PayPal refund scam

The PayPal refund scam – how to spot it & what to do

Here’s a new-to-me PayPal scam called the ‘refund scam’ that takes advantage of PayPal’s invoice system to send out scam emails directly via PayPal. Here’s a quick run-through of how it works, how to spot the scam, and what to do.

Sadly, trying to get in touch with PayPal support via any means is often either very difficult or downright impossible. When I recently received one of the scam emails and tried to talk to PayPal about it, I simply ended up in an endless loop with their ‘virtual assistant’. Therefore, you’re most likely ‘on your own’ with this one. However, if you are forewarned, you’re hopefully forearmed.

How the PayPal refund scam works

Firstly, you’ll receive an email from PayPal telling you that you’ve received ‘a money request’. This can purport to be for any reason; the most common ones are things like software subscription renewals or gift card purchases. It’s a legitimate email from PayPal, so at first there is nothing to make you suspect it is a scam.

In the email message, however, there will be a note informing you that money has been taken from your account. This is the part written by the scammers, so it will contradict the email title, e.g. ‘you have a money request’ vs ‘money has been sent from your account’. At the bottom of the email there will also be a ‘pay now’ button. Goes without saying I hope – don’t click this!

The scammer has used the PayPal invoicing system to try to scare you. They will have included a phone number or link in the message that they want you to use to contact them. If you do that, they’ll attempt to get you to transfer money to them. These numbers or links – even if they look legit, such as freephone numbers – are not PayPal numbers, so don’t use them.
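Because the message really is sent by PayPal, sender checks pass and only the content gives it away. The sketch below is an added example (not from the original post or from PayPal) that flags the three signs described above in a plain-text message; the sample email, phone number, hosts and regex patterns are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: a money-request notification whose free-text note
# claims a charge and gives a callback number (all values are placeholders).
SAMPLE = """\
From: service@paypal.com
Subject: You have a money request
Content-Type: text/plain

Example Seller sent you a money request for 499.99 GBP.

Note from seller: Your account has been charged 499.99 GBP for a
subscription renewal. To cancel call 0800 000 0000 or visit
http://refund-help.example/cancel

Pay Now: https://www.paypal.com/example-invoice
"""

# Assumed wording patterns; tune them against real mail before relying on them.
REQUEST_SUBJECT = re.compile(r"money request|invoice", re.I)
CHARGE_CLAIM = re.compile(
    r"(has been|was|were)\s+(charged|debited|deducted|taken|sent)", re.I)
PHONE = re.compile(r"(?<![\w/])\+?\d[\d\s().-]{8,}\d")
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def is_paypal_host(host):
    """True only for paypal.com and its subdomains (not look-alike hosts)."""
    host = (host or "").lower()
    return host == "paypal.com" or host.endswith(".paypal.com")

def refund_scam_signals(raw):
    """Return the refund-scam signs found in a single-part plain-text email."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # a str for non-multipart messages
    signals = []
    # Title says "request", note says money has already left the account.
    if REQUEST_SUBJECT.search(msg.get("Subject", "")) and CHARGE_CLAIM.search(body):
        signals.append("request-vs-charge contradiction")
    # A number to call inside the message body is the scammers' callback lure.
    if PHONE.search(body):
        signals.append("callback phone number in body")
    if any(not is_paypal_host(urlparse(u).hostname) for u in URL.findall(body)):
        signals.append("link to non-PayPal host")
    return signals
```

Calling `refund_scam_signals(SAMPLE)` returns all three signals, while a money request with no seller note and only a paypal.com link returns an empty list.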

What to do?

At this point – in relation to this phishing attempt at least – nothing has actually happened, no money has gone from your account, and your account is still secure. If you want to simply ignore this email, that’s fine.

Personally, I took this opportunity to log into my PayPal account and check the transactions to see if there was anything I didn’t recognise (activity link in the navigation). All looked fine.

The email received was a legitimate ‘money request’, so I clicked the option to ‘cancel’ it.

As everything in the account was as expected and this was simply a ‘phishing’ scam, there was no need to change my password.

If there are transactions you don’t recognise that have gone from your account, then you need to contact PayPal immediately (good luck with that!).

If you think your password may have been compromised, then you need to change it urgently too, to something unique.

Some rules of thumb

  • Never give anyone your PayPal password – even on the phone
  • Forward suspicious emails to phishing@paypal.com
  • If you are emailed and asked to get in touch with PayPal, do it via the help section directly through their website when you’ve logged in to your account
  • If you ever get a message from PayPal you’re unsure about, log into PayPal directly to check

Example scam email, more info, and useful links

Here is the email I received – it looks realistic because it did indeed come from PayPal. Note the UK freephone number – this is nothing to do with PayPal; if you call it you’ll get through to the scammers (luckily the number has been deactivated now).

Here is what the ‘money request’ looked like when I logged into PayPal directly. Note there is a line through the amount as I used the ‘cancel request’ option to cancel it:

Here is the Reddit ‘auto-mod’ explaining the refund scam, along with useful links:

Refund scams usually start with a spam email about a fake transaction, although they can also be sent through SMS or any other messaging service. The message will provide you with a phone number to call if you want to cancel the transaction, and if you call the scammers will try to get you to provide credit card or banking information in order to receive your refund. Scammers have been taking advantage of Paypal’s invoice system to send out realistic scam emails through Paypal itself, here is a news article about that technique: https://krebsonsecurity.com/2022/08/paypal-phishing-scam-uses-invoices-sent-via-paypal/. Here is a Snopes article regarding the Norton variant of this scam: https://www.snopes.com/fact-check/norton-email-renewal-scam/.

Reddit

Here are some other individuals’ takes on this scam:

The attackers are abusing a legitimate PayPal service which allows them to send invoices to anybody. QuickBooks is having the same issue. So the emails come in from legit paypal(.)com domain – and basically the attackers can put whatever content in the overall message that they want. They have also been successful in simply getting folks to blindly pay the invoice.

They are encouraging you to call the number, which is not PayPal. It will be someone on the end pretending to be from PayPal telling you someone wants to give you money.

If you ever get a message like this, whether it’s from Paypal or Amazon or whatever, just log into the website through a browser to check.

Don’t click any links or phone the number in the email message itself, that’s how the scam works 🙂