly, or some other non-functional reason, consider only including the name in the email if its "short" enough. That seems like a graceful degradation that would limit spam.
Edit: or to address the URL/phone number concern, allow the user to pick that as their name, but not include it in the email.
20 characters is not nearly enough for Hubert Wolfeschlegelsteinhausenbergerdorffwelchevoralternwarengewissenhaftschaferswessenschafewarenwohlgepflegeundsorgfaltigkeitbeschutzenvonangreifendurchihrraubgierigfeindewelchevoralternzwolftausendjahresvorandieerscheinenvanderersteerdemenschderraumschiffgebrauchlichtalsseinursprungvonkraftgestartseinlangefahrthinzwischensternartigraumaufdersuchenachdiesternwelchegehabtbewohnbarplanetenkreisedrehensichundwohinderneurassevonverstandigmenschlichkeitkonntefortpflanzenundsicherfreuenanlebenslanglichfreudeundruhemitnichteinfurchtvorangreifenvonandererintelligentgeschopfsvonhinzwischensternartigraum's name.
It's surprising so many families (well, family names) survived the punch card days, when name fields were necessarily limited to something like 20 to 40 characters.
About 6 months ago, I got a very short invoice for $500 from "Patricia Snook". I can't even remember if there was a message. Actually was reminded about this a week ago, when Paypal sent me a message that "Ms. Snook" had cancelled the invoice.
FYI they are also using Google Forms to send these now. Which is pretty smart as the email comes from Google itself, probably bypassing all spam filters!
I have received almost the exact same message, but not from Coinbase. I’ve never fallen for a scam, but I fell for this one. I was in a rush at work read the message, called the phone number and realized with all the background chatter it was a scam call center and hung up. I was so shocked I had fallen for it, I wrote my family a summary laughing at myself that even a tech guy who watches YouTube scam revenge videos can get fooled.
Sure, but it certainly counts as a close call, and if you are serious about preventing failures, you should be alerting on and tracking close calls, not only actual failures.
E.g., factories used to have big signs about "XX Days Since A Time Lost Accident". I've seen more advance factories now posting "XX Days Since A Close Call". Important distinction because studying the close calls and taking action will prevent accidents better than waiting for an actual accident. Same for security failures.
>Inspecting the source, the email looked like it actually came from PayPal (SPF, DKIM, and DMARC all passed).
Through an email server controlled by Paypal, in particular. DMARC is not intended to be some sort of replacement for an email signature. It means something different. This is a good example of that.
This was just a regular anonymous unsigned email...
66 comments
[ 3.0 ms ] story [ 130 ms ] threadI don't really know how you'd prevent this or why anyone would fall for it. It's just sending an invoice. And PayPal clearly says you can safely ignore it if it's not for something you bought.
Sellers need to be able to send invoices, both for online and in-person things (like classes). And they need to be able to send them to any e-mail address, like a student who just signed up.
If you "lock it down", it doesn't work.
A few months ago? I've been getting these intermittently for years.
I don't understand how there can be so much fraud in legacy finance, and everyone simply accepts it without holding the companies responsible for not cracking down harder. Yet if it's on a public blockchain where everyone can observe the movements, it's supposed to be worse? Wonder how much more of it we'd see if bank books were public.
> PayPal Invoicing has no set up or monthly fees. When a customer pays you online, you’re charged a fee based on the amount of the purchase. Fees vary by country or region.
[1]: https://www.paypal.com/us/cshelp/article/how-much-does-it-co...
> adjective: novel; new or unusual in an interesting way.
https://krebsonsecurity.com/2022/08/paypal-phishing-scam-use...
People have been scamming companies for a long time with fake invoices, but this is the first time I’ve seen it done at the consumer level.
I'm surprised that it works at all.
Previous discussion: https://news.ycombinator.com/item?id=32511086
If the author is referring to that title "seller note to customer" -- I think that is PayPal's standard email template and nothing to do with the scammer.
“Dear Customer, You” is also incorrect. The standard correction would be to add a newline after the comma (which presumably the scammer was unable to do), making it a spacing or perhaps capitalization error. But another valid fix would be to replace the comma with a colon, so you could argue it’s a punctuation error…
Their conclusion was similar: "By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor."
[1] https://www.microsoft.com/en-us/research/publication/why-do-...
Reported it to their security/phishing inbound.
They couldn’t have chosen a worse scam. The email included Paypal’s anti-phishing footer (including a warning that official emails from PayPal include the customer’s full name) and the invoice was for Bitcoin.
The email was addressed “Dear Customer” and I’d rather douse myself in napalm and run into a bonfire than buy cryptocoins.
A good environmentalist choice! Napalm and flesh produce far less carbon dioxide than a transaction to buy cryptocoins.
Don't click on random links and don't call random phone numbers.
Similarly when I used to own a liquor store and the distributors would come in at the busiest times and say, "Oh, you're busy. Don't worry, I'll check your inventory for you, and you just have to sign off." Sign off, that is, on a huge list of stuff you don't need.
The PayPal invoice form is just a sufficiently scary-looking template to trigger a reaction in someone who might fall for a phone call with the "Coinbase Billing Department". The amount on the invoice is too high for people to accidentally pay but too low to immediately clue the victim in that it's fake.
It seems that an AI based filter might help? Why not ask the new kid around the block ChatGPT.
Maybe it is a bit too easy with the signature in place. Scammers might get smarter so I skipped the signature bit. The response was interesting. On a simpler note, I think it would help PayPal to mention right below the seller note that this message is authored by the seller and NOT PayPal.I've discovered that if you offer any type of service that allows sending free text messages to other people, it will be abused by spammers or scammers.
For a variation of this problem, I once programmed a sign-up form that sent a confirmation email like "Hello name, please confirm your email...". As soon as spammers found it, they used it to send millions of emails by signing up and putting their spam message in the name field.
It doesn't matter how much info you put in the email around it (like a footer warning about spam). If the email contains any text that can be provided by the attacker, it will be abused.
Paypal should probably not include the seller note in the email, and show the invoice to the user only after asking if they are expecting an invoice.
For this example I'd suggest allowing long names. No one wants to have a computer say "your name is not valid". However, if the goal of personalized email is to be friendly, or some other non-functional reason, consider only including the name in the email if its "short" enough. That seems like a graceful degradation that would limit spam.
Edit: or to address the URL/phone number concern, allow the user to pick that as their name, but not include it in the email.
[1] https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-...
E.g., factories used to have big signs about "XX Days Since A Time Lost Accident". I've seen more advance factories now posting "XX Days Since A Close Call". Important distinction because studying the close calls and taking action will prevent accidents better than waiting for an actual accident. Same for security failures.
Through an email server controlled by Paypal, in particular. DMARC is not intended to be some sort of replacement for an email signature. It means something different. This is a good example of that.
This was just a regular anonymous unsigned email...