The Scam Exploiting Bitcoin and PayPal Invoice
PayPal Invoice is a service from the well-known payment gateway that allows people to create and send proforma invoices directly from their account: this time it was used to carry out yet another Bitcoin scam.
This is a widely used system for requesting payment for professional services, as it also allows customizing invoices. Those who do not have their own invoicing system and intend to be paid through PayPal can use it to easily create and send their own pro forma invoices.
Trend Micro discovered some time ago that a scam has been circulating that tries to exploit the PayPal Invoice name and certain cryptocurrencies, including Bitcoin, to steal money from the unwary.
Bitcoin and PayPal Invoice Scams
From a strictly technical point of view, the fraud is very trivial.
It is committed simply by sending a fake email, with [email protected] shown as the sender, that requests payment in cryptocurrencies.
Trend Micro also published a screenshot:
In reality, the real sender is not [email protected], and the email is not sent from PayPal’s servers or computers at all. There are easy-to-implement and easy-to-use technologies that allow emails to be sent with whatever sender address the sender chooses, so virtually anyone who wants to can send an email showing [email protected], or any other address, as the sender.
The email obviously contains payment details, so the person receiving it may actually think someone has sent them an invoice through PayPal to pay. In reality, no PayPal invoice exists, not even a pro forma one: the email is just a request for payment from the scammers, who obviously want to collect whatever is paid.
Recognizing the scam involving Bitcoin and PayPal invoice
Fortunately, it is very easy to recognize these scams.
Although the sender may look like PayPal, it is known that PayPal does not allow cryptocurrency payments to external wallets.
In other words, as soon as the email lists a non-PayPal address as the public address to send cryptocurrencies to, it’s 100% certain that it’s already a scam.
What you should know is that all payments and all transactions involving PayPal only take place within their platform. Therefore, the moment a payment is requested outside their platform, it is very certain that it is a fraud attempt.
Who collects the money
Since the public addresses of crypto wallets are anonymous, it is not possible to know who the cryptocurrencies will actually be sent to.
The fraudsters count on this very fact: that it is not possible for investigators to find out who is behind these fraud attempts.
However, investigators can publicly track any subsequent movements of the tokens once they have been sent to the public addresses listed in the scam emails, in the hope that the scammers will sooner or later make a mistake that gets them detected.
Usually, the main mistake is to move them to a centralized exchange with a KYC requirement, because in this case the exchange’s internal wallet to which they are moved is associated with the first and last name of a supposedly real person. It has already happened several times that fraudsters have been caught in this way when they tried to sell their collected cryptocurrencies in exchange for fiat currencies or stablecoins.
The effectiveness of the fraud
As strange as it may seem that such a scam could work, scammers are often ingenious and know well the vulnerabilities of their potential victims.
In fact, one of the features that sometimes makes these attempts effective is that the invoice being sent appears to be related to a commonly used service, or well-known brands. By sending massive amounts of spam email to a very large audience, it is not unlikely that some of the recipients already have some form of contract or service offering in place that would justify a request for payment.
Nevertheless, the fact remains that the moment PayPal appears to be requesting payment from outside its platform, one can be certain that it is a scam.
Trend Micro adds other suggestions on how to best defend yourself.
The first, of course, is to check the URLs of the links the email invites you to click on, because if they’re external to PayPal, they’re clearly dubious.
The second is not to trust what is written in the email and instead go directly to the official PayPal website. If the email address that one’s account is linked to is the same that the email was sent to, then if the proforma invoice was indeed sent by PayPal, it will also appear on the website when you are logged in.
The third piece of advice is even more drastic: never click on links or call phone numbers listed in suspicious emails.
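The two checks described above (a wallet address outside PayPal's platform, and links that leave PayPal's site) can be applied mechanically to a raw message. The following is an added example, not code from Trend Micro or the original article; the names `triage` and `is_paypal_host`, the sample message, and the choice of paypal.com as the only accepted domain are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Shape-only match for legacy (1.../3...) and bech32 (bc1...) Bitcoin addresses;
# no checksum validation, so a hit means "looks like a wallet address".
BTC_RE = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def is_paypal_host(host):
    """True only for paypal.com itself or a subdomain of it (assumed allow-list)."""
    host = (host or "").lower().rstrip(".")
    return host == "paypal.com" or host.endswith(".paypal.com")

def triage(raw):
    """Apply the article's two checks to one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    # The From header is attacker-controlled; it only tells us what the mail claims.
    name, addr = parseaddr(str(msg.get("From", "")))
    claims_paypal = "paypal" in f"{name} {addr}".lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    wallets = BTC_RE.findall(body)
    external = [u for u in URL_RE.findall(body)
                if not is_paypal_host(urlsplit(u).hostname)]
    if claims_paypal and wallets:
        verdict = "scam"          # per the article: crypto to an external wallet
    elif claims_paypal and external:
        verdict = "suspicious"    # links point outside PayPal's own site
    else:
        verdict = "no-indicator"
    return {"verdict": verdict, "wallets": wallets, "external_urls": external}

# Constructed sample message; sender, wallet address and URLs are all made up.
SAMPLE = (
    "From: PayPal <noreply@paypal.example>\n"
    "Subject: Invoice\n"
    "\n"
    "Pay 0.05 BTC to 1FakeAddrForDemoPurposesXXXXXXXX\n"
    "or pay online: http://paypal-invoices.example/pay?id=1234\n"
    "Help: https://www.paypal.com/invoice\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The host check compares the parsed hostname, so look-alikes such as a `paypal.com.` prefix on another domain or a `paypal.com@` userinfo trick are still reported as external.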