Scam emails will fool you!

Author: Sharrief Shabazz

So a friend of mine got this email:

Screenshot of spam email on iPhone

At first glance, you might not recognize the weird things about this email. And to someone casually going through their email inbox, the overall aesthetic looks legit. The email address of the sender (service@paypal.com) is legit. And if you happened to click on the "View Invoice" link, you would be taken to an invoice on a legitimate PayPal website.

Screenshot of invoice at PayPal

Clicking "View Invoice" takes you to www.paypal.com, which we know is a legitimate website. The reason the email and this invoice both look so legit is: they are legit! They were created using PayPal's tools for sellers & businesses. You see, anyone can create a PayPal account and start sending invoices. An honest business would only send invoices for things you'd purchased. But scammers are hijacking this feature to send you invoices for things you never purchased. And they are trying to trick you into contacting them by adding in messages like "We authorised a payment" and "auto deducted from your account."

The PayPal tools for creating an invoice allow the seller to specify information like who is being billed and what they are being billed for. Those tools also automatically send emails which contain that invoice information. Since those emails are sent by PayPal's tools, they arrive from a PayPal email address. Scammers are taking advantage of these tools to send legitimate-looking emails to potential victims.

The very top of the email is supposed to contain the customer's name. But instead, it has a message that says "Hello, we authorised..." This is because that message is what the scammers entered as the customer name. When you look at the invoice, you can see the Bill to also contains this message instead of a customer name. The scammers are misusing the place where the customer's name goes so they can get the email to say what they want to say.

The scammers also have a 1-800 phone number, which is pretty impressive and speaks to the sophistication of the modern scammer. Please don't call this number, unless you want scammers to call you with other scams.

The scammers specified their business name as "Reach us to" which is why the email has the big bold message "Reach us to canceled your invoice". It seems that the scammers created an invoice, then canceled the invoice so that PayPal's tools would send this specific email template which is used for canceled invoices. Under normal circumstances, the email would say something like "Joe's Shoe Shop canceled your invoice."
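The field misuse described above can be checked mechanically. The following is an added example, not part of the original article and not PayPal code: it flags a notification whose customer-name or business-name slot holds a sentence, a phone number or call-to-action wording. The plain-text layout, the sample messages and the function names are assumptions built from the wording quoted in the article.

```python
import re
from email import message_from_string

# Constructed samples built from the wording quoted in the article; the
# plain-text layout and the reserved fictional phone number are assumptions.
SCAM = """\
From: service@paypal.com
Subject: Reach us to canceled your invoice

Hello, we authorised a payment, auto deducted from your account. Call 1-800-555-0100

Reach us to canceled your invoice
"""
NORMAL = """\
From: service@paypal.com
Subject: Joe's Shoe Shop canceled your invoice

Hello, Jane Doe

Joe's Shoe Shop canceled your invoice
"""

PHONE = re.compile(r"\+?1?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LURE = re.compile(r"\b(authori[sz]ed|deducted|payment|refund|call|contact|reach us)\b", re.I)

def field_findings(label, value):
    """Reasons a seller-supplied name field reads like a message, not a name."""
    reasons = []
    if len(value.split()) > 5:
        reasons.append(f"{label}: too long for a name")
    if PHONE.search(value):
        reasons.append(f"{label}: contains a phone number")
    if LURE.search(value):
        reasons.append(f"{label}: contains call-to-action wording")
    return reasons

def inspect_invoice_mail(raw):
    """Check the greeting (customer name) and the seller name in the headline."""
    body = message_from_string(raw).get_payload()
    findings = []
    greeting = re.search(r"^Hello,[ \t]*(.+)$", body, re.M)
    if greeting:
        findings += field_findings("customer name", greeting.group(1).strip())
    headline = re.search(r"^(.+?) canceled your invoice[ \t]*$", body, re.M)
    if headline:
        findings += field_findings("business name", headline.group(1).strip())
    return findings
```

Both samples carry the same genuine sender address, so only the content of the seller-controlled fields separates them.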

Unfortunately, it does take a considerable amount of investigation to determine exactly what parts of this scam are legitimate and what parts aren't. Email services like Gmail and Outlook do a generally good job of blocking or filtering out spam emails, but this email was sent by PayPal's systems, and spam filters don't block emails from legitimate senders like PayPal. One way to protect yourself from ever-more sophisticated scams is to remain skeptical of every email you receive, especially emails you weren't expecting or emails warning you about money. Always check the email address of the sender, and don't click links if you can avoid it. It's better to go directly to the website and then sign in to your account, or to search the website for information that corroborates the email.

Personally, I take things a step further. I use masked emails for every online service or account that I have. A masked email is a randomized email address that forwards emails to your main email address. For example, if I were to purchase shoes from Joe's Shoe Shop, I would have invoices sent to the masked email address agile.zone3971@fastmail.com. Any email Joe's Shoe Shop sends to that email address will get sent to my main email address, and Joe will have no idea what my main email address is. When the invoice from Joe arrives, my email service tells me which masked email address it was sent to. So I will have greater confidence the invoice is legitimate because it was sent to the email address I gave to Joe. If anyone other than Joe sends an email to that email address, then I would have reason to suspect a scam or suspect that Joe shared my email address with some advertisers without my consent.

Managing my personal email inbox got much easier once I started using masked email since I could auto-categorize emails based on the masked email that received them. And getting rid of spam is as easy as deleting the masked email address that the spam was sent to (and providing a new masked email address on the site I originally gave the masked email to).
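The masked-email check described above can be automated. This is an added example, not code from the article or from any masked-email service: it compares the alias a message was addressed to with the sender that alias was handed out to. The registry, the `joesshoeshop.example` domain and the assumption that the alias survives in the `Delivered-To` or `To` header are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical registry: which sender domains each masked address was given to.
# The alias is the article's example; the shop's domain is a placeholder.
ALIASES = {
    "agile.zone3971@fastmail.com": {"joesshoeshop.example"},
}

# Constructed message: a PayPal notification arriving at the alias that was
# only ever given to Joe's Shoe Shop.
SAMPLE = """\
From: service@paypal.com
To: agile.zone3971@fastmail.com
Subject: Reach us to canceled your invoice

(body omitted)
"""

def sender_domain(msg):
    """Domain part of the From address, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def check_alias(raw):
    """Classify a message by whether its sender matches the alias it reached."""
    msg = message_from_string(raw)
    rcpt = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1].lower()
    expected = ALIASES.get(rcpt)
    if expected is None:
        return "unknown-alias"
    dom = sender_domain(msg)
    # Accept the registered domain itself or any of its subdomains.
    if any(dom == d or dom.endswith("." + d) for d in expected):
        return "expected-sender"
    return "unexpected-sender"
```

A mismatch means the address leaked or was shared. A match only says the mail came from the domain the alias was given to, which is why an invoice relayed through PayPal to an alias registered with PayPal would still need its content read skeptically.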

I'll write a how-to on masked emails in a future article. They are easier to use than you may think. But if you want to try out masked emails yourself, there are a few services you can use:

If you've got some stories about security, privacy or technology that you'd like to share, please let me know and I'll see if I can share my perspective in an article. You can email them to dark.moon8393@sharrief.com.

Stay safe out there!