I got a ‘verified’ PayPal email, but it was a scam. Here’s how I knew

I got a ‘verified’ PayPal email, but it was a scam. Here’s how I knew

Byharoun12

What you can do about it Fortunately, a lot of the other common advice about spotting and avoiding email scams still applies in any scenario: Assume it’s a scam: It’s natural to panic when you get a message about unexpected activity on your account, and this can lead to rash actions and mistakes. For any…

Spread the love

What you can do about it

Fortunately, a lot of the other common advice about spotting and avoiding email scams still applies in any scenario:

Assume it’s a scam: It’s natural to panic when you get a message about unexpected activity on your account, and this can lead to rash actions and mistakes. For any account-related email or text message, your default posture should be suspicion.

Investigate the fake support number: When I searched the web for the phone number in the fraudulent PayPal email, I found it on Better Business Bureau’s Scam Tracker site, which reported on the exact kind of bogus email I’d received.

When in doubt, visit the real website manually: Don’t call the number or click the login button in a suspicious email. Instead, type the company’s website URL directly into your address bar or look up its official customer support number. (Beware when searching on Google for the support number, as that can lead to more scams.)

Look for other warning signs: In my case, the PayPal email had a bunch of other suspicious red flags:

  • Weird grammar, like this: “If fine, you may ignore. Auto pending bill accepted from this account.”
  • Unrecognized “to” email address: While the email came from PayPal, it was addressed to a “receipt3” at a domain I didn’t recognize.
  • Generic greeting: Ironically, PayPal’s email footer includes a note that says “Emails from PayPal will always contain your full name,” but this one didn’t. (Some phishing schemes do include personal information gleaned from the dark web, but generic messages are even more likely to be scams.)

Get a second opinion: One neat use of AI tools like ChatGPT is to post a screenshot of a suspicious email and ask if it’s legitimate. The AI bot will likely pick up on all the above factors and confirm that it’s a scam.

Asking ChatGPT whether a scam email is in fact a scam email, with the following answer: "Yes, this is a scam. The email you received is a classic phishing attempt dressed up to look like it's from PayPal. A few giveaways: Weird phrasing and formatting: The message is clunky "Auto pending bill accepted from this 1. account" and "Your New Account added you to the Crypto Wallet account" are not phrases PayPal would use. Legit companies write carefully. 2. Urgency and fear tactics: It tries to spook you with a large transaction (0.45) and dangles a phone number for "support." Real PayPal emails won't throw in random phone numbers for you to call. 3. Spoofed "From" address: Just because it says service@paypal.com doesn't mean it really came from PayPal. Scammers often forge the "From" header. What matters is the actual sending server, which you'd see in the full email headers. Unless the DKIM/SPF/DMARC records match PayPal's, the message is fraudulent. Gmail showing "signed-by. paypal.com" can sometimes be faked too — scammers exploit lookalike domains (like paypal.com with a capital i) or hacked mail relays. 4. Reply-to mismatch: If the reply-to address is different from the "From" address (as you spotted), that's a huge red flag. They want you to respond somewhere else, not to PayPal."
ChatGPT identifies the scam (except the DKIM records were correct).

Jared Newman / Foundry

Treat remote desktop software as a giant red flag with air horns and streamers attached to it: If a supposed support representative—whether for PayPal or otherwise—tells you to install software to help them diagnose the problem, you’re almost certainly about to unleash untold damage to your computer and to your digital life as a whole.

Take a breath: Scam emails tend to encourage immediate action in hopes of inducing a panicked reaction. My main advice here is to stop, breathe, collect your thoughts, and never act on impulse. (Even the most experienced security pros can fail to do this sometimes.) If I hadn’t taken a beat to think it over, this PayPal email might’ve gotten me.

This column first appeared in Advisorator, Jared’s weekly tech advice newsletter. Sign up to get tech advice like this every Tuesday.

Spread the love

Similar Posts