Early on Sunday morning, I received the following email from PayPal:
With my initial scepticism high, I decided to investigate to see if someone had managed to spoof the domain of PayPal.com.
However, checking the DMARC and DKIM revealed that it was a genuine email from PayPal. With some further bewilderment as to why phishing emails are being sent from a genuine domain, I stumbled upon the PayPal invoicing API.
PayPal invoicing is a feature developed to ease the payment process of purchases made outside of PayPal. It allows businesses to send an email to their customer, invoicing them for the services/products that the business has provided. The problem is that scammers have worked out a way to generate a “genuine” invoice for a product that has not been purchased. This in turn, tricks PayPal into acting on the scammers’ behalf, sending phishing emails to unsuspecting users.
We have approached PayPal to add more stringent checks on who and how companies can send invoices on the platform. As of yet, we have not heard any response.
Aaron Mulgrew
Aaron works with central government departments in the UK and abroad to secure their systems, as well as working alongside critical national infrastructure providers to make sure they aren’t an easy route to compromise. With a specialism in cryptocurrency...
Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.