Without giving it a second thought, you might think that an email such as the following is an example of a phishing attempt.
Subject: ‘Invoice from Help those affected by the California Wildfires.’
Message: ‘Help those affected by the California Wildfires sent you an invoice for $35.00 USD.’
Button: ‘View and Pay Invoice.’
Surely a scam, right?
Believe it or not, PayPal is actually responsible for this email, and if you log in to your account and check your PayPal dashboard, you will find an invoice waiting for you to pay. If you look closer, you will see that the payment is pending, even if you didn’t click that button.
A search on Twitter and user forums shows that this is happening to a lot of PayPal users right now. And this isn’t even something new. The party requesting payment is not always DirectRelief. Other organizations like the World Health Organization and GoDaddy are also popular to impersonate. The general email template, though, is very consistent.
.@AskPayPal PayPal doesn’t seem to have a reporting pathway for real invoices from fraudulent accounts. There’s a dodgy California Wildfires one going around with deliberate text obfuscation. Stay frosty, folks. pic.twitter.com/3Dwb6LKeLS— Bill Eager (@beager) August 30, 2020
According to Engadget, PayPal acknowledged the scams. The payment company stated, ‘We are aware of this and believe it to be a common scheme leveraging a brand name. We take every instance of potential fraudulent schemes seriously, have worked to remove the incorrect invoices, and ensure our customer’s information is secure. In addition to employing a range of sophisticated proactive detection and mitigation methods, if a situation does occur we’ll take swift action to protect our customer’s accounts.’
On PayPal, anyone can invoice anyone else. So, you may not be able to prevent this issue, but you can definitely react to it. You should, of course, dispute the transaction using PayPal tools. PayPal, with all of its hundreds of billions of dollars in the bank, doesn’t seem to be able to afford a 24/7 customer service center. Worse still, its resolution center is absent from the mobile app, forcing users to access it on the PayPal website.
Another annoyance is that you will have to wait for the transaction to go from ‘pending’ to ‘complete’ before you even have the option to report it. PayPal is clearly in a situation where its systems and, by extension, its users are left vulnerable.