Jason Evangelho πŸ§πŸŽ’Aug 15, 2025

There's a really disturbing #Paypal #phishing scam happening right now. Obviously this reads like a typical phishing attempt (bad grammar, a malformed phone number to call, etc), but the official Paypal email wasn't spoofed. It came from PayPal's email infrastructure.

Examining the headers shows that SPF, DKIM, and DMARC all pass. If you have a Paypal account, please exercise caution. Don't click links in these emails. Forward them to [email protected].

Please boost for visibility.

Show threadDr. Dek πŸ‘¨β€πŸš€πŸ§πŸš€ )Aug 15, 2025

@killyourfm "ready to get coding" at the bottom is extremely interesting.

They are probably exploiting some invite developer system. The same way scammers were using Google calendar invites and google drive file share to send spam and scam messages.

And that's why it would come from a paypal official mail server.

Show threadXenoPhage Aug 15, 2025
@portaloffreedom @killyourfm Came here to say the same thing. I wonder if the "store name" is that whole string including the phone number and warning about deduction from your card/bank …
Show threadEmelia/EmiAug 16, 2025
@XenoPhage @portaloffreedom @killyourfm That's exactly what it is. See the "invited you as a developer" at the end of the subject line. Unfortunately it's not a new technique (I remember reading someone's post on this exact exploit at least several months ago, possibly even longer) which means that PayPal still hasn't fixed it... (You'd think given the sheer amount of "someone put a banned word in the memo" automation they have that they could do something similar to trigger manual review of a store name...)
Show threadXenoPhage 
@becomethewaifu @portaloffreedom @killyourfm Plus the sheet length allowed as a store name.. Surely there’s a reasonable limit that can be added..
Aug 16, 2025 at 11:21pmWeb