There's a really disturbing #Paypal #phishing scam happening right now. Obviously this reads like a typical phishing attempt (bad grammar, a malformed phone number to call, etc), but the official Paypal email wasn't spoofed. It came from PayPal's email infrastructure.
Examining the headers shows that SPF, DKIM, and DMARC all pass. If you have a Paypal account, please exercise caution. Don't click links in these emails. Forward them to [email protected].
Please boost for visibility.
@freaktechnik @killyourfm Almost makes you wonder if you could chose a username that would break havoc on their database. But then again, that would be their damage - not their customers'.
This approach supposedly is well known since a while, can't believe they don't want to implement some kind of sanity check - I mean this mouthful of a "username" ticks a ton of boxes.
@killyourfm "ready to get coding" at the bottom is extremely interesting.
They are probably exploiting some invite developer system. The same way scammers were using Google calendar invites and google drive file share to send spam and scam messages.
And that's why it would come from a paypal official mail server.
And that's all they need. According to statistics, spam accounts for 45~73% of all email traffic as of 2025, with about ~14.5+ billion spam mail sent a day.
If we assume that only 1% are actually opened, and that of those opened, only 1% of those 1% are fallen for, that's still 1.45 million spam emails being fallen for a day. Thats 10.15 million a week, 43.5 million a month, or ~530 million a year. And the number is likely higher and will only continue to grow as technology advances, especially as technological literacy seems to be in decline.
These emails aren't made to target everyone, they're designed to be mass mailed in the hope that someone, even one person, clicks on them. Especially as now, spam and phishing is less about immediate theft of money and the more permanent theft of PII, Personally-Identifiable Information, that is to be sold on the Black Market for who knows how much.
And once you fall for even one, you're more likely to be targeted as they know you previously fell for one. And this doesn't even take into account Spear Phishing, which is more a social engineering attack, to craft an email designed to specifically target an individual or entity (such as a corporation or institution)
Data Source: https://againstdata.com/blog/email-spam-statistics
@killyourfm This has been going on for a while, and it generally involves Paypal business accounts that have been hijacked. They allow the ability to send invoices, which is basically what these messages are because they come through paypal.com.
https://krebsonsecurity.com/2022/08/paypal-phishing-scam-uses-invoices-sent-via-paypal/
@briankrebs @killyourfm this one is a developer invitation, but it seems those are also limited to business accounts (or I couldn't find the button to invite people to my test app in the PayPal sandbox UI).
But it's quite pathetic that PayPal still can't solve this issue after knowing about it for years
@killyourfm I've gotten scam attempts sent as actual PayPal money requests, but with the "message" making it sound like something other than a "money request". Just blindly sent to tons of email addresses at once.
For the longest time, PayPal had no way to delete these from your "inbox"! Even after the offending account was deleted as fraud, the "money request" still appeared in my inbox. (I had dozens of them.)
I just cancelled my PayPal account.
They asked for the reason, and I was tempted to answer "Peter Thiel and Elon Musk", but why should I treat them with any information at all.
@killyourfm
It's all just data and you can take data.
All you need is to take the header of a legit PayPal mail, and stick your own body to it and you're golden.
@killyourfm
> There's a really disturbing # Paypal
... I think this can be reducetd to half of the first sentence.
Looks like it's sending you an invite to access a dev API. The message looks to be inserted in the username field. I wonder if this a real (i.e. using legit PP infrastructure for its intended purpose) email sent by an attacker who entered the message as a user handle & invited you as a developer to some sort of PP enterprise API project they control.
@killyourfm Putting phishing scams in legitimate fields of a legitimate service is... well, let's just say I've spent more than a little of my time chasing people like this. It gnawed the hell out of our deliverability when scammers and spammers started to get this clever: scam stuffed into usernames, scam in the agreement names, scam in the PDF, scam basically anywhere users are allowed to fill out a field.
I ran a lot of relays and had to do a lot of RBL removal begging. Product didn't care to put real limits on free usersβit'd eat into the funnelβso the entire service was constantly being degraded because of phishers. It's amazing how much bare-handed manual work went into mopping up and bandaid-ing over bad product decisions that made us accomplices to scamming the public.
guntbert
Jason Evangelho π§π
Martin Giger
Hans Meier 1312
Dr. Dek π¨βππ§π )
Nick Bisby
XenoPhage 
Emelia/Emi
Raptor 
Ferrus 
Nina Kalinina
Athena L.M.
Efi (nap pet) π¦π€
BrianKrebs
SeΓ‘n Fenian
ehurtley 
Projektionsyta
Glyph
Nate Allen
webhat
Adam Faircloth
Alison Wilder
Black Wolf 
the vessel of morganna
Mei Lin 
Self-Censored Fake Girl
FDA approved 
lychee
[Yaseenist] CauseOfBSOD
Popio
inamruzui
Rob Williamson
majick
Superdave!
inpc
Martin Seeger