Today in “Attack techniques so stupid, they can’t possibly succeed… except they do!” β we look at Invoice Scams.
PayPal allows anyone (attacker) to send anyone (victim) an invoice containing the text of the attacker’s choosing. In this attack technique, PayPal sends you an email suggesting that the attacker already has taken your money, and you should call the attacker-supplied telephone number if you have a problem with that.
Because PayPal is acting as a (clueless) accomplice in this scam, the email contains markers of legitimacy (including the “This message is from a trusted sender” notice):
If you call the attacker’s phone number, they will solicit enough information to actually rob you.
In the current version of the Microsoft Outlook web application, you can choose to report this phishing email. Because it really was PayPal that sent this phishing lure, choosing “Report and Block” will block all future email from PayPal, including any emails that aren’t scams, which may not be what you expected to happen.
Stay safe out there.
-Eric
text/plain 