Beware: PayPal subscriptions abused to send fake purchase emails

An email scam is abusing PayPal’s "Subscriptions" billing feature to send legitimate PayPal emails that contain fake purchase notifications embedded in the Customer service URL field.

Over the past couple of months, people have reported [1, 2] receiving emails from PayPal stating, "Your automatic payment is no longer active."

The email includes a customer service URL field that was somehow modified to include a message stating that you purchased an expensive item, such as a Sony device, MacBook, or iPhone.

This text includes a domain name, a message stating that a payment of $1,300 to $1,600 was processed (the amount varies by email), and a phone number to cancel or dispute the payment. The text is filled with Unicode characters that make portions appear bold or in an unusual font, a tactic used to try to evade spam filters and keyword detection.

"http://[domain] [domain] A payment of $1346.99 has been successfully processed. For cancel and inquiries, Contact PayPal support at +1-805-500-6377," reads the customer service URL in the scam email.
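A mail filter can undo the styled-Unicode trick by folding the field with NFKC before matching, and can flag a "Customer service URL" value that is not a bare URL. The following is an added example, not code from the article or from PayPal; the keyword list, regexes, function names and sample strings are assumptions constructed for illustration.

```python
import re
import unicodedata

# Patterns and keyword list are assumptions for illustration; tune for your pipeline.
LURE_WORDS = ("payment", "processed", "cancel", "support", "contact")
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{8,}\d")
AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
URL_RE = re.compile(r"https?://[^\s/]+(?:/\S*)?", re.IGNORECASE)

# Constructed sample modelled on the field text quoted in the article:
# placeholder domain, fictional 555 phone number, "PayPal" in Mathematical Bold.
BOLD_PAYPAL = "\U0001D40F\U0001D41A\U0001D432\U0001D40F\U0001D41A\U0001D425"
SAMPLE_FIELD = (
    "http://example.invalid example.invalid A payment of $1346.99 has been "
    "successfully processed. For cancel and inquiries, Contact "
    + BOLD_PAYPAL + " support at +1-202-555-0143"
)
BENIGN_FIELD = "https://www.example.com/help"


def styled_char_count(text):
    """Count characters that NFKC folds to a different ASCII letter or digit."""
    count = 0
    for ch in text:
        folded = unicodedata.normalize("NFKC", ch)
        if folded != ch and folded.isascii() and folded.isalnum():
            count += 1
    return count


def inspect_url_field(value):
    """Return the reasons a 'Customer service URL' value looks abused."""
    folded = unicodedata.normalize("NFKC", value)  # bold/styled glyphs -> ASCII
    lowered = folded.casefold()
    reasons = []
    if styled_char_count(value):
        reasons.append("styled-unicode")
    if not URL_RE.fullmatch(folded.strip()):
        reasons.append("not-a-bare-url")
    if PHONE_RE.search(folded):
        reasons.append("phone-number")
    if AMOUNT_RE.search(folded):
        reasons.append("dollar-amount")
    hits = [w for w in LURE_WORDS if w in lowered]
    if len(hits) >= 2:
        reasons.append("lure-words:" + ",".join(hits))
    return reasons
```

Because the sending domain and its authentication results are genuine, checks like these have to run on the message content rather than on sender reputation.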

PayPal subscription email used in scam

Source: BleepingComputer

While this is clearly a scam, the emails are being sent directly by PayPal from the address "[email protected]," leading people to worry their accounts may have been hacked.

Furthermore, as the emails are legitimate PayPal emails, they are bypassing security and spam filters. In the next section, we will explain how scammers send these emails.

The goal of these emails is to trick recipients into thinking their account purchased an expensive device and scare them into calling the scammer's "PayPal support" phone number.
