October 2, 2025

I got a ‘verified’ PayPal email, but it was a scam. Here’s how I knew

About a month ago, I received a scam email that almost tricked me.

It purported to be from PayPal, alerting me to an almost $1,000 charge that was “logged to a new profile.” The message implied that some kind of crypto wallet was connected to my account, and it provided a number to call if I didn’t recognize the activity.

Normally I’d disregard this kind of message as obviously fraudulent, but I saw that the email came from a legitimate @paypal.com address. It also included a “set up your profile” button at the bottom, which my browser showed as a link to PayPal’s actual website.

I eventually deduced that this was, in fact, a scam and I could safely disregard the email. But making that determination required looking deeper than the usual tips about how to spot fraudulent messages.

This column first appeared in Advisorator, Jared’s weekly tech advice newsletter. Sign up to get tech advice like this every Tuesday.

A closer look at the scam email

Jared Newman / Foundry

As CyberGuy’s Kurt Knutsson reported in late June, PayPal is in fact generating these emails… but at the behest of scammers who are abusing the site’s secondary address and profile tools. A couple of Reddit threads have more details on how it all works.

But if you don’t have the time, here’s the gist of it:

  • The attacker creates a PayPal account for the express purpose of scamming people.
  • The attacker adds a secondary user or new address to the account, but instead of entering an actual username or address, they insert a message about how you need to call PayPal (with a bogus phone number) about the activity.
  • The attacker then intercepts the email that PayPal sends for this activity and re-transmits it to potential victims, exploiting a known flaw in how email authentication works.

In other words, while a legitimate address change would prompt an email that said “Address Updated: 123 Main Street,” these scammers are intercepting and producing PayPal-verified messages along the lines of “Address Updated: To ensure the security of your account, call PayPal at (scammer’s phone number goes here).”

The resulting email comes from a real PayPal email address and has a high chance of getting past spam filters, but the message inside is completely bogus. If you call the fake customer support number, the attacker will encourage you to install remote desktop software, which they’ll use to take over your computer and wreak all kinds of havoc.

Where conventional wisdom goes wrong

It’s unclear to me why PayPal is allowing this. If a PayPal user wants to add another address or user profile to their account, you’d think there would be some character limit or address check to prevent spammers from inserting fake multi-sentence messages in their place. (PayPal did not respond to several requests for comment.)

But that’s also beside the broader point, which is that the conventional advice for detecting phishing scams may not always apply.

Microsoft, for instance, says you can spot scam emails by looking for incorrect email addresses or suspicious links. That advice wouldn’t have helped here. Even when I took the extra step of inspecting email headers, Gmail reported no issues with the message’s DKIM or DMARC authentication. It was, in fact, a verified PayPal email.

What you can do about it

Fortunately, a lot of the other common advice about spotting and avoiding email scams still applies in any scenario:

Assume it’s a scam: It’s natural to panic when you get a message about unexpected activity on your account, and this can lead to rash actions and mistakes. For any account-related email or text message, your default posture should be suspicion.

Investigate the fake support number: When I searched the web for the phone number in the fraudulent PayPal email, I found it on Better Business Bureau’s Scam Tracker site, which reported on the exact kind of bogus email I’d received.

When in doubt, visit the real website manually: Don’t call the number or click the login button in a suspicious email. Instead, type the company’s website URL directly into your address bar or look up its official customer support number. (Beware when searching on Google for the support number, as that can lead to more scams.)

Look for other warning signs: In my case, the PayPal email had a bunch of other suspicious red flags:

  • Weird grammar, like this: “If fine, you may ignore. Auto pending bill accepted from this account.”
  • Unrecognized “to” email address: While the email came from PayPal, it was addressed to a “receipt3” at a domain I didn’t recognize.
  • Generic greeting: Ironically, PayPal’s email footer includes a note that says “Emails from PayPal will always contain your full name,” but this one didn’t. (Some phishing schemes do include personal information gleaned from the dark web, but generic messages are even more likely to be scams.)

Get a second opinion: One neat use of AI tools like ChatGPT is to post a screenshot of a suspicious email and ask if it’s legitimate. The AI bot will likely pick up on all the above factors and confirm that it’s a scam.


Treat remote desktop software as a giant red flag with air horns and streamers attached to it: If a supposed support representative—whether for PayPal or otherwise—tells you to install software to help them diagnose the problem, you’re almost certainly about to unleash untold damage to your computer and to your digital life as a whole.

Take a breath: Scam emails tend to encourage immediate action in hopes of inducing a panicked reaction. My main advice here is to stop, breathe, collect your thoughts, and never act on impulse. (Even the most experienced security pros can fail to do this sometimes.) If I hadn’t taken a beat to think it over, this PayPal email might’ve gotten me.
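The warning signs described above (a genuine PayPal signature, a “to” address that isn’t yours, no full name, and a phone number to call) can also be checked mechanically. This is an added example, not part of the original column: the sample message, the addresses and the function name `replay_indicators` are constructed for illustration. It relies on the fact that DKIM does not cover the envelope recipient, so an unchanged copy re-sent to someone else still verifies.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Constructed sample message: every header and body line is invented.
SAMPLE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=paypal.com; dmarc=pass
From: PayPal <service@paypal.com>
To: receipt3@unrelated-domain.example
Subject: You added a new address

Hello,

Address Updated: To ensure the security of your account, call PayPal at (555) 010-0199.
If fine, you may ignore.
"""

PHONE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL = re.compile(r"\b(call|contact|dial)\b", re.I)

def replay_indicators(raw, mailbox, full_name):
    """List the warning signs found in a message that landed in `mailbox`."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    # Did the receiving server record a DKIM pass for the From domain?
    auth = str(msg.get("Authentication-Results", "")).lower()
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    authenticated = "dkim=pass" in auth and f"header.d={from_domain}" in auth
    # A replayed copy is sent unchanged, so its To header still names the
    # original recipient instead of the mailbox it was delivered to.
    to_addrs = getaddresses([str(v) for v in msg.get_all("To", [])])
    if authenticated and mailbox.lower() not in {a.lower() for _, a in to_addrs}:
        flags.append("authenticated-but-addressed-to-someone-else")
    body = msg.get_content()
    # A phone number plus a prompt to call, where an address should be.
    if PHONE.search(body) and CALL.search(body):
        flags.append("callback-number-in-body")
    if full_name.lower() not in body.lower():
        flags.append("generic-greeting")
    return flags

if __name__ == "__main__":
    print(replay_indicators(SAMPLE, "me@example.org", "Jordan Example"))
```

These are heuristics: mail delivered through BCC, aliases or mailing lists also fails the “to” check, so a match is a reason to look closer, not a verdict.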


This article is written by: Nermeen Nabil Khear Abdelmalak
