Dear kotalik1 and others with a similar concern, TL;DR Summary: Please be aware that this particular phishing method is >highly< troublesome because the PayPal chatbot determined it to be an >>>authentic<<< email. Full details: We received a message at 13:49 (1:49PM) 01-Aug-2022. The email purports to be a “Note from Billing Department of PayPal.” It states, “There is evidence that your PayPal account has been accessed unlawfully. $1,000.00 has been debited to your account for the Walmart eGift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number[.]” We logged into our account through the app, not through any link in the email. There were no pending transactions or invoices, as we suspected - clearly indicating a phishing attempt. With knowledge that this was fraudulent, we made three phone calls to the number provided in the email, each from a different number. A person answered each of the three calls on the first ring. One answered, “PayPal Fraud Services.” The other two answered, “PayPal, how can I help you?” Their voices, we decided subjectively, were each different, two male, one female, and all three spoke in a way most customary to native English speakers from the Indo-subcontinent. There were discernible voices heard in the background. We began two of the calls by saying, “Good afternoon. Are you able to confirm that I’m speaking to a representative or agent authorized to conduct business for PayPal?” Both calls were immediately terminated. We did not hang-up; therefore, we assume the person who answered did. We began the third call by saying, “I just got an email about a transaction” and were then interrupted by the person who answered asking, “Yes, yes. What user name do you have?” In response, we said, “Give me a moment to find that. What’s your name?” The call, like the others, was terminated. We noticed that >unlike< other phishing emails, the sender’s email address is [removed]. It’s not an email address masked as a PayPal address. It is, in fact, the authentic PayPal(dot)com domain. We opened a chat window to report it, just as we have done with other fraudulent and suspicious emails, texts, and phone calls. The chatbot requested a plaintext copy of the email. Again, this is normal behavior. Upon sending it, the chatbot responded with this message. “Good news! I was able to confirm that the email your received was sent from PayPal.” The bot seems to be designed to isolate the sender’s address, extract the domain, and determine if that domain belongs to PayPal. Bots are codelettes, designed with simplicity in mind. A more robust authentication, such as querying all of PayPal’s mail servers or performing a lookup in the user’s account for a matching email would require more than a few lines of code, burden the system resources, and return a less-than-instant response to the end user. Understanding >how< this phishing email duped the chatbot into validating it is easy. What’s exceedingly perplexing is the ability to post an email to the SMTP servers at PayPal. The alternative possibility is even more troubling. That would be the commandeering of the actual user, [removed] domain. It has been about 2 hour 30 minutes without a response since we escalated our concern by requesting contact from a non-bot agent. We will update this post with additional information if so provided by PayPal. All the best!
