If you receive an email from PayPal it is the start of a new automatic scam: how to defend yourself

An email that appears authentic, sent from an official PayPal address ([email protected]) and delivered by PayPal's own servers, is the trigger of a new, sophisticated scam that exploits some technical mechanisms of the digital payments giant. The message tells the user that an “automatic payment is no longer active” and, at the same time, suggests that an expensive product, such as a smartphone or a computer, was purchased from their account for a large sum. The cyber criminals' objective is to induce the user to call a telephone number that pretends to be PayPal assistance. From there a more complex fraud can proceed, based on social engineering, that is, on psychological manipulation that pushes the user to unknowingly act against their own interests. In this in-depth analysis we explain how a fraudulent email can be technically legitimate, why anti-spam filters do not intercept it, which PayPal function is being abused and, above all, what concrete checks to carry out to understand whether your account is really at risk or whether you are facing a well-constructed scam.

How the new PayPal email scam works

The heart of the scam lies in PayPal's “Subscriptions” feature, a tool designed to let merchants manage recurring payments. When a subscription is suspended, PayPal automatically sends an email to the subscriber to let them know that the automatic payment has been turned off. Scammers exploit this legitimate flow by creating a fake subscription and targeting a specific field, the Customer Service URL, which would normally contain only a web address. Instead of just a link, the field is altered to include additional text: a purported purchase, a very large amount and a phone number to call to “cancel” or “dispute” the payment. The use of Unicode characters, i.e. symbols that let letters appear in unusual shapes or in bold, serves to make the message more credible and to evade automatic keyword-based checks.

The result is an email that actually comes from the address [email protected] and passes the main security checks: SPF (which verifies that the sending server is authorized), DKIM (which verifies that the contents have not been modified in transit) and DMARC (which coordinates these checks to reduce spoofing, i.e. falsification of the sender). Since the email really originates from PayPal's infrastructure, all of these checks pass and email clients have no reason to flag it as spam.

However, a crucial question remains: why does the email reach people who never signed up for that subscription? Header analysis shows that the initial recipient is an address attributable to a mailing list, probably created with Google Workspace. A mailing list works like a group: every message sent to the group address is automatically forwarded to all of its members. This way, the legitimate email sent by PayPal to a fake subscriber is redistributed to a list of potential victims.
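The three paragraphs above describe exactly the signals a mail administrator or analyst can check for: authentication results that genuinely pass, mailing-list headers showing the message was redistributed, and a "customer service" field whose Unicode-styled text hides a phone number. The following Python script is an added example written for this article (it is not code from the article, PayPal or BleepingComputer) that reads a raw message, folds Unicode look-alike digits back to ASCII with NFKC normalization, and reports whether an authenticated notice matches that abuse pattern. Because the article withholds the real sender address, the two sample messages, their domains, addresses and the phone number are constructed placeholders.

```python
import email
import re
import unicodedata
from email import policy

# Constructed sample (NOT a real PayPal message): the notice authenticates at the
# receiving relay, carries mailing-list headers because a list redistributed it,
# and the "customer service" text smuggles a phone number written in Unicode
# MATHEMATICAL BOLD digits (U+1D7CE..U+1D7D7). All names are placeholders.
SAMPLE_MESSAGE = (
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=payments.example;"
    " dkim=pass header.d=payments.example; dmarc=pass header.from=payments.example\r\n"
    "List-Id: <members.lists.example>\r\n"
    "Precedence: list\r\n"
    "From: notifications@payments.example\r\n"
    "To: members@lists.example\r\n"
    "Subject: Your automatic payment is no longer active\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "Your automatic payment to Laptop Store is no longer active.\r\n"
    "Customer service: https://shop.example/help Dispute the 2,199.00 USD charge at "
    "\U0001D7CF-\U0001D7D6\U0001D7CE\U0001D7CE-\U0001D7D3\U0001D7D3\U0001D7D3-"
    "\U0001D7CE\U0001D7CF\U0001D7D7\U0001D7D7\r\n"
).encode("utf-8")

# Constructed benign counterpart: same authenticated sender, delivered directly
# to one recipient, customer-service field holds only a URL.
CLEAN_MESSAGE = (
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=payments.example;"
    " dkim=pass header.d=payments.example; dmarc=pass header.from=payments.example\r\n"
    "From: notifications@payments.example\r\n"
    "To: alice@example.net\r\n"
    "Subject: Your automatic payment is no longer active\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "Your automatic payment to Laptop Store is no longer active.\r\n"
    "Customer service: https://shop.example/help\r\n"
).encode("utf-8")

# A run of 9+ digits, spaces, dots, dashes or brackets bounded by digits.
PHONE_RE = re.compile(r"(?<!\d)\+?\d[\d\s().-]{7,}\d(?!\d)")


def auth_results(msg):
    """Read the SPF/DKIM/DMARC outcomes recorded by the receiving relay."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def relayed_by_mailing_list(msg):
    """Mailing-list relays add List-* headers or a list/bulk Precedence."""
    return (msg.get("List-Id") is not None
            or str(msg.get("Precedence", "")).lower() in ("list", "bulk"))


def deobfuscate(text):
    """NFKC folds styled Unicode look-alikes (bold digits, etc.) to plain ASCII."""
    return unicodedata.normalize("NFKC", text)


def count_obfuscated_chars(text):
    """How many characters change under NFKC, i.e. were styled look-alikes."""
    return sum(1 for ch in text if unicodedata.normalize("NFKC", ch) != ch)


def find_phone_numbers(text):
    """Phone-number-like runs found only after de-obfuscating the text."""
    return [m.group(0).strip() for m in PHONE_RE.finditer(deobfuscate(text))]


def assess(raw):
    """Flag an authenticated notice whose routing or content matches the abuse pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    results = auth_results(msg)
    authenticated = all(results.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    report = {
        "authenticated": authenticated,
        "list_relayed": relayed_by_mailing_list(msg),
        "phone_numbers": find_phone_numbers(body),
        "obfuscated_chars": count_obfuscated_chars(body),
    }
    # The sender is genuine, so "is it authenticated?" cannot be the test; the
    # tell is a legitimate notice that arrived via a list or carries a phone number.
    report["suspicious"] = authenticated and (
        report["list_relayed"] or bool(report["phone_numbers"]) or report["obfuscated_chars"] > 0
    )
    return report


if __name__ == "__main__":
    print(assess(SAMPLE_MESSAGE))
    print(assess(CLEAN_MESSAGE))
```

Note that a keyword filter working on the raw body never sees the digits "1-800-555-0199", only the bold code points; normalizing before matching is what makes the number visible, and the List-Id/Precedence check captures the forwarding step the header analysis in the article describes.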

The final aim is to induce the user to call the number indicated in the message. Over the phone, scammers can try to convince the user to provide sensitive data, such as login credentials, or to install malware, using more or less credible pretexts. It is a technique already seen in the past, which in this case has been perfected and made more effective by the fact that the starting point is a technically authentic communication.

[Screenshot: the message coming from PayPal, a central element of the scam scheme.]

How to defend yourself from the new PayPal email scam

From a practical point of view, how can you protect yourself from the new PayPal email scam? The most effective defense is not to interact with the contacts in the email. If you receive a message about automatic payments being disabled and purchases you don’t recognise, don’t panic: don’t call the phone numbers listed and don’t click on any links. The correct check consists in accessing your PayPal account directly, by typing the address https://www.paypal.com/it/home in your browser or using the official PayPal app, and then reviewing the transaction history. If there are no anomalous charges, the email can be safely ignored.

Meanwhile, PayPal told BleepingComputer that it is working to mitigate this specific form of abuse and reiterated that, in case of doubt, the only reliable channel is the assistance reachable from the app or from the official contact page:

PayPal does not tolerate fraudulent activity, and we work hard to protect our customers from ever-evolving phishing scams. We are actively mitigating this issue and encourage people to always be vigilant online and aware of unexpected messages. If customers suspect they are the target of a scam, we recommend they contact customer support directly through the PayPal app or our Contact Us page for assistance.