Reply With QuoteIt's a scam, as you probably suspected. Just delete it.
https://scammer.info/t/paypal-invoice-scam-2/110186
I've just received a very strange email from Paypal. It came from a bona fide PayPal address: service@paypal.com
I'm not buying anything from this seller ('Killo Carter'), nor best I can tell never have. So I haven't phoned PayPal.
Hello, killo Carter
Billing department Of PayPal sent you an estimate for £650.00 GBP.
Seller note to customer
According to the information, your PayPal account may have been illegally accessed. GBP 650. 00 has been deducted from your account to cover the cost of EBAY E GIFT CARD. This transaction will appear on the Payment activity page in the amount that was automatically deducted after 24 hours. If you think you did not make this transaction, call us right away at+44 800 058 4155, or visit the PayPal Support Center for assistance. Our Business Hours: (06:00 a. m. to 09:00 p. m. , SUNDAY through SATURDAY)
Don't know this seller?
You can safely ignore this estimate if you're not buying anything from this seller. PayPal won't ask you to call or send texts to phone numbers in an estimate. We don't ask for your credentials or auto-debit money from your account against any estimates. Contact us if you're still not sure.
Has anybody else received anything like this ? Thoughts anyone ?
Last edited by Seiko7A38; 16th October 2022 at 12:47.
It's a scam, as you probably suspected. Just delete it.
https://scammer.info/t/paypal-invoice-scam-2/110186
Thanks. Two things disconcerted me:
1) It appears to come from a genuine PayPal address.
2) It just so happens that I presently have £659 in the current account connected to my PayPal.
I suspect that you'll find that, while the FROM: field in the RFC822 headers may look legitimate, the SENDER: field will not be. Or perhaps that the "lowercase L" is actually a "digit one". It certainly didn't originate from a bone fide PayPal address, even though it may look like it.Originally Posted by Seiko7A38
Scam.
If you click on the "view your estimate" link it becomes very obvious that it is a scam...
Had the same a few days back. Just binned it.
I knew it was a scam, but like you, thought they’d faked the address well to make it look genuine.
What does the address look like when you hit reply, always found that an easy way to be sure.
Sent from my iPhone using Tapatalk
Two general things:
(1) The only way to really discover whether or not an email came from whom it purports to have come from is to examine its raw source code and to check the train of headers contained therein[1]. Genuine email addresses in the header prove nothing in and of themselves.
Many consumer mail clients seem to be making raw source information harder to extract but if you can get it then it is possible to verify it that way.
(There are also standards like DKIM, SPF and DMARC which can be of use if your mail client properly supports them and makes it clear if a particular email is compliant with them or not).
(2) Even if you are certain that an email came from the legitimate source (e.g. an email that purports to be from PayPal was actually sent from PayPal, or an email that purports to be from YouTube was actually sent from YouTube), this does NOT give an absolute guarantee that it is not a scam!
It is potentially possible for scammers to manipulate a platform into sending emails for them that look real but are still scams. This has happened at YouTube recently where channels have been hijacked using this method.
Anyway, regardless of the reply address, this one is definitely a scam! :-)
Footnote:-
1: Here, as an example, are the raw headers from a genuine email sent to me by PayPal (with some redactions). If you can't get this sort of stuff out of your mail client then consider moving to a better mail client/provider.
Code:Received: with MarksMailServer Connector; Sat, 15 Oct 2022 18:38:38 +0100 Received: from mx4.slc.paypal.com ([173.0.84.229]) by mail.marksdomain.net with MarksMailServer ESMTP; Sat, 15 Oct 2022 18:38:36 +0100 DKIM-Signature: v=1; a=rsa-sha256; d=paypal.co.uk; s=pp-dkim1; c=relaxed/relaxed; q=dns/txt; i=@paypal.co.uk; t=1665855515; h=From:From:Subject:Date:To:MIME-Version:Content-Type; bh=6vg/DOHuPqXXxK8fMe9Q40EtkcubmAv573XbY/EZ2A4=; b=ZL2W8avWmnET1A0mDk60MmlWU/QmXkAN82F0vg/mYDZ8NeSBEEKqBz34go2FSwFX nDt+DKx7k6vuB0eCO2ycIuBdoSr/y5p49Rr/Uj4JOwJKiBeRywY4dg3aHHb28kA7 +/ZqJ3PGZJbeXFkA06S92v/lweE/4Gu9PE6WUescg60K0F4BlntBtsOowtNKEfxo F6BNx8HjKlD29lx/EnT/hv+TolxonHUguLSFVHpVjr5T3tlLJGjI4sKBtB63ngFB GtEs2uhk+Ati+hjcr877USHi75GA2J4LQYbmT6YC2LVWFxTQ62Y3fTvHbecH1GhQ 4f09ym+XnaCyBh6//oiwnw==; Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset="UTF-8" Date: Sat, 15 Oct 2022 10:38:35 -0700 Message-ID: <0B.31.31736.B10FA436@ccg13mail06> X-PP-REQUESTED-TIME: 1665855507882 X-PP-Email-transmission-Id: 3078e8be-4cb0-11ed-af78-3cfdfeef7850 PP-Correlation-Id: a01f045984bed Subject: Your Pay in 3 payment confirmation X-MaxCode-Template: PPC002220 To: Mark Rousell <mark's email address> From: "service@paypal.co.uk" <service@paypal.co.uk> X-Email-Type-Id: PPC002220 MIME-Version: 1.0 X-PP-Priority: 0-none-true AMQ-Delivery-Message-Id: nullval X-XPT-XSL-Name: nullval Received-SPF: pass (mail.marksdomain.net: domain of paypal.co.uk designates 173.0.84.229 as permitted sender) client-ip=173.0.84.229 Return-Path: <service@paypal.co.uk>
Last edited by markrlondon; 16th October 2022 at 16:12.
That will just show what the REPLY TO: field is set to, and really proves nothing. Most email clients allow the sender to set that field to whatever they want.
It's a real invoice and a real PayPal account - anyone can create an account and an invoice it means nothing.
The scam is to get you on the phone and get you to install software and then take over your accounts.
(I received the same invoice).
Last edited by Alansmithee; 16th October 2022 at 18:45.
Do you know if the email was sent via PayPal's system or directly by the scammer?
Reason I ask is, if sent via PayPal, one might have hoped that PayPal would detect and block usernames like "Billing department Of PayPal".
It's sent directly via Paypal's system - amazing as it seems Paypal does not prevent you setting the display name as this - the underlying account name could be anything.
What they also do is use the note field to provide more information as if it's from paypal.
They use a range of freephone numbers and each time takes you throw to the scammer - I've done it.
Good grief.
There is something very typically "US new tech" about leaving such obvious risks whilst complying super-fully with the more direct regulations.
Fun. ;-)
I just received another fraudulent estimate from 'Killo Carter', purporting to come from Paypal - this time for £550.
I immediately deleted it and then this one appeared in my email inbox:
More as a safety measure, I've since removed my bank and credit card details from my PayPal account. I don't use it much, nowadays anyway (only for Buyee / Yahoo Japan). If everybody who receives these SCAM emails does the same (and effectively stops using their service), perhaps PayPal will get off their arses and do something about it.
Last edited by Seiko7A38; 19th October 2022 at 12:24.
Posting Permissions
