This kind of scam is astonishingly easy for cybercriminals to set up, and it avoids sending spoofed emails or tricking you into visiting bogus websites. That's because the crooks use a PayPal service to generate their initial contact via official PayPal servers.
A spoofed email is one that insists it’s from a well-known company or domain, typically by putting a believable email address in the From: line, and by including logos, taglines or other contact details copied from the brand it’s trying to impersonate.
Remember that the name and email address shown in an email are just part of the message itself, so the sender can put almost anything they like in there, regardless of where they really sent the message from.
A spoofed website is one that copies the look and feel of the real thing, often simply by ripping off the exact web content and images from the original site to make it look as similar as possible.
Scam sites may also try to make the domain name that you see in the address bar look at least vaguely realistic, for example by putting the spoofed brand at the left-hand end of the web address, so that you might see something like paypal.com.bogus.example, in the hope that you won’t check the right-hand end of the name, which actually determines who owns the site.
Other scammers try to acquire lookalike names, for example by replacing W (one W-for-Whisky character) with VV (two V-for-Victor characters), or by using I (an upper case I-for-India character) in place of l (a lower case L-for-Lima character).
But spoofing tricks of this sort can often be spotted fairly easily, for example by:
Learning how to examine the so-called headers of an email message, which show which server a message actually came from, rather than the server that the sender claimed they sent it from.
Setting up an email filter that automatically scans for signs of a scam in both the headers and the body of every email message that anyone tries to send you.
Browsing via a network or endpoint firewall that blocks outbound web requests to fake sites and discards inbound web replies that include risky content.
Using a password manager that ties usernames and passwords to specific websites, and thus can’t be fooled by fake content or lookalike names.
Email scammers therefore often go out of their way to ensure that their first contact with potential victims involves messages that really do come from genuine sites or online services, and that link to servers that really are run by those same legitimate sites.
The “money request” scam
Here’s how the PayPal “money request” scam works:
The scammer creates a PayPal account and uses PayPal’s “money request” service to send you an official PayPal email asking you to send them some funds. Friends can use this service as an informal but relatively safe way of splitting expenses after a night out, asking for help paying a bill, or even to get paid for small tasks such as cleaning, gardening, pet sitting, and so on.
The scammer makes the request look like an existing charge for a genuine product or service, though not one you actually ordered, and probably for what looks like an unlikely or unreasonable price.
The scammer adds a contact phone number into the message, apparently offering an easy way to cancel the payment request if you think it’s a scam.
So, the email actually does originate from PayPal, giving it an air of authenticity, but entices you to react by phoning the crooks back, rather than by replying to the email itself. In this example, the product you’re supposed to have purchased is the name of a genuine consumer anti-virus program, with the number 365 tacked on the end to give it the look of an online-only cloud-based product.
Because you know perfectly well that you never authorized the payment request, you may well report it to PayPal.
The cybercriminals have simply found a way to abuse PayPal’s free Money Request service to generate emails that really do come from PayPal, that include real PayPal links, and that use the message field in the request to give you an official-looking way to contact them directly.
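As an added illustration (not code from the original article), here is a sketch of a mail filter rule that looks at both the headers and the body, and shows why a header check alone passes this scam. It assumes the Authentication-Results header is written by your own mail server; the function names, sample messages and phone number are constructed for the example.

```python
import re
from email import message_from_string

BRAND = "paypal.com"  # domain the filter protects
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")  # loose phone-number shape

def host_in_domain(host, domain):
    """Match on the right-hand end: the domain itself or a true subdomain."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def dkim_pass_domains(msg):
    """Signing domains with dkim=pass in Authentication-Results (assumed
    to be written by your own mail server, with forged copies stripped)."""
    found = []
    for value in msg.get_all("Authentication-Results", []):
        found += re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", value)
    return found

def phone_numbers(text):
    """Candidates containing 10 to 15 digits, to skip prices and short numbers."""
    return [m.group() for m in PHONE.finditer(text)
            if 10 <= sum(c.isdigit() for c in m.group()) <= 15]

def classify(raw):
    msg = message_from_string(raw)
    claims_brand = "paypal" in msg.get("From", "").lower()
    signed = any(host_in_domain(d, BRAND) for d in dkim_pass_domains(msg))
    body = " ".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    if claims_brand and not signed:
        return "spoofed"  # the headers give it away
    if signed and phone_numbers(body):
        return "genuine-sender-callback-lure"  # headers pass, body does not
    return "no-finding"

# Constructed sample messages; the phone number is fictional.
AUTH = "Authentication-Results: mx.recipient.example; dkim=pass header.d="
REQUEST = (AUTH + "paypal.com\nFrom: service@paypal.com\n\n"
           "Note: to cancel this charge call +1 (555) 010-0199\n")
SPOOF = (AUTH + "bogus.example\nFrom: PayPal <service@paypal.com.bogus.example>\n\n"
         "Your account is limited.\n")
FRIEND = (AUTH + "paypal.com\nFrom: service@paypal.com\n\n"
          "A friend asked you for $12.50 to split dinner.\n")

if __name__ == "__main__":
    for name, raw in (("request", REQUEST), ("spoof", SPOOF), ("friend", FRIEND)):
        print(name, "->", classify(raw))
```

The body check is a heuristic: a genuine request can also contain a phone number, so a hit is a reason to look more closely, not proof of fraud.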
What to do?
If you simply do nothing, then nothing gets paid out and no one receives anything, so the scam fails.
We nevertheless recommend that you report bogus requests of this sort to PayPal, which will help to get the offending account closed down and to ensure that no one else either pays up through fear or calls the given phone number “just in case”. (You can visit PayPal’s Report potential fraud page for further information, or forward suspicious emails to firstname.lastname@example.org.)
Whatever you do, don’t send any money, and definitely don’t call the criminals back, because their true goal is to establish direct contact so they can start working you over to trick you into revealing personal information that could ultimately cost you a lot of money.
Stay safe out there