In brief: Scammers know the best way to get people to fall for a phishing email is to make it convincing and suggest a lack of response will result in financial penalties. A new campaign that uses fake PayPal invoices meets both of those requirements, and it's proving successful.
Krebs on Security reports that the phishing emails claim to be an invoice from PayPal's billing department asking for $600. Most people these days know to check the sender's email address in suspicious messages to see whether it looks fake, but this one originates from PayPal.com. The email even includes a link at PayPal.com that displays the invoice.
Moreover, the message headers show it passed email validation checks as originating from PayPal, and it was sent through an internet address assigned to the payment company. Not only does this make it an extremely convincing phishing scam, but it should also guarantee the message is delivered and doesn't end up in recipients' spam folders.
The included message might not be worded as professionally as what you'd expect from a major company like PayPal. Nevertheless, it lacks the spelling or grammatical errors that can expose emails as scams.
"There is evidence that your PayPal account has been accessed unlawfully," it reads. "$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number."
Calling the phone number is where the scam begins in earnest. Victims are greeted by a so-called "customer service" rep who doesn't identify any company. They explain that the only way to address the issue and avoid paying the money is to visit a specific website and download a remote administration tool. Anyone who does download this software will soon find they've lost a lot more than $600.
Krebs writes that the invoices appear to have come from a compromised or fraudulent PayPal Business account that allows users to send invoices. The emails' convincing setup means many have already fallen for the scam; there are claims in the comments of people being robbed of over $1,000. The best solution to emails like this one, of course, is to log into the service directly to check for any suspicious activity.
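As an added example (not code from the article or from Krebs), here is the kind of heuristic a mail filter could apply to the case described above: the authentication results are parsed but not treated as proof of legitimacy, and the attacker-controlled invoice note is checked for the callback lure (an urgency claim, a dollar amount and a phone number). The message below is constructed; its header values, domains and phone number are made up.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample modelled on the campaign described above; the note text
# follows the article, but the headers, domains and phone number are made up.
SAMPLE_EMAIL = """\
From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Invoice from PayPal billing department
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Content-Type: text/plain; charset=utf-8

There is evidence that your PayPal account has been accessed unlawfully.
$600.00 has been debited to your account for the Walmart Gift Card purchase.
If you suspect you did not make this transaction, immediately contact us at
the toll-free number 1-800-555-0199.
"""

URGENCY = ("unlawfully", "unauthorized", "immediately", "suspicious")
PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?(?:\(?\d{3}\)?[-. ]?)\d{3}[-. ]?\d{4}\b")
AMOUNT_RE = re.compile(r"\$\d[\d,]*(?:\.\d{2})?")

def auth_results(msg: Message) -> dict:
    """Return e.g. {'spf': 'pass', 'dkim': 'pass'} from Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))

def classify_invoice(raw: str) -> dict:
    """Flag a plain-text invoice note that carries a callback-phishing lure,
    whether or not the message passed SPF/DKIM/DMARC."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    body = msg.get_payload()  # plain-text body of a non-multipart message
    indicators = {
        "authenticated": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "urgency": any(w in body.lower() for w in URGENCY),
        "amount": bool(AMOUNT_RE.search(body)),
        "phone": bool(PHONE_RE.search(body)),
    }
    # Passing authentication only proves which platform sent the mail; the
    # free-text note is attacker-controlled, so the lure alone decides.
    suspicious = indicators["urgency"] and indicators["amount"] and indicators["phone"]
    return {**indicators, "suspicious": suspicious}

if __name__ == "__main__":
    print(classify_invoice(SAMPLE_EMAIL))
```

For the constructed message every authentication check passes and the note is still flagged, which is the point: the verdict comes from the body, not the headers.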
With much of the online world now more tech-savvy than ever before, criminals know their scams need to be much more convincing than pretending to be a Nigerian prince. A recent one in the UK involved random victims receiving fake Microsoft Office USB sticks in realistic MS packaging.