PayPal Under Siege: Fake Invoice Attack Rocks Tech Giant Post-OpenAI Deal!

Published 1 month ago · 3 minute read

PayPal, the American fintech giant, has recently been subjected to a sophisticated fake invoice alert attack orchestrated by cybercriminals. This incident comes shortly after PayPal announced a strategic partnership with OpenAI to integrate payment and commerce functionalities directly into the ChatGPT platform by 2026. Security experts at KnowBe4, as cited in a Forbes report, revealed that these cybercriminals are employing a variant of Telephone-Oriented Attack Delivery (TOAD) to target PayPal users with fraudulent invoices.

The modus operandi of the scam involves perpetrators sending an invoice or money request through a seemingly genuine PayPal email address, though some instances have shown emails originating from random Gmail accounts. The invoices typically list products or services that the user never ordered, serving as a primary red flag. These fraudulent communications often feature a phone number for users to call if they wish to dispute the charge, intending to connect victims directly with fraudsters rather than legitimate PayPal support. Security analysts at KnowBe4 explicitly warned, “You receive an email from a real PayPal email address which contains an invoice for a large purchase you did not make, and a phone number for you to call if you want to dispute the charge.”

A TOAD threat characteristically includes a PDF invoice or another official-looking document, coupled with messaging designed to create urgency and fear of financial loss. The ultimate goal is to persuade victims to call an adversary-controlled phone number. What makes this particular attack concerning, as highlighted by KnowBe4, is the use of genuine PayPal account emails for sending the invoices. While the email's sender address is authentic, the invoice itself is a scam meticulously orchestrated by cybercriminals aiming to illicitly obtain sensitive information such as credit card details, PayPal account credentials, or direct cash payments. Malware intelligence researcher Pieter Arntz from Malwarebytes, who also received one of these scam emails, noted that the email body was often blank, containing only the invoice as an attachment. He also observed that these emails were frequently sent to a blind carbon copy (BCC) list, reaching hundreds of recipients simultaneously—practices uncharacteristic of legitimate PayPal communications.
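The warning signs described above (delivery via a BCC list, a blank body carrying only an attachment, and a callback number) can be checked mechanically during mail triage. The following Python sketch is an added example, not code from PayPal, KnowBe4 or Malwarebytes; the function name `toad_indicators`, the indicator labels and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Loose phone pattern; long order numbers can also match, so treat hits as triage hints.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")

# Constructed sample: all addresses, the phone number and the invoice are made up.
SAMPLE = """\
From: billing@paypal.example
To: invoice-list@example.net
Subject: Invoice 0000 - call +1 (555) 010-0199 to dispute
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8


--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

def toad_indicators(raw, recipient):
    """List the article's warning signs found in one raw message.
    The From address is deliberately not scored: the page notes that the
    sender can be a genuine PayPal address while the invoice is still a scam.
    """
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    shown = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses([str(h) for h in shown])}
    if recipient.lower() not in visible:
        hits.append("bcc_delivery")  # we got it without being a listed recipient
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body else ""
    if list(msg.iter_attachments()) and not text:
        hits.append("blank_body_with_attachment")
    if PHONE_RE.search(f"{msg['Subject'] or ''} {text}"):
        hits.append("callback_number")
    return hits

if __name__ == "__main__":
    print(toad_indicators(SAMPLE, "victim@example.org"))
```

The sketch only inspects headers and the text body; a callback number printed inside the attached invoice is not seen, so a blank body with an attachment should be escalated on its own.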

In response to the escalating fraudulent activity, PayPal has issued a public warning advising users to “Do not pay, Do not Phone.” The company urged anyone receiving an unexpected or suspicious invoice or payment request, regardless of whether it appears to be from PayPal or another service, to neither pay it nor respond to it. PayPal affirmed its commitment to protecting customers by actively responding to the continuous evolution of scamming tactics. This includes implementing measures such as manual investigations, deploying advanced technology to prevent fraud, and taking proactive steps like limiting scam accounts and declining risky transactions. The company emphasized, “We do not tolerate fraudulent activity on our platform, and our teams work tirelessly to protect our customers. We are aware of this phishing scam and encourage people to always be vigilant online and mindful of unexpected messages.”

To help customers protect themselves, PayPal has provided crucial tips. Users are advised to report any unwarranted invoices or money requests by logging into their account via the web or the official app. For suspicious emails or websites, users can forward them to [email protected] and subsequently delete them from their inboxes. Key recommendations include: never paying suspicious invoices; never calling any phone numbers listed in the invoice note; avoiding clicking any links or opening suspicious URLs within such emails; and never sending money to a cryptocurrency wallet mentioned in an invoice or money request. These guidelines aim to prevent users from falling victim to scams that exploit fear and urgency to trick them into divulging personal and financial details.
