66 comments

[ 3.0 ms ] story [ 130 ms ] thread
> It also seems like a convenience feature that PayPal should consider locking down. I immediately assumed this was some form of scam...

I don't really know how you'd prevent this or why anyone would fall for it. It's just sending an invoice. And PayPal clearly says you can safely ignore it if it's not for something you bought.

Sellers need to be able to send invoices, both for online and in-person things (like classes). And they need to be able to send them to any e-mail address, like a student who just signed up.

If you "lock it down", it doesn't work.

PayPal has dramatically improved this email since this scam started making the rounds a few months ago. Most of the safety notices weren't there originally, and they at the time allowed the seller to identify themselves as "PayPal", which made the email look a lot more legit.
> since this scam started making the rounds a few months ago.

A few months ago? I've been getting these intermittently for years.

I don't use Paypal for different reasons, but it still amazes me how popular it is as a tool for scammers. Someone on a different internet forum recently tried an unsophisticated scam impersonating an African aid worker and asking me to send money for the children. I was bored and baited them with computer generated replies. They wouldn't even take cryptocurrency, only Paypal. And it's a similar situation for other scams that are common in my city where they trick people in making bank transfers to the fraudsters account.

I don't understand how there can be so much fraud in legacy finance, and everyone simply accepts it without holding the companies responsible for not cracking down harder. Yet if it's on a public blockchain where everyone can observe the movements, it's supposed to be worse? Wonder how much more of it we'd see if bank books were public.

A few months ago was when I first saw it and it hit the tech news and PayPal finally did something about it. It wouldn't surprise me if it's been around much longer.
If a scammer is aware of a real transaction, they could spoof the amount and requester name.
At minimum they could check for sellers setting their name to “Coinbase”, or other well-known names. In theory it should also be possible to detect scam invoice messages with similar techniques to spam filters.
They could force the invoice sender to verify an email address, and then include this email address in the invoice email. This way, nobody can pose as "coinbase" -- maybe as invoice@coinbase.fakedomain.com, but not as invoice@coinbase.com.
I guess they could severely rate limit based on previously undisputed transactions. If it's a new account or an account with 5 undisputed payments over the last year, it should not be possible to send out 10.000 bills. They could also charge an increasing deposit 10 cents for the first 10 bills, 20 for the next 10 or an increasing percentage of the amount billed. They can refund it if the bill has been paid and not disputed. Should not deter any real user, but gets expensive for someone hoping for this 0.001% success rate.
What's "novel" about that?
Because it is a scam that managed to land into many people's inboxes, including mine, looked 100% genuine coming from a trusted email and a company, and it made a large enough people to be unsure what is it.
That's not what "novel" means.

> adjective: novel; new or unusual in an interesting way.

There's a more insidious version of this floating around.

https://krebsonsecurity.com/2022/08/paypal-phishing-scam-use...

I received this one myself recently. Threw me for a loop that it appeared to be a genuine email from Paypal and once I logged into Paypal (by typing in the url, I didn't click any links) I saw the invoice in my account. I knew it was a phishing attempt, but wasn't sure how to deal with it at first.
I've stumbled upon a worse version. If you don't have a business account and send someone an invoice - PayPal reverts and refunds that invoice a month later. I was completely flabbergasted when I found out they do this - there's no upfront notice or alert. In my case, the buyer was kind enough to re-pay via a regular "request", but that won't be the case for everyone.
Wait what? That doesn't sound right, maybe I'm missing something. Can you elaborate? I just sold something via invoice in December, and it wasn't reverted(yet)...
Maybe the buyer disputed the charge accidentally? I sold an item with an invoice over 6 months ago and had zero problems. I took tons of pictures of the item I was selling and documented all my correspondence in case of a dispute. Buyer sent payment, and I sent the item. Case closed.
I ordered some sports equipment from a store together with some friends so the sum was pretty high. The money was sent and the items were supposed to be delivered. The store owner was away over the weekend so didn't send the items yet. We were in contact with them personally just before they left. When they came to work on monday they were slightly confused because they got a mail from Paypal that we had disputed the invoice or some such and Paypal had refunded us the whole sum. If they wouldn't have had that vacation, they would have sent the items already and we would have gotten the products and the money back a couple of days later. This was about 8 years ago now I believe, so it's still happening. I would never use Paypal to sell anything, there is no guarantee you get to keep the money. Better keep the account empty if you do use paypal.
That should be completely wrong. PayPal goods and services through invoice protects both the seller and buyer, one of the parties would have to dispute the claim, or perhaps the automated system suspected something. Either way I've usually found PayPal support helpful with that.
Paypal only protects the buyer. It's cheaper for them that way.
I received a similar version as well asking me to pay an invoice. I contacted PayPal and they confirmed it was a scam. This was several months ago.

People have been scamming companies for a long time with fake invoices, but this is the first time I’ve seen it done at the consumer level.

The online equivalent of telling random strangers "pay me!"

I'm surprised that it works at all.

The scam isn't trying to get you to pay the invoice, it's trying to get you to call the number. My dad nearly fell for this scam last August, and when he called the number someone posing as PayPal customer support told him he had a virus and they needed remote access to his computer to clean it. He wised up and told them no, but presumably they would have installed spyware or ransomware once given access.
> (poor punctuation on the “seller note” aside)

If the author is referring to that title "seller note to customer" -- I think that is PayPal's standard email template and nothing to do with the scammer.

They might be referring to the extra spacing around the punctuation in “$479. 00” and “transaction, please”.

“Dear Customer, You” is also incorrect. The standard correction would be to add a newline after the comma (which presumably the scammer was unable to do), making it a spacing or perhaps capitalization error. But another valid fix would be to replace the comma with a colon, so you could argue it’s a punctuation error…

I've always heard this is intentional with scammers. Their goal is to get you to call the number, so they have a cost if the user responds. Having some errors filters out the less gullible, who won't fall for the scam and will just cost the call center money.
Got one of these from “Coinbase Corporation.”

Reported it to their security/phishing inbound.

I received the same and the invoice came from an individual named “Shin Deryl”

They couldn’t have chosen a worse scam. The email included Paypal’s anti-phishing footer (including a warning that official emails from PayPal include the customer’s full name) and the invoice was for Bitcoin.

The email was addressed “Dear Customer” and I’d rather douse myself in napalm and run into a bonfire than buy cryptocoins.

As noted by a couple people in this thread, the anti-phishing footer is new. PayPal presumably added it in response to this scam.
> and I’d rather douse myself in napalm and run into a bonfire than buy cryptocoins.

A good environmentalist choice! Napalm and flesh produce far less carbon dioxide than a transaction to buy cryptocoins.

I got one of those emails today. Obviously phishing. I called Paypal to confirm and also forwarded it to phishing@paypal.com.

Don't click on random links and don't call random phone numbers.

What's the risk of calling random phone numbers?
If they know your number or if you say who you are or if they gave you a unique callback number it confirms that they reached you and they can step up the scam.
Also, you are giving a potentially very savvy and capable con man a shot.
Common scam is getting called by a expensive call number, where they immediately cancel the call. When you call back, they keep you on the line for a minute or two with bullshit, charging you 10$/minute.
I received the exact same email (exact amount, coinbase, all checks passed) and forwarded to PayPal's phishing address (after having done my own due diligence) despite being surprised that this appeared so legit. Glad to see I wasn't in the wrong.. But something like that with a target other than crypto could have been devastating for non-tech people.
I've had this with another company, Intuit I believe. Someone used it to issue an invoice to me disguised as a bill from Intuit itself. It took me a solid 10 minutes of investigating before finally realizing what it was. Closest I've ever been to being duped!
Not so novel. I have been getting around two emails a month for the past three months.
This "novel" "scam" has been around since 2000 when Request Money was launched.
People have been sending paper invoices to the overworked accounting departments of companies for a very long time. (Or the slightly more sophisticated "office supply" scam where they send unsolicited some low grade office supplies with a very large invoice which has been going around since the 1970s).
Ah, the good old days of phone calls telling you that they were checking in, and were going to send over the "usual order", just needed a quick ok.

Similarly when I used to own a liquor store and the distributors would come in at the busiest times and say, "Oh, you're busy. Don't worry, I'll check your inventory for you, and you just have to sign off." Sign off, that is, on a huge list of stuff you don't need.

The scammer here doesn't seriously expect anyone to pay up—they expect people to call the phone number they include in the message so they can move on to phase 2 of the scam (whatever that is).

The PayPal invoice form is just a sufficiently scary-looking template to trigger a reaction in someone who might fall for a phone call with the "Coinbase Billing Department". The amount on the invoice is too high for people to accidentally pay but too low to immediately clue the victim in that it's fake.

The solution here is PayPal ensuring that seller notes aren't misguiding. I wondered why PayPal hasn't blocked senders from mentioning "PayPal" or even "PayPal®" as mentioned in the seller note. A justification might be that sellers do legitimately mention PayPal in the note without trying to impersonate.

It seems that an AI based filter might help? Why not ask the new kid around the block ChatGPT.

  > "Dear Customer, You sent a payment of $429.00 USD to Coinbase Corporation. If you did not make this payment or to cancel this transaction, please call our Help Desk number +1 XXX Cancellation after 24 Hours from this email won't be valid for a refund. Have a great day! PayPal Help Desk +1 XXX"

  Who is the author of this message

  ChatGPT> The author of this message is the PayPal Help Desk.
Maybe it is a bit too easy with the signature in place. Scammers might get smarter so I skipped the signature bit. The response was interesting.

  > "Dear Customer, You sent a payment of $429.00 USD to Coinbase Corporation. If you did not make this payment or to cancel this transaction, please call our Help Desk number +1 123 Cancellation after 24 Hours from this email won't be valid for a refund. Have a great day!"

  who is the author of this message

  ChatGPT> The author of this message is likely a representative of a financial institution or payment provider, such as a bank or payment service like PayPal.
On a simpler note, I think it would help PayPal to mention right below the seller note that this message is authored by the seller and NOT PayPal.
I think the biggest problem here is that the scammer has a way to include a message in the email.

I've discovered that if you offer any type of service that allows sending free text messages to other people, it will be abused by spammers or scammers.

For a variation of this problem, I once programmed a sign-up form that sent a confirmation email like "Hello name, please confirm your email...". As soon as spammers found it, they used it to send millions of emails by signing up and putting their spam message in the name field.

It doesn't matter how much info you put in the email around it (like a footer warning about spam). If the email contains any text that can be provided by the attacker, it will be abused.

Paypal should probably not include the seller note in the email, and show the invoice to the user only after asking if they are expecting an invoice.

Maybe limit the name length (client and server side) to 20 chars or so.
A shortened URL would fit into 20 chars (while some names don't) and I see this being widely abuse. One also would need a regexp to not allow things like URLs and phone numbers (but allow names in any language).
But be careful, this is one of of falsehoods programmers believe about names [1]. My name needs 16 characters, so 20 as a limit bothers me personally.

For this example I'd suggest allowing long names. No one wants to have a computer say "your name is not valid". However, if the goal of personalized email is to be friendly, or some other non-functional reason, consider only including the name in the email if its "short" enough. That seems like a graceful degradation that would limit spam.

Edit: or to address the URL/phone number concern, allow the user to pick that as their name, but not include it in the email.

[1] https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-...

It's only a falsehood if you expect it to hold everyone's full name. No need to call any names invalid just to ask for something shorter.
20 characters is not nearly enough for Hubert Wolfeschlegelsteinhausenbergerdorffwelchevoralternwarengewissenhaftschaferswessenschafewarenwohlgepflegeundsorgfaltigkeitbeschutzenvonangreifendurchihrraubgierigfeindewelchevoralternzwolftausendjahresvorandieerscheinenvanderersteerdemenschderraumschiffgebrauchlichtalsseinursprungvonkraftgestartseinlangefahrthinzwischensternartigraumaufdersuchenachdiesternwelchegehabtbewohnbarplanetenkreisedrehensichundwohinderneurassevonverstandigmenschlichkeitkonntefortpflanzenundsicherfreuenanlebenslanglichfreudeundruhemitnichteinfurchtvorangreifenvonandererintelligentgeschopfsvonhinzwischensternartigraum's name.
A good chunk of the internet runs on varchar(255) name fields... Hubert's life is going to be rough out there.
It's surprising so many families (well, family names) survived the punch card days, when name fields were necessarily limited to something like 20 to 40 characters.
About 6 months ago, I got a very short invoice for $500 from "Patricia Snook". I can't even remember if there was a message. Actually was reminded about this a week ago, when Paypal sent me a message that "Ms. Snook" had cancelled the invoice.
I have received almost the exact same message, but not from Coinbase. I’ve never fallen for a scam, but I fell for this one. I was in a rush at work read the message, called the phone number and realized with all the background chatter it was a scam call center and hung up. I was so shocked I had fallen for it, I wrote my family a summary laughing at myself that even a tech guy who watches YouTube scam revenge videos can get fooled.
You hung up and they got nothing out of you. I don't think that quite counts as falling for it.
Sure, but it certainly counts as a close call, and if you are serious about preventing failures, you should be alerting on and tracking close calls, not only actual failures.

E.g., factories used to have big signs about "XX Days Since A Time Lost Accident". I've seen more advance factories now posting "XX Days Since A Close Call". Important distinction because studying the close calls and taking action will prevent accidents better than waiting for an actual accident. Same for security failures.

(comment deleted)
>Inspecting the source, the email looked like it actually came from PayPal (SPF, DKIM, and DMARC all passed).

Through an email server controlled by Paypal, in particular. DMARC is not intended to be some sort of replacement for an email signature. It means something different. This is a good example of that.

This was just a regular anonymous unsigned email...