At first glance, the email looks like a textbook phishing attempt. Subject line: “Invoice from Help those affected by the California Wildfires. Body text: “‘Help those affected by the California Wildfires’ sent you an invoice for $35.00 USD.” A button in the email reads “View and Pay Invoice.” Who in their right mind would click that?
In fact, the email really is from PayPal (firstname.lastname@example.org) and there really is an invoice waiting for you in your PayPal dashboard. The transfer is already pending, even if you never clicked that dreaded button.
I should know: It happened to me this weekend. I was able to resolve it easily enough but, being a reporter by training, decided to put on my journalist hat and try to understand why this is happening, or at least what PayPal is doing about it.
For starters, a basic search of Twitter and user forums suggests I’m not alone, and this scam isn’t new. The organization in question isn’t always DirectRelief (GoDaddy and World Health Organization have also been impersonated), but the general email template remains consistent. (The spelling and copy editing, not so much.)
Someone sent me a legitimate Paypal invoice. Apparently they only needed my email address to do that?— Derek Slenk (@derekslenk) August 31, 2020
Took a bit to figure out how to cancel; I was worried for a hot minute
.@AskPayPal PayPal doesn't seem to have a reporting pathway for real invoices from fraudulent accounts. There's a dodgy California Wildfires one going around with deliberate text obfuscation. Stay frosty, folks. pic.twitter.com/3Dwb6LKeLS— Bill Eager (@beager) August 30, 2020
In a statement to Engadget, a PayPal spokeswoman acknowledged the scams. “We are aware of this and believe it to be a common scheme leveraging a brand name,” the spokeswoman said. “We take every instance of potential fraudulent schemes seriously, have worked to remove the incorrect invoices, and ensure our customer's information is secure.” The representative continued, alluding to preventive measures in place: “In addition to employing a range of sophisticated proactive detection and mitigation methods, if a situation does occur we’ll take swift action to protect our customer’s accounts.”
The spokesperson declined to clarify what PayPal’s fraud detection tools include. She also did not respond to questions asking what guardrails prevent someone from sending an invoice. It would seem, barring further clarification from PayPal, that anyone can invoice anyone.
If that’s the case, your best recourse might be of the reactive sort: disputing the transaction through PayPal. Which is hardly a satisfying solution. It’s worth a reminder that PayPal, a company with a market cap of $239.5 billion, does not have 24/7 customer service. Its Resolution Center is not available in the mobile app — the web dashboard only — and you need to wait for the transaction to cross the threshold from pending to complete for it to even be reportable. PayPal clearly has a fraud problem. But until the company improves its detection tools, it’s up to customers to play whack-a-mole.