PayPal Scam From PayPal

One of the most common human risk management recommendations is for users to hover over the URL links in unexpected messages and check whether the DNS domain involved really belongs to the company that supposedly sent the message.

Beware: that advice doesn't always work.

As an example, one of my co-workers recently got the following scam message. 

It's a scam message sent through PayPal asking the potential victim to pay an unexpected invoice. The scammers hope the victim believes the message is legitimate and calls the included number to dispute the payment. From there, they either get the victim to pay some sort of fee or to hand over credit card details (for a supposed refund), which are then fraudulently charged.

PayPal lists this scam in its own list of many PayPal scams.

You can see in the picture above that the email was sent from service@paypal.com. It really is from PayPal's own domain (paypal.com). If it had not come from paypal.com but merely claimed paypal.com in the From header, it would likely have been rejected by DMARC checks (DMARC requires the SPF or DKIM authenticated domain to align with the From domain, and paypal.com publishes a strict DMARC policy) or landed in my co-worker's Junk or Spam folder instead of his Inbox.

If you aren’t familiar with DMARC, check out these resources:

The email really was sent by mail servers/services authorized to send on behalf of PayPal and paypal.com.

Note: These scams often arrive as SMS messages instead, and DMARC does not apply to SMS at all.

If you click any of the links included in a PayPal scam of this type, they will most likely point to the real paypal.com domain. Often the scam begins with a message saying you have an unexpected bill and must click a link to download the invoice. If you do click that link, it really does take you to paypal.com and really does download a legitimate PayPal invoice.

If you call the included number, you will NOT reach an official PayPal support line. Instead, you will reach a fraudulent call center that may or may not identify itself as PayPal. Usually the same call center answers for many different brand-impersonation scams at once, so the scammer has no way of knowing you are calling about a PayPal invoice. They will ask you to describe why you are calling, which potential victims are very happy to do, and upon hearing the name PayPal they suddenly become PayPal support technicians.
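The signals described above (sender authentication passes, every link is on the brand domain, yet the body carries a phone number to call) can be encoded as a simple triage rule. The following script is an added example and is not part of the original post or any KnowBe4 or PayPal tooling. The two sample messages, their Authentication-Results headers, the invoice text, the URL path and the phone number are all constructed for illustration; the rule treats a DMARC pass and on-brand links as necessary but not sufficient, and flags an authenticated, on-brand message whose body contains a callback number.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the invoice scam described above. Headers,
# invoice text, URL path and phone number are invented. The
# Authentication-Results header is the kind a receiving MTA adds when the
# message genuinely came from the brand's authorized senders.
SCAM_MESSAGE = """\
From: PayPal <service@paypal.com>
To: victim@example.com
Subject: Invoice from Tech Support Services
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com;
 dmarc=pass header.from=paypal.com
Content-Type: text/plain; charset="utf-8"

Tech Support Services sent you an invoice for $499.99 USD.
Seller note: If you did not authorize this charge, call +1 (888) 555-0142
right away to cancel and get a refund.
View and pay invoice: https://www.paypal.com/invoice/p/EXAMPLE
"""

# Constructed contrast case: a spoofed From header that did not come from
# the brand's infrastructure, so SPF/DKIM do not align and DMARC fails.
SPOOFED_MESSAGE = """\
From: PayPal <service@paypal.com>
To: victim@example.com
Subject: Invoice from Tech Support Services
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=bulk.example.net;
 dkim=none;
 dmarc=fail header.from=paypal.com
Content-Type: text/plain; charset="utf-8"

Call +1 (888) 555-0142 to dispute this charge.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
# North American numbering plan shapes only; extend for other regions.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")


def parse_auth_results(msg):
    """Collapse all Authentication-Results headers into {method: result}."""
    text = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    return {m.lower(): r.lower() for m, r in AUTH_RE.findall(text)}


def sender_domain(msg):
    """Domain of the RFC 5322 From address, lower-cased."""
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()


def on_domain(host, domain):
    """True if host is domain or a subdomain of it (exact suffix match)."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def triage(raw_message, brand_domain):
    """Return the extracted signals and a verdict for a brand-invoice message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth = parse_auth_results(msg)
    from_domain = sender_domain(msg)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    links = URL_RE.findall(body)
    off_brand = [u for u in links
                 if not on_domain(urlparse(u).hostname or "", brand_domain)]
    phones = [p.strip() for p in PHONE_RE.findall(body)]

    if auth.get("dmarc") != "pass" or not on_domain(from_domain, brand_domain):
        verdict = "unauthenticated-or-unaligned"
    elif off_brand:
        verdict = "off-brand-link"
    elif phones:
        # Authenticated, links on the brand domain, yet a phone number in the
        # body: the exact shape of the invoice scam, so the number is untrusted.
        verdict = "callback-phishing-suspect"
    else:
        verdict = "authenticated-no-callback-lure"

    return {"auth": auth, "from_domain": from_domain, "links": links,
            "off_brand_links": off_brand, "phone_numbers": phones,
            "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("scam", SCAM_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(name, triage(raw, "paypal.com")["verdict"])
```

The point of the ordering is that the DMARC and link checks are done first and still pass for the scam sample; only the last branch catches it, which is why hovering over links alone is not enough. A real deployment would read the Authentication-Results header added by your own MTA rather than trusting one carried in the message.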

The scammers are taking advantage of features enabled by the legitimate company that allow them to send fraudulent messages which end up being delivered from the legitimate domain. Sometimes they sign up as a fake customer of the sending service, and it takes a while and a bunch of complaints before the legitimate company removes the fraudulent customer and account. Other times they abuse some messaging feature within the legitimate company's services: they send fraudulent invoices, send fake messages through the built-in messaging features, and even insert fake messages into the company's "refund" feature.

Basically, the scammers look for services at legitimate companies that let anyone send messages to customers and other people without being easily detected or blocked. This type of scam, where a legitimate company's own service is used to deliver fraudulent messages to customers and other people, has been occurring since nearly the beginning of computers.

Not New
This particular scam involving PayPal has been around for many years as well. Here's Brian Krebs writing about it in 2022. I'm not sure why PayPal isn't better at detecting and blocking it.

Defenses
Recognize that the common advice of hovering over a link and checking whether it really points to the brand domain it claims, in this case paypal.com, is not a 100% guarantee that the message isn't fraudulent.

Hovering and analyzing is still great advice and should absolutely be done every time, but it’s just the first step in analyzing a message to see if it is legitimate or not. It is not a fail-safe. 

If you get any unexpected invoice, contact the company using a known legitimate method and never rely on any information in the suspected message. Never call the included number. Instead, go directly to the legitimate website (typing the address yourself) or call a known good phone number for the company.

In the PayPal scenario above, if you go to the real paypal.com website, you will find that there is no outstanding invoice there. 

There are many other scams involving fraudulent invoices that originate from the real branded company. I previously wrote about a similar scam involving QuickBooks. The same concepts and defenses apply.

The overall takeaway from this post is that hovering over and analyzing URL links is great advice and should always be done for unexpected requests, but it isn't perfect. Scammers are tricky. Make sure your co-workers, family, and friends know about these types of scams.
