It’s usually easy to spot a scam. Typos, poor grammar, unsolicited attachments and spoofed email addresses, among other indicators, are all warning signs. Imagine my surprise when an email arrived that didn’t display any of these traits. It was an attempt to scam me out of $479 in PayPal funds. This is how it works.
PayPal sent me an email with the subject “Billing Department updated you invoice”, followed by an invoice number. (I’ll keep it confidential to protect myself from being identified as an active receiver.) The email contained an estimated amount of $479 as well as a link to view my estimate on PayPal. It claimed that the charge was made to Coinbase. This is noteworthy considering that PayPal has been involved in cryptocurrency.
I immediately thought that it was a phishing scam email. It had a hidden URL and an email header that was fake. However, I was able to verify that the email came from PayPal and that the URL linked to my PayPal invoice actually referred to my account. This wasn’t a scam website trying to trick me into giving my login credentials.
Next, I thought that my account was compromised and that I would need to change my password and attempt to reverse the fraudulent charge. This is what gives the scam its clever twist. It passes the traditional phishing test and uses PayPal’s billing system against the user.
The seller note at the bottom instructs the potential victim to call a help desk number in order to cancel the transaction. The trap or hook is in the phone number. It’s not associated with PayPal. Knowing this, I called the number to learn more about the scam.
The woman replied simply “PayPal” and was then urged to authorize the fake invoice payment. After being pressed, she was surprised to reveal the scam. This was likely due to the fact that it was a war of attrition and it was not practical to continue the ruse after the game was over.
This is how it works. Although it is unlikely that all users will fall for this scam, I am confident enough to know of others who might. PayPal attaches a warning label to these types of invoices as shown in this image.
“Don’t know the seller?” The note states that you can ignore the estimate if this seller isn’t your buyer. In an estimate, PayPal won’t ask for your phone number or text messages. For any estimate, we don’t need your credentials or to auto-debit funds from your account. If you are still unsure, please contact us.
It is against my mental reflexes to ignore an invoice, whether it is real or fake, but in this instance, it’s the right thing to do. Do not click on “Accept the Estimate”, and do not call the number.