Received a Bitcoin invoice from PayPal? It is (unsurprisingly) a scam

Criminals are always trying to get their hands on your hard-earned money, and their latest trick is simple – send a legitimate invoice via PayPal for a valuable item you didn’t buy. So how does this scam work? How do scammers do this using a genuine PayPal invoice?


PayPal billing gets scammers into your inbox

Traditionally, fraudsters and spammers have been relatively easy to spot. If they aren’t flagged by your email provider’s spam filters, there are details that give them away if you know what to look for.

The emails are often spoofed – meaning the email address in the “from” field is not real – and sometimes they come from domains that look similar to the genuine one. The language tends to be strange, and they will promise you love, wealth beyond your wildest dreams, or the opportunity to help a temporarily impoverished former head of state. In almost all cases, they will contain links that, if clicked, will either install malware on your computer or try to trick you into giving away your bank account details. They are fake, and it’s easy to tell.

Invoices from PayPal are different. PayPal is a trusted organization, without which e-commerce would grind to a halt. Emails from PayPal will always reach your mailbox regardless of your provider. There is no spoofing involved, and there are no questionable links. The email is legitimate, which makes it difficult to recognize as a scam.

And anyone can create an invoice using PayPal. So that’s exactly what cybercriminals do.

Scammers can bill you via PayPal

After clearing your spam filters and with no obvious giveaways that the invoice is a scam, you may end up with something like this in your inbox.

You verify that the links are real and, feeling confident, click one to see the real PayPal invoice on the real PayPal website. There you can either pay or cancel the invoice.

This invoice is for Bitcoin and purports to be from “Bitcoin Exchange”, but we have seen other fake invoices for gift cards, and for charges made by PayPal itself. For scammers, the options are endless, and it’s entirely possible that some people or businesses will actually click the Pay button.

How do PayPal invoices work?

If you regularly use PayPal on your PC, you may have noticed that you don’t even need to log into your PayPal account – just click the big blue button and the required amount will magically disappear from your PayPal balance, never to be seen again.

PayPal also provides a useful QR code for invoices. Not only can you be invoiced via email while on the go, but you can also access the invoice directly on your smartphone. Just aim the camera at the blue square! Small print on a 5-inch screen makes you even more likely to click the button. As PayPal’s tagline makes clear, it’s simple: “Scan. Pay. Go.”

At this level, the scam is simple: get people to click a button, and receive a large sum of money in return.

How do scammers use fake PayPal invoices?

Even if you don’t pay the invoice, the scammers have several tricks to catch you. The email also contains a message from the seller, indicating that the payment has already been received, and contains the text “Call us [sic] for any dispute regarding the payment and issue a refund on [phone number]”.

If you ignore the random capitalization for the moment, it’s possible that you might be concerned enough to call the number, whereupon one of two things could happen.

The scammers may try to get more information out of you – either through a fake identity verification process, or by asking for your bank details, ostensibly so they can issue a refund.

They may also try to persuade you to install a remote management tool on your computer. You can probably guess who you hand control over to…

Since both the email and the invoice are really from PayPal, it’s not impossible that some people will be scammed. Don’t be one of them.
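Because sender checks pass for these emails, a filter has to look at the content instead. The following is an added example, not part of the original article: a heuristic that flags invoice notifications whose seller note pairs a phone number with refund or dispute wording, or whose item is Bitcoin or gift cards. The sample messages, their layout, the phone number and the flag names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample messages (not real PayPal mail); layout and wording are
# assumptions, and the phone number is a fictitious placeholder.
SCAM = """From: service@paypal.com
Subject: Invoice from Bitcoin Exchange

Bitcoin Exchange sent you an invoice for $499.99 USD.
Note from seller: Payment has been received. Call Us for any dispute
regarding the payment and issue a refund on +1 (555) 010-0199.
"""
BENIGN = """From: service@paypal.com
Subject: Invoice from Example Plumbing

Example Plumbing sent you an invoice for $120.00 USD.
Note from seller: Thanks for your business, payment is due in 14 days.
"""

# North-American style number, optionally with a country code.
PHONE = re.compile(
    r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
CALLBACK = re.compile(r"\b(call|phone|contact)\b", re.I)
PRETEXT = re.compile(r"\b(refund|dispute|cancel|unauthori[sz]ed)\b", re.I)
LURE = re.compile(r"\b(bitcoin|crypto\w*|gift\s*cards?)\b", re.I)

def invoice_red_flags(raw_email):
    """Return content-based warning signs for an invoice notification.

    Sender authentication is deliberately not checked: the article's point
    is that these messages really do come from PayPal.
    """
    msg = message_from_string(raw_email)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    flags = []
    # A phone number next to "call us about a refund/dispute" wording is the
    # callback lure described in the article.
    if PHONE.search(text) and CALLBACK.search(text) and PRETEXT.search(text):
        flags.append("callback_number")
    # Items the article names as common in fake invoices.
    if LURE.search(text):
        flags.append("high_risk_item")
    return flags

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("benign", BENIGN)):
        print(name, invoice_red_flags(raw))
```

A flagged message is a candidate for a warning banner or quarantine review rather than automatic deletion, since legitimate sellers can also include a contact number.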

Don’t fall for PayPal invoice scams

Without obvious clues that the invoice is not genuine, do your research before paying the invoice or calling the number.

The first thing you should ask yourself is whether you bought or tried to buy the item in question. If the answer is no – because spending $499.99 on crypto through your PayPal account is not something you can imagine doing – it’s a scam.

You can also examine any contact details in the email and invoice.

With our sample invoice, the assumed seller’s email address is [email protected]. The hosting domain is currently inactive, but a quick look at the Internet Archive Wayback Machine revealed that it used to be a WordPress site that hosted random Chinese snippets and other scraps from tutorials. In short, it does not inspire confidence that the seller is genuine.

Another clue is the phone number. Using a free research tool, we were able to determine that it was assigned the same day the email was sent, and we expect it to be reassigned shortly thereafter.

Just searching for a number on Google can reveal that it is often used by scammers.

How did PayPal scammers get my email address?

Maybe you advertise your email address on Facebook, Twitter or a personal blog and it was scraped from there.

It’s far more likely that your email address was exposed in a data breach. Businesses are hacked all the time, with customer information exfiltrated from their systems with alarming regularity. In the 2022 Samsung data breach, for example, criminals were able to steal customers’ names, contact and demographic information, dates of birth and product registration information – which may have included gender, precise geolocation data, Samsung account profile IDs, usernames and more.

According to haveibeenpwned, the person who gave us the sample email has had their email address compromised in at least 10 different breaches.

PayPal allows businesses to bulk invoice in batches of up to 1,000 at a time (of the same invoice) by uploading a CSV file. It would be easy for the would-be fraudsters to add a name (or username) to all the invoices, but they don’t – meaning they likely don’t have the target’s name. The only known breach that exposed their personal email but not their name or username was the Patreon hack in 2015.

How to protect yourself from fake PayPal invoices

PayPal provides a simple and common sense guide to email scams; however, the billing scam is not listed yet.

Here is our advice:

  • Do not click through to invoices from links in an email – even if they are genuine links. You can check PayPal invoices by logging into the service in another tab or browser.
  • Do not pay an invoice unless you are 100 percent sure what it will be used for.
  • Do not call, email or otherwise contact the “seller”.
  • Keep your primary email address private.
  • Use email aliasing or an email protection service to provide different email addresses to different companies.
  • Check haveibeenpwned regularly to see if your personal information has been disclosed. If an email address is compromised, disable it.

PayPal billing scams are annoying and dangerous

Opening an email to find a real PayPal invoice for something you didn’t buy is annoying at best, and could lead to you losing money at worst. Take care of your social media, email accounts and internet security so you can deprive criminals of the details they need to target you effectively.
