You’re giving them credit for things they don’t have to do. They’ll most likely send them out to whatever list of email addresses they have. Some won’t have PayPal accounts and will just delete the message as spam. Those who do have accounts are the actual target.
I’d think they don’t need to hack a database. They send their attempt to whatever list they’re using. If you have a Paypal account, it alarms you. If you don’t, you indignantly respond to the email to tell them so. Both work for the scammer.
I frequently get “I DIDN’T BUY AN IPHONE!!!”/“TAKE ME OFF THIS LIST!!!” emails that are reply-alls to spam/phishing attempts.
Another thing you can do with dodgy emails is to extract the headers (see the instructions here), then paste them into a header analyzer, like this one provided by Microsoft. Among other things, like the actual sender address etc., this will also give you information about the path the mail took (so you could look up the originating server’s IP and check if it’s registered to PayPal), and the result of SPF/DKIM-checks (just search for ‘SPF’ in the resulting output, there should be something like ‘spf=pass smtp.mailfrom=; dmarc=pass action=none header.from=; dkim=pass’). If there’s anything that didn’t pass there, it’s a possible indication of trouble; the PayPal-SPF record is set up such that a non-matching sender doesn’t force the recipient to discard the mail, but rather, includes a ‘softfail’ option—that is, the recipient (your email-provider) gets to decide what to do, and may not do anything.
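The header checks described in the post above, as an added example that is not part of the original thread: Python that reads the SPF/DKIM/DMARC results and the relay IPs from a saved message. The sample message, its domains and the `trusted_id` provider name are constructed for illustration.

```python
import re
from email import message_from_string

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)

# Constructed sample (not real mail): SPF softfail, no DKIM signature,
# plus a second Authentication-Results header the sender inserted itself.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
 by mx.myprovider.example; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.myprovider.example;
 spf=softfail smtp.mailfrom=billing.example;
 dkim=none; dmarc=fail action=none header.from=billing.example
Authentication-Results: forged.example; spf=pass; dkim=pass; dmarc=pass
From: service@billing.example
Subject: Invoice

body
"""

def auth_results(raw, trusted_id):
    """Map spf/dkim/dmarc to results, using only headers stamped by trusted_id."""
    # Anyone can put an Authentication-Results header in a message, so only
    # those added by your own provider (trusted_id, an assumed name) count.
    found = {"spf": [], "dkim": [], "dmarc": []}
    for header in message_from_string(raw).get_all("Authentication-Results", []):
        authserv_id, _, rest = header.partition(";")
        if authserv_id.strip().lower() != trusted_id.lower():
            continue
        for method, result in RESULT_RE.findall(rest):
            found[method.lower()].append(result.lower())
    return found

def findings(raw, trusted_id):
    """Every check that is missing or returned something other than 'pass'."""
    out = []
    for method, results in auth_results(raw, trusted_id).items():
        out += [f"{method}={r}" for r in results if r != "pass"]
        if not results:
            out.append(f"{method}=missing")
    return out

def relay_ips(raw):
    """IPv4 literals from Received headers, most recent hop first."""
    headers = message_from_string(raw).get_all("Received", [])
    return [ip for h in headers for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", h)]

if __name__ == "__main__":
    print(findings(SAMPLE, "mx.myprovider.example"), relay_ips(SAMPLE))
```

A message sent through a real service's own invoicing feature, as the thread goes on to describe, passes all three checks, so an empty findings list confirms only the sending domain.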
I don’t get them from Paypal, but I get a lot of them from Norton and others telling me “Oh noes, your protection is going to expire unless you give us money! Call now before we charge you $500!” Also a lot of emails that end up in the spam folder that tell me I’ve won fabulous stuff from big retailers.
I’m thinking they would find that the account was opened with stolen credentials. The scammer is not going to be using PayPal to receive the money they are scamming, when you call the fake phone number they will probably give you other payment instructions.
When people use services like Zelle, PayPal and Venmo to send money to scammers, the reaction of these companies is generally “so sad, too bad, you shouldn’t have sent money, we have warnings about not sending money to people you don’t know.”
But I have to wonder if PayPal might be a little more on the hook if someone falls for this one, given the way the scammer is using the PayPal software to lend legitimacy to the scam. I’m not sure if the PayPal buyer protection would cover you if you fell for this scam, probably not because the scammer isn’t having you send the money through PayPal… It seems like this one should be on PayPal for allowing the scammer to open a fraudulent account, but these companies are good at dodging responsibility.
But surely a spammer couldn’t just decide to name his/her home computer “service@paypal.com” and send out a bunch of emails to a list, right? That’s how the bad emails are usually easily identified: the “from” address, upon cursory inspection, is obviously spoofed and the real server name is something that often ends in .ru. But in this case the “from” field is genuinely “service@paypal.com.” So doesn’t the scammer have to be using a Paypal server?
I realize I am exposing the depth of my ignorance about how all of this works – looking for enlightenment.
The scammer signed up for a PayPal business account probably using fraudulent credentials. The person whose credentials they stole will probably never know, they aren’t using the bank account or credit cards to steal money, just to secure the account which gives them access to the invoicing feature of the software. The actual scam happens off-platform. A PayPal business account allows you to send invoices to anyone with an email address through the PayPal server.
If you had called the number, the scammer would not be requesting payment through PayPal, they would have you buy gift cards and give them the numbers, or something equally shady. They are abusing the PayPal software in order to get people to call the fake phone number.
I’m tempted to call the number just to see what the scam is, but I probably won’t. That kind of scam baiting is risky if you don’t know what you’re doing and best left to the pros. I may post the number in the scambaiting Reddit sub, though.
They could’ve gotten your email address from pretty much anywhere, an easy hack of a poorly secured e-mail address owned by someone that has yours in their contacts is my best guess.
Ah, thank you @Ann_Hedonia and @DavidNRockies ! Enlightenment is creeping in. The Engadget article is startling, and not in a good way. Amazing how tenuous the protections are in a giant organization like PayPal.