Gmail users have been warned of a surge in image-based attacks, TikTok users are facing a VIP upgrade offer threat, and LastPass has urged users not to change their master passwords as a 'you've been hacked' email circulates. Now, security experts at KnowBe4 have issued a warning for PayPal users as cybercriminals use a genuine PayPal email address to send an invoice. PayPal itself has responded to this attack with a 'do not pay, do not phone' warning. Here's everything you need to know about the latest scam, which could prove costly if you don't follow the advice given.
PayPal Invoice Attack — What You Need To Know
The latest PayPal attack warning dropped into my email from the folks at KnowBe4 this week, alerting me to a scam that purports to be from PayPal and is even delivered from a genuine PayPal email address. "You receive an email from a real PayPal email address," the email warned, which "contains an invoice for a large purchase you did not make, and a phone number for you to call if you want to dispute the charge."
This may well sound familiar, not least because this type of TOAD attack is something I have detailed before. A telephone-oriented attack delivery (TOAD) threat usually contains a PDF invoice or other seemingly official document, along with messaging that uses urgency and fear of financial loss to persuade victims to call an adversary-controlled phone number. The email itself carries no malicious link or attachment, which is why it passes mail filters that look for those; the payload is the phone call.
Indeed, the PayPal version of the TOAD attack is not new either. I have warned again and again of the dangers of this scam. Nevertheless, it would appear that the very same attack is doing the rounds once more.
"Cybercriminals create a PayPal account and use it to send you a fake payment invoice," KnowBe4 warned, "the email you receive is real, but the invoice is not, and if you call the phone number in the email, you will not be connected to PayPal's support team." Instead, you get through to a threat actor impersonating a PayPal support worker, whose aim is to relieve you of your credit card details under the pretext of issuing a refund, or to charge you a fee to fix your 'hacked' account. Note that because the invoice is sent through PayPal's own platform, the message passes SPF and DKIM checks for paypal.com; the only attacker-controlled content is the invoice note and the phone number inside it.
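Because the sender address and mail authentication are genuine, a mail filter that only checks the From domain will pass these messages. What distinguishes them is the combination described above: an authenticated PayPal invoice notification whose seller-written note contains a callback phone number. The following heuristic classifier is an added example written for this page; it is not code from KnowBe4, PayPal or the original article. The three sample messages are constructed, the phone numbers use the fictional 555-01xx range, and the code assumes the receiving mail server stamps a standard Authentication-Results header (RFC 8601) with the SPF and DKIM results.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Common US/UK phone formats. Written-out numbers ("eight hundred ...") are not caught.
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
INVOICE_RE = re.compile(r"\b(invoice|money request|payment request)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(unauthori[sz]ed|dispute|cancel|refund|within\s+\d+\s+hours|immediately)\b", re.I
)


def _from_paypal(domain: str) -> bool:
    """True for paypal.com and its subdomains (e.g. mail.paypal.com)."""
    return domain == "paypal.com" or domain.endswith(".paypal.com")


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts; HTML-only mail yields an empty string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def toad_indicators(raw: str) -> dict:
    """Extract the signals that together make up the PayPal invoice TOAD pattern."""
    msg = message_from_string(raw)
    body = _body_text(msg)
    text = f"{msg.get('Subject', '')}\n{body}"
    auth = msg.get("Authentication-Results", "").lower()
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "from_paypal": _from_paypal(domain),
        "auth_pass": "spf=pass" in auth and "dkim=pass" in auth,
        "invoice": bool(INVOICE_RE.search(text)),
        # Phone numbers are taken from the body only; the subject carries the invoice id.
        "phone_numbers": PHONE_RE.findall(body),
        "urgency": bool(URGENCY_RE.search(text)),
    }


def classify(raw: str) -> str:
    """'toad-suspect' = genuine PayPal invoice mail that asks you to call a number."""
    ind = toad_indicators(raw)
    if not (ind["from_paypal"] and ind["auth_pass"]):
        return "not-paypal"  # ordinary spoof or lookalike domain; different playbook
    if ind["invoice"] and ind["phone_numbers"]:
        return "toad-suspect"
    return "benign"


# Constructed samples (not real messages).
SCAM_EMAIL = (
    "From: \"service@paypal.com\" <service@paypal.com>\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com;"
    " dkim=pass header.d=paypal.com\n"
    "Subject: Invoice from Crypto Hardware Store (0001)\n"
    "\n"
    "Hello, you have received an invoice for $499.99.\n"
    "Note from seller: If you did not authorize this purchase, call our\n"
    "support line at +1 (800) 555-0199 within 24 hours to dispute the charge.\n"
)
BENIGN_EMAIL = (
    "From: \"service@paypal.com\" <service@paypal.com>\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com;"
    " dkim=pass header.d=paypal.com\n"
    "Subject: Invoice from Local Bakery (0002)\n"
    "\n"
    "Hello, you have received an invoice for $45.50.\n"
    "Note from seller: Thanks for your order, please pay by the due date.\n"
)
SPOOFED_EMAIL = (
    "From: \"PayPal\" <billing@paypa1-support.example>\n"
    "Authentication-Results: mx.example.net; spf=fail; dkim=none\n"
    "Subject: Your invoice is due\n"
    "\n"
    "Call +1 (800) 555-0123 immediately to cancel this invoice.\n"
)

if __name__ == "__main__":
    for name, raw in [("scam", SCAM_EMAIL), ("benign", BENIGN_EMAIL), ("spoof", SPOOFED_EMAIL)]:
        print(name, classify(raw), toad_indicators(raw)["phone_numbers"])
```

The point of the three-way verdict is that this scam is not caught by the usual "is the sender really PayPal?" check; it is caught by asking why an invoice notification needs you to phone anyone. Expect false positives on seller notes that legitimately include a business phone number, and on invoice ids of ten or more digits, which the phone regex will match; treat the verdict as a triage flag, not a block decision.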
I have approached PayPal for a statement, but in the meantime, its published guidance for this kind of TOAD attack is as follows:
“If you receive a suspicious invoice or money request, don’t pay it. And don’t call any phone numbers stated in the invoice note or open suspicious URLs. Report any unwarranted invoices or money requests by logging in to the PayPal website or the PayPal app.”