Given that we’re getting into peak retail season, you’ll be seeing cyber security warnings about “Black Friday & Cyber Monday” all over the internet.
Since cybersecurity matters 365 days a year, these online tips are not limited to Black Friday: you should take cyber security seriously no matter what time of year it is.
The best reason for improving your cybersecurity in the leadup to Black Friday is that it means you will be improving your cybersecurity for the rest of the year, and will encourage you to keep on improving through 2023 and beyond.
The Malicious PayPal-Branded Cyber Scam
If you have a PayPal account and are using it this time of year, you need to be aware of this common scam going around, so you can spot it before an attack happens to you.
The good thing about this scam is that you should spot it for what it is: made-up nonsense.
The bad thing about this scam is that it’s astonishingly easy for criminals to set up, and it carefully avoids sending spoofed emails or tricking you into visiting bogus websites, because the crooks use a PayPal service to generate their initial contact via official PayPal servers.
Here’s how the PayPal “money request” scam works:
- The scammer creates a PayPal account and uses PayPal’s “money request” service to send you an official PayPal email asking you to send them some funds. Friends can use this service as an informal but relatively safe way of splitting expenses after a night out, asking for help paying a bill, or even to get paid for small tasks such as cleaning, gardening, pet sitting, and so on.
- The scammer makes the request look like an existing charge for a genuine product or service, though not one you actually ordered, and probably for what looks like an unlikely or unreasonable price.
- The scammer adds a contact phone number into the message, apparently offering an easy way to cancel the payment request if you think it’s a scam.
So the email actually does originate from PayPal, giving it an air of authenticity, but entices you to react by phoning the crooks back, rather than by replying to the email itself.
The crooks have simply found a way to abuse PayPal’s free Money Request service to generate emails that really do come from PayPal, that include real PayPal links, and that use the message field in the request to give you an official-looking way to contact them directly.
Of course, it’s all a pack of lies: there’s no anti-virus program; there was no purchase; and no one actually paid out anything to anyone.
Given that you are quite well aware that the payment request was never authorised by you, you should report it to PayPal.
It’s just like a romance scammer who schmoozes you at arm’s length on a dating site and then convinces you to switch over to messaging them directly, purely so they can scam you.
What To Do About This PayPal Scam?
The quickest and easiest thing to do, of course, is nothing!
PayPal money requests are exactly what they say: a way for friends, family, someone, anyone, to invite you to send them money in a reasonably secure way.
They aren’t invoices; they aren’t payment demands; they’re not receipts; and they are unrelated to any existing purchase you did or didn’t make via PayPal or anywhere else.
If you simply do nothing, then nothing gets paid out and no one receives anything, so the scam fails.
We always recommend that you report bogus requests of this sort to PayPal, which helps to get the offending account closed down and to ensure that no one else either pays up through fear or calls the given phone number “just in case”.
You can visit PayPal’s Report potential fraud page for further information, or forward suspicious emails to email@example.com
Whatever you do, don’t send any money, and definitely don’t call the criminals back.
The cyber criminals’ true goal is to establish direct contact so they can start working you over, tricking you into revealing personal information that could ultimately cost you a lot.
A spoofed email is one that insists it’s from a well-known company or domain, typically by putting a believable email address in the From: line, and by including logos, taglines or other contact details copied from the brand it’s trying to impersonate.
Remember that the name and email address shown in an email next to the word From are actually just part of the message itself, so the sender can put almost anything they like in there, regardless of where they really sent the message from.
A spoofed website is one that copies the look and feel of the real thing, often simply by ripping off the exact web content and images from the original site to make it look as pixel-perfect as possible.
Scam sites may also try to make the domain name that you see in the address bar look at least vaguely realistic.
For example, by putting the spoofed brand at the left-hand end of the web address, so that you might see something like paypal.com.bogus.example, in the hope that you won’t check the right-hand end of the name, which is what actually determines who owns the site.
Other scammers try to acquire lookalike names, for example by replacing W (one W-for-Whisky character) with VV (two V-for-Victor characters), or by using I (an upper case I-for-India character) in place of l (a lower case L-for-Lima).
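As an added example (not code from the original article), here is a small Python check that applies the two address-bar tricks described above: a brand name pushed to the left-hand end of an unrelated domain, and lookalike substitutions such as VV for W and I for l. The trusted-brand set, the lookalike table and the sample links are constructed for this example, and it treats the last two labels as the owning domain rather than consulting the Public Suffix List.

```python
from urllib.parse import urlsplit

# Brand domains the check protects (constructed for this example).
TRUSTED = {"paypal.com"}

# Lookalike substitutions: the two the article names (VV-for-W, I-for-l)
# plus two common extras; a constructed table, not an exhaustive one.
LOOKALIKES = [("I", "l"), ("VV", "W"), ("vv", "w"), ("rn", "m"), ("0", "o")]


def registrable_domain(host: str) -> str:
    """Right-hand end of the hostname, which decides who owns the site.
    Assumption: the last two labels are enough; production code should
    consult the Public Suffix List so that e.g. example.co.uk works."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]).lower()


def fold_lookalikes(host: str) -> str:
    """Rewrite a hostname to what a human reader would perceive.
    Runs before lowercasing, because an upper-case I only looks like l
    while the case survives (hostnames themselves are case-insensitive)."""
    for fake, real in LOOKALIKES:
        host = host.replace(fake, real)
    return host.lower()


def classify_link(url: str) -> str:
    """Return 'trusted', 'brand-in-subdomain', 'lookalike' or 'unknown'."""
    netloc = urlsplit(url).netloc                     # keeps original case
    host = netloc.rsplit("@", 1)[-1].split(":")[0]    # drop user@ and :port
    if registrable_domain(host) in TRUSTED:
        return "trusted"
    labels = host.lower().split(".")
    for brand in TRUSTED:
        if brand.split(".")[0] in labels:             # paypal.com.bogus.example
            return "brand-in-subdomain"
    if registrable_domain(fold_lookalikes(host)) in TRUSTED:
        return "lookalike"                            # e.g. PayPaI.com
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, modelled on the tricks described above.
    for link in ("https://www.paypal.com/myaccount",
                 "https://paypal.com.bogus.example/login",
                 "https://PayPaI.com/signin",
                 "https://paypal.com@evil.example/"):
        print(f"{classify_link(link):20} {link}")
```

A link that classifies as anything other than "trusted" is a reason to open the site by typing the address yourself rather than clicking; a password manager that binds credentials to the real domain gives the same protection automatically.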
How To Spot Spoofing Tricks:
- Learning how to examine the so-called headers of an email message, which show which server a message actually came from, rather than the server the sender claimed they sent it from.
- Setting up an email filter that automatically scans for scamminess in both the headers and the body of every email message that anyone tries to send you.
- Browsing via a network or endpoint firewall that blocks outbound web requests to fake sites and discards inbound web replies that include risky content.
- Using a password manager that ties usernames and passwords to specific websites, and thus can’t be fooled by fake content or lookalike names.
Email scammers often go out of their way to ensure that their first contact with potential victims involves messages that really do come from genuine sites or online services, and that link to servers that really are run by those same legitimate sites.
As long as the scammers can come up with some way of maintaining contact after that initial message, they will keep the scam going.
Should You Tell The Authorities?
Whether it’s during Black Friday season or at any other time of the year, we urge you to consider reporting scams of this sort to the relevant regulator or investigatory body in your country.
It might not feel as though you’re doing much to help, and you probably don’t have the time to report each and every one…
… but, if sufficiently many people do provide some evidence to the authorities, there is at least a chance that they will do something about it.
If no one says anything, then nothing will or can be done to improve cyber security overall.