I got a rather odd invoice via PayPal the other day; it looks like this:
Naturally the first thing I did was to look for spoof email indicators, but none of the usual suspects were showing up:
- It was from firstname.lastname@example.org
- The mail headers were legit
- The “View and Pay Invoice” button linked directly to https://www.paypal.com/
All of which struck me as quite odd, so I tweeted it out. I suggested that it was spam because that’s exactly what it looks like: whoever owns the email address email@example.com is soliciting visits to skrylcomputers.com, and the logo on that page is consistent with the one in the PayPal email. I subsequently had a very awkward to-and-fro via DM with PayPal:
@AskPayPal: Please send us a DM so we can discuss further
@troyhunt: Here is a DM!
@AskPayPal: Can you confirm what email address you received the email from?
@troyhunt: Yes, it came from firstname.lastname@example.org
@AskPayPal: Do you have an email address for the person invoicing you $0?
@troyhunt: Yes, the one in the screen grab!
@AskPayPal: There is no email address in the screen grab
@troyhunt: Yes there is, here’s a massively zoomed in pic for you
@AskPayPal: I recommend deleting that tweet, it has your personal info
@troyhunt: It has my email address – I get email by sharing it with people who might want to send me email!
And then they said something along the lines of never having seen this before and that they’d review it. And then that was all. Well, that was all from PayPal; I did have some follow-ups via Twitter:
Looks exactly the same! And another response:
So in short, without any feedback from PayPal or other evidence to the contrary, it looks like they’re serving as the delivery mechanism for spam which, of course, won’t be flagged as spam because it’s a “legitimate” email from them. The message in the “invoice” is quite clearly just that – spam – and this is almost certainly an abuse of the PayPal invoicing system.
I assume that there’s either no cost to the sender for a $0 invoice or it’s low enough to justify the upside of the spam. This is one they certainly should get on top of, though, and allow me to make a suggestion: the same account sending out volumes of $0 invoices is probably something that should raise a red flag!
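To make the suggestion concrete, here is an added example (my own code, not PayPal’s, and not from the original post) of the kind of abuse heuristic an invoicing platform could run over its own event stream. The event fields, the thresholds and the sample records are constructed for this illustration; the only value taken from the post is the skrylcomputers.com domain used in the spam memo. It flags an account that issues many $0 invoices to many distinct recipients and reports any links found in the memo text, which is the strongest sign that the “invoice” is really an advert.

```python
"""Abuse heuristic for bulk $0 invoices (added example, not PayPal's code).

Assumes a stream of invoice events carrying sender, recipient, amount and memo;
the field names, thresholds and sample records below are constructed for this
example and do not describe any real system.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Crude matcher for a URL or bare domain inside the free-text memo.
LINK_RE = re.compile(
    r"(?:https?://)?\b[\w-]+(?:\.[\w-]+)*\.(?:com|net|org|io)\b", re.IGNORECASE
)


@dataclass(frozen=True)
class InvoiceEvent:
    sender: str      # account that issued the invoice
    recipient: str   # email address the invoice was sent to
    amount: float    # invoice total in USD
    memo: str        # free-text message shown in the invoice email


# Constructed sample records (not real data): one abusive sender, and one normal
# merchant who also issued a single genuine $0 invoice (a credit, nothing due).
SAMPLE_EVENTS = [
    *[
        InvoiceEvent(
            "spammer@example.com", f"victim{i}@example.net", 0.0,
            "Great deals on laptops, visit skrylcomputers.com today!",
        )
        for i in range(6)
    ],
    InvoiceEvent("shop@example.com", "customer1@example.net", 49.99, "Order #1001"),
    InvoiceEvent("shop@example.com", "customer2@example.net", 120.00, "Order #1002"),
    InvoiceEvent("shop@example.com", "customer3@example.net", 0.0, "Credit applied, nothing due"),
    InvoiceEvent("shop@example.com", "customer1@example.net", 15.00, "Order #1003"),
]


def flag_zero_invoice_senders(events, min_zero_invoices=5, min_distinct_recipients=5):
    """Return {sender: summary} for accounts whose $0-invoice pattern looks like bulk spam.

    A sender is flagged when it has issued at least `min_zero_invoices` invoices for $0
    to at least `min_distinct_recipients` distinct addresses. The summary also lists any
    links found in those memos so a reviewer can see what the "invoice" is pushing.
    """
    zero_count = defaultdict(int)
    zero_recipients = defaultdict(set)
    zero_links = defaultdict(set)

    for ev in events:
        if ev.amount == 0.0:
            zero_count[ev.sender] += 1
            zero_recipients[ev.sender].add(ev.recipient)
            zero_links[ev.sender].update(
                m.group(0).lower() for m in LINK_RE.finditer(ev.memo)
            )

    flagged = {}
    for sender, count in zero_count.items():
        recipients = zero_recipients[sender]
        if count >= min_zero_invoices and len(recipients) >= min_distinct_recipients:
            flagged[sender] = {
                "zero_invoices": count,
                "distinct_recipients": len(recipients),
                "memo_links": sorted(zero_links[sender]),
            }
    return flagged


if __name__ == "__main__":
    for sender, summary in flag_zero_invoice_senders(SAMPLE_EVENTS).items():
        print(f"{sender}: {summary}")
```

Counting distinct recipients rather than raw invoice volume keeps a merchant who legitimately zeroes out one customer’s balance several times from tripping the rule, while an account blasting the same $0 “invoice” at strangers is caught after a handful of sends.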