I have been warning you about phony invoice phishing scams for many years.  Generally, they work like this: you receive an email that purports to be from a company with which you do business, such as Netflix.  The email contains an invoice for a charge you obviously did not incur.  It is understandable that people receiving such an invoice would respond by disputing the charge.  The emails usually contain either links or a phone number for you to use to contact the company to dispute the charge; however, in the more common versions of this scam, you will be lured into providing your account information or personal information that can then be used to make you a victim of identity theft.

Sometimes your spam filter will actually recognize that this is a scam email and send it to your spam folder.  Sometimes the email address of the sender has nothing to do with the particular company the email purports to be from, making it easy to recognize as a scam.  In many instances the email address is that of someone whose email account has been hacked and made part of a botnet of zombie computers used to send out such emails in great numbers.

However, recently we have seen a particularly insidious new phony invoice phishing scam.  The email that you receive not only purports to be from PayPal, but the email address of the sender is that of a real PayPal account, which either came from a phony PayPal account opened by the scammer or from a legitimate PayPal account that had been hacked.  Either way, the email address of the sender appears to be quite legitimate.  If you respond to the email by calling the customer service number contained in the email, you will be prompted to download a remote administration tool, which will enable the scammer to take control of your computer and everything in it, including all of your online accounts, even your online bank accounts.


A good starting point for protecting yourself from sophisticated phishing emails such as this is to recognize that whenever you get an email, text message or phone call, you can never be sure who is actually contacting you.  Consequently, you should never click on a link or provide personal information in response to such communications.  If you think that the communication might be legitimate, you should contact the company online or by phone independently, using an email address or a phone number that you have confirmed is legitimate.  Don’t use the phone number, email address or link contained in the phishing email.

Secondly, as additional protection, you should use dual factor authentication for all of your accounts, so that even if someone is able to steal your username and password, they will not be able to access your account.

In regard to PayPal specifically, here is a link with information about how to contact them with any questions you may have: https://www.paypal.com/ca/smarthelp/contact-us

If you are not a subscriber to Scamicide.com and would like to receive daily emails with the Scam of the day, all you need to do is to go to the bottom of the initial page of http://www.scamicide.com and type in your email address on the tab that states “Sign up for this blog.”