PayPal allows anyone to send you an invoice containing the text of their choosing. In this attack technique, they send you an email suggesting that they already have your money, and you should call the telephone number in their lure if you have a problem with that.

Because PayPal is acting as a (clueless) accomplice in this scam, the email contains markers of legitimacy (including the “This message is from a trusted sender” notice):

If you call the attacker’s phone number, they will solicit enough information to actually rob you.

In the current version of the Outlook website, you can choose to report this phishing email. Because it really was PayPal that sent this phishing lure, choosing “Report and Block” will block all future email from PayPal, including emails that aren’t scams, which may not be what you expected to happen.

Stay safe out there.

-Eric

Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ Microsoft 2001-2012, and 2018-, working on Office, IE, and Edge. Now a GPM for Microsoft Defender. My words are my own, I do not speak for any other entity. View more posts