Unusually competent phishing attempt (PayPal)

Oh well. And thanks for that.

Just today I got an email about a class action lawsuit against StubHub. While it’s probably legit, I didn’t click any links to join it. If StubHub loses, the ruling may be in the millions, and I have no idea what it’s about. And I don’t have a beef against StubHub. The lawyers would get half and the individual might get $50. I’ll pass thank you.

Highlight the text and press Shift-F3. You may have to press the key sequence 2x or 3x. Quick and easy.

So I now work for a Very Large Global Company and we have to complete regular mandatory compliance trainings from Infosec on not taking candy from phishy strangers. Ironically we also got some very urgent updates from the same IT group that we had to change our passwords immediately! That one was genuine.

It really only takes one dumb employee out of 100,000 to subject an entire company to ransomware.

One thing I noticed is that your screenshot depicts the PayPal, Twitter, Snapchat, Facebook, and LinkedIn icons. There is also a broken image icon on the top left.

The fact that some images are displayed flush with the text content means your browser connected to the internet and downloaded the image from a webserver. Whoever wrote the email and embedded the image link specified where your computer downloads the image from. Some images such as the SVG document format can run scripts and are a vector for malware, but in all likeliness a browser will protect you from that threat by refusing to load the image and may even notify you that the email is suspicious if it tries to run scripts. It is possible but unlikely the broken image on the top left was not loaded by your browser as a security precaution. I wouldn’t worry about getting malware from the images.

The thing you should worry about is that when your browser downloads the images, the webserver can record that you downloaded the image. Every time you download something you have to send data just like you have to put a return address on an envelope for snail mail. Let’s say the phisher hosts the images on his own webserver. In the email he uses a link that is unique, like example.com/paypal-logo_bobsmom101email.jpg. Your browser automatically downloads the images from the phisher’s webserver, but refuses to run any scripts or malware. The phisher now has a record on his webserver matching your IP address to your email. Now the phisher knows

a) you opened the email - meaning it got past your automated spam filters, your email is active, and you were interested in the subject line
b) your IP address and possibly (probably?) your email client or browser of choice

and can use this information in future phishing attempts, or can sell this information.

~Max
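The open-tracking mechanism described in the post above can be checked for mechanically. Below is an added example (not code from the thread): it parses an HTML message, lists every image whose load would contact a web server, flags the ones that look like per-recipient beacons, and strips remote images the way a "don't load remote content" preview does. The sample message, the recipient address and the heuristics (recipient string in the URL, long opaque token, query string, 1x1 size) are all constructed for illustration.

```python
"""Spot image loads in an HTML email that can serve as open-tracking beacons.

Added example, not code from the thread. The sample message below is
constructed; the beacon heuristics (per-recipient string in the URL, long
opaque token, query string, 1x1 dimensions) are illustrative, not any
provider's actual rules.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the thread's example.com/paypal-logo_bobsmom101email.jpg
SAMPLE_EMAIL_HTML = """<html><body>
<img src="cid:logo@paypal" alt="PayPal">
<p>Hello, PayPal User</p>
<img src="https://example.com/paypal-logo_bobsmom101email.jpg" alt="">
<img src="https://example.com/t/open?u=7f3a9c2e1b4d5e6f" width="1" height="1">
<img src="https://cdn.example.net/static/twitter.png" alt="Twitter">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==">
</body></html>"""

OPAQUE_TOKEN = re.compile(r"[0-9a-f]{16,}", re.I)


class ImageCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def is_remote(src):
    """True when loading the image contacts a web server (http/https), as
    opposed to an inline (cid:) or data: image that needs no network."""
    return urlparse(src).scheme.lower() in ("http", "https")


def beacon_reasons(img, recipient):
    """Return the reasons a remote image looks like a tracking beacon."""
    src = img.get("src", "")
    parsed = urlparse(src)
    reasons = []
    local_part = recipient.split("@")[0].lower()
    if local_part and local_part in src.lower():
        reasons.append("recipient identifier in URL")
    if OPAQUE_TOKEN.search(parsed.path + "?" + parsed.query):
        reasons.append("long opaque token")
    if parsed.query:
        reasons.append("query string")
    if {img.get("width", ""), img.get("height", "")} & {"0", "1"}:
        reasons.append("1x1 pixel")
    return reasons


def analyze(html, recipient):
    """Every remote image with its beacon reasons (empty list = plain image).
    Any remote load still reveals the reader's IP and client, flagged or not."""
    collector = ImageCollector()
    collector.feed(html)
    return [
        {"src": img.get("src", ""), "reasons": beacon_reasons(img, recipient)}
        for img in collector.images
        if is_remote(img.get("src", ""))
    ]


IMG_TAG = re.compile(r"<img\b[^>]*>", re.I)
SRC_ATTR = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)


def strip_remote_images(html):
    """What a 'don't load remote images' preview does: drop every <img> whose
    source is http/https, keep cid: and data: images."""
    def repl(match):
        tag = match.group(0)
        src = SRC_ATTR.search(tag)
        if src and is_remote(src.group(1)):
            return "<!-- remote image removed -->"
        return tag
    return IMG_TAG.sub(repl, html)


if __name__ == "__main__":
    for entry in analyze(SAMPLE_EMAIL_HTML, "bobsmom101@example.org"):
        label = "BEACON?" if entry["reasons"] else "plain"
        print(f"{label:8} {entry['src']}  {', '.join(entry['reasons'])}")
    print(strip_remote_images(SAMPLE_EMAIL_HTML))
```

Note that the CDN-hosted Twitter icon trips none of the heuristics yet still tells the server that somebody at your IP rendered the message; the only reliable defence is the last function, not loading remote images at all.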

Backups!

~Max

I’m sure there are a few of those lying around in odd corners. :rofl:

It’s concerning that you don’t even have to open an email anymore to trigger some of this. Many mail clients like Outlook or Mac Mail have a preview mode. I’ve noticed that those don’t automatically download images and I like it that way.

Maybe I’m thinking of the iPhone text message hack that meant that simply receiving a text message was enough to compromise your phone! Apple had some 'splaining to do about that. It was a big black eye for them.

Thanks, I guess :stuck_out_tongue_closed_eyes: That’s depressing. :scream: I wouldn’t even have opened it if it had been in my spam folder. We’ll have to see whether now there is a flood of similar crap.

Same here. I have three phones and 6 or 7 gmail accounts and I never get any of this stuff. I may get two pieces of spam a year but I never bother to look at them. I can’t remember ever getting a scam phone call.

I just got my first such email – as described in the OP – today.

Wow. Yeah. If it wasn’t for the “Hello, PayPal User” this thing looks ridiculously legit. Even the originating IP Address resolves to a PayPal [dot] com domain.

Here’s the ask:

We’ve detected that your PayPal account has been accessed fraudulently. If you did not make this transaction, please call us at toll free number +1 (888) 826-2370 to cancel and claim a refund. If this is not the case, you will be charged $600. 00 today. Within the automated deduction of the amount, this transaction will reflect on PayPal activity after 24 hours. Our Service Hours: (06:00 a. m. to 06:00 p. m. Pacific Time, Monday through Friday).

But my PayPal account shows absolutely no such transaction, so … yeah … scam. The 888 phone number also resolves to nothing and nobody. I may ring them up, though. They’re probably decent, honorable, and interesting fellows :wink:

All “scammer speak”.
It’s amazing how many red flags they can cram into a short paragraph.
Also, those leading zeros in the service times when using am/pm.
ETA: And the space after the decimal in $600.00

Anyone using a time format of 0600 wouldn’t need to add the am, and the 0600 pm would be 1800.

Something I missed: Pacific Time doesn’t specify PDT or PST.
Also, I would expect them to use Central Time. 6:00am Pacific would be 9:00 Eastern.

I was under the impression that tracking if you’d opened the email was something that had been resolved. Previously webmail providers would block images from untrusted sources, but now they don’t tend to do so. I had assumed they did something clever like loading the image once without the mail being opened, and then keeping it cached or something.

That’s the main way I can think of to track if you’ve even opened an email, as surely any decent email client won’t run JavaScript in HTML messages. Heck, I’d want the server to strip out any script tags.

If they already know the transaction is fraudulent, why wouldn’t they just void it and warn the consumer? “We detected a fraud, but are about to charge you for it anyway”. Yeah, right.

That’s one of the red flags @Mangetout listed in a recent video.
Flag #4

Great video.

But I tend to be wary of advice from an unseen person whose voice is strongly reminiscent of the spokesman for an obscure totalitarian community where visitors mysteriously disappear. :scream:

Here’s my take on the scam, and I’m pretty sure I’m right.

The e-mail is from PayPal. ANYONE with a PayPal vendor account can use PayPal to send a customer an invoice. It’s not binding, no money changes hands, it just gives the customer a bill to pay, what is known as a pro forma invoice.

If I am a person or business with a PayPal account that allows me to accept PayPal, I can send my customer an invoice from Ann Hedonia with a description that says “ticket for group event dinner on July 3rd”. This is especially useful if I’m selling to businesses that require an invoice to cut a check.

The scammer created a PayPal account with the customer name “Billing Department of PayPal”. The scam message, including the fake phone number, is in the optional field, intended for a description of the invoice, that can be filled out by the account holder.

The email seems to be from PayPal because it was sent through PayPal by a customer running a scam. That’s probably also how it made it through the scam filters. While the phone number in the message field is fake (it was filled out by the customer), the links at the bottom of the email are real.

It’s an incredibly easy, low-tech and effective way to run a scam. Unless I missed it upthread, I’m the first to catch on as to how it worked.
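Since the scam text rides inside a free-form invoice description, the natural defensive check is on that field rather than on the sender (the mail itself is genuinely from PayPal). The added example below, which is not code from the thread or from PayPal, scores a memo for the red flags earlier posts pointed out: generic greeting, a phone number as the call to action, the space after the decimal in the amount, leading zeros in 12-hour times, urgency wording, a time zone without PDT/PST, and "we detected fraud, so we will charge you". SCAM_TEXT is the wording quoted upthread with the "Hello, PayPal User" greeting prepended; BENIGN_TEXT and the regular expressions are constructed heuristics, not a real provider's filter.

```python
"""Score an invoice memo or message body for the scam red flags the
thread calls out. Added example, not from the thread or from PayPal; the
patterns are illustrative heuristics, not any provider's actual filter.
"""
import re

# The scam wording quoted upthread, with the generic greeting the thread mentions
SCAM_TEXT = (
    "Hello, PayPal User\n\n"
    "We've detected that your PayPal account has been accessed fraudulently. "
    "If you did not make this transaction, please call us at toll free number "
    "+1 (888) 826-2370 to cancel and claim a refund. If this is not the case, "
    "you will be charged $600. 00 today. Within the automated deduction of the "
    "amount, this transaction will reflect on PayPal activity after 24 hours. "
    "Our Service Hours: (06:00 a. m. to 06:00 p. m. Pacific Time, Monday "
    "through Friday)."
)

# Constructed control text: a plausible legitimate invoice memo
BENIGN_TEXT = (
    "Hello Jane,\n\nInvoice for the group dinner on July 3rd: $45.00 per seat. "
    "Pay from your account activity page whenever convenient."
)

# (flag name, pattern); each pattern encodes one red flag from the thread
FLAGS = [
    ("generic greeting",
     re.compile(r"\b(hello|dear),?\s+(valued\s+)?(paypal\s+)?(user|customer|member)\b", re.I)),
    ("callback phone number",
     re.compile(r"\+?1?\s*\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")),
    ("space after decimal in amount",          # "$600. 00"
     re.compile(r"\$\s?\d[\d,]*\.\s+\d{2}\b")),
    ("leading zero in 12-hour time",           # "06:00 a. m."
     re.compile(r"\b0\d:\d{2}\s*[ap]\.?\s*m\b", re.I)),
    ("urgency",
     re.compile(r"\b(today|immediately|urgent(ly)?|within\s+24\s+hours|right\s+away)\b", re.I)),
    ("ambiguous time zone",                    # "Pacific Time" with no PDT/PST in the sentence
     re.compile(r"\b(pacific|eastern|central|mountain)\s+time\b(?![^.]*\b[PEMC][SD]T\b)", re.I)),
]


def red_flags(text):
    """Names of every red flag found in the text."""
    names = [name for name, pattern in FLAGS if pattern.search(text)]
    # "We detected fraud, so we will charge you": the contradiction itself is a flag
    if re.search(r"\bfraud", text, re.I) and re.search(r"\bcharged?\b", text, re.I):
        names.append("fraud detected yet charge proceeds")
    return names


def verdict(text, threshold=3):
    """Simple decision rule: three or more flags in one short memo is suspicious."""
    flags = red_flags(text)
    return ("suspicious" if len(flags) >= threshold else "no strong signal"), flags


if __name__ == "__main__":
    for label, text in (("scam", SCAM_TEXT), ("benign", BENIGN_TEXT)):
        outcome, flags = verdict(text)
        print(f"{label}: {outcome} ({len(flags)} flags)")
        for f in flags:
            print("  -", f)
```

The threshold is deliberately low because the memo field is short; a legitimate invoice description rarely needs a phone number, a deadline and a dollar amount all at once, so even a couple of these signals together is worth holding the message for review rather than calling the number printed in it.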

Aha! Thanks @Ann_Hedonia ! The main thing that bewildered me (and made me so apprehensive!) was how the scammer managed to spoof the PayPal address successfully. Yours is the first plausible explanation I’ve seen. Very clever, and I hope PayPal puts in some safeguards.

So now I’m wondering exactly how the spammer sends the messages. Has (s)he hacked the PayPal customer database :scream: :scream:? If he/she’s using the PayPal server to send the spam, can he/she upload a list of recipients from email addresses purchased on the dark web, for example?