Don’t pay that suspicious PayPal invoice — it’s a phishing scam

PayPal logo on a smartphone against a blurred background
(Image credit: Shutterstock)

In order for a phishing campaign to be successful, the cybercriminals behind it first need to ensure that their lures can reach potential victims, which is why they’ve recently turned to PayPal to send out fake invoices.

According to a new report from the Checkpoint-owned cybersecurity firm Avanan, cybercriminals are now using the legitimacy of PayPal to reach the inboxes of unsuspecting users.

Beginning in June of this year, the firm’s security researchers first observed this new technique which utilizes PayPal to send out malicious invoices and request payments. The cybercriminals behind this new campaign use free PayPal accounts to send emails from the company’s domain while spoofing the popular antivirus software brand Norton.

After creating an account, the cybercriminals use PayPal’s features to create fake invoices in which they edit the business name and fake phone numbers to make them appear more legitimate. 

These fake invoices also include a message that reads: “Thank you for purchasing Norton Security Premium plan, if you have not authorized this transaction please call us with your credit card details.” 

Unsuspecting users, who don’t remember signing up for Norton’s antivirus software, may call the number and provide their credit card details to avoid being changed. However, in doing so, they willingly give the attackers their phone number and payment information which can be used in future attacks.

The Static Expressway

This isn’t the first time that Avanan has observed cybercriminals abusing legitimate services in their attacks. In fact, just last month, it released a report detailing how QuickBooks was used to carry out a very similar type of attack.

As both QuickBooks and PayPal are on the Allow Lists of the best email services, emails sent from either service pass right through to reach a user’s inbox. Avanan calls this The Static Expressway and it refers to the practice of cybercriminals utilizing websites that are on static Allow Lists to ensure their phishing emails reach users’ inboxes.

In this case, Avanan notified PayPal of this new attack on July 19 and the company plans on updating its report with additional information once they hear back from the payments giant.

Fish hook on a keyboard

(Image credit: Shutterstock)

How to avoid falling victim to this and other phishing scams

In order to avoid this phishing scam, users first need to monitor their inboxes and PayPal accounts for fake invoices. If you receive an invoice for a product or service you don’t remember purchasing, you should check your PayPal account first to see if you may have ordered something and forgotten about it. However, you should never call the phone number on any fake invoices or provide your credit card details over the phone to anyone.

For those who are curious about the phone number on a fake invoice, Avanan recommends that users look up the phone number in a search engine first. Also, you can check a company’s website to see if the phone number provided on the invoice matches the one listed on their site.

Another big thing to look out for when it comes to phishing emails is a sense of urgency. Cybercriminals and scammers often give potential victims a short time frame to respond to their messages — this is a major red flag in regards to phishing scams and emails.

Now that Avanan is raising awareness to the fact that cybercriminals are abusing legitimate services to send out phishing emails, the companies being impersonated will likely require users to provide even more details when signing up to avoid having their services being misused. 

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.