Here's how easy it is for scammers to use PayPal to trick you

BY KERRY TOMLINSON, AMPERE NEWS

Cyber crooks have found an easy way to make fake PayPal invoices to send to you, with the goal of stealing your money and taking over your computer.

Here's how they do it.


Setting the trap

Behind the screen, cyber thieves are sniffing around for tools to use on you.

This one is a perfect match. With a few clicks, they can send you a real PayPal invoice to loot your money. We ran our own test to see how easy it is for attackers to use.

After creating a PayPal account, the under-dwellers simply click 'create an invoice.' They can add a logo to make it look professional, then type in your email address.

Add in the fake product, the lure, such as a large screen TV or a laptop, something that comes at a relatively high price. They can include a message to the customer and a return policy to make it look even more realistic, then hit 'send.'

The trap is set.

Taking a bite

You get the invoice, right in your inbox. You may open it and see a real PayPal invoice, a very professional document with the PayPal logo.

You might check the sender's email address. But it comes from a real PayPal address, service@paypal.com. That official address makes the message look more legitimate and helps it get past email filters trying to block spam and scams.

You might go a step further and check a second email address listed at the top of the email. In this case, the second address would be the owner of the account, not a PayPal address. But many people don't check.

If you click on 'pay invoice,' it will take you to your real PayPal account, if you have one, and the invoice will show up there, adding to the authenticity. You can click to pay right there in your account.

No need to pay

But thieves aren't trying to convince you to pay through PayPal. They're counting on you saying no and turning to the seller to stop this transaction.

In our demo, the seller's message says if you're not satisfied, please contact them within 48 hours for return and refund options, with a phone number and web site for easy cancellation.

You call or click for customer service, but you end up not with a real company, but with the thieves, playing right into their hands.

They'll ask for your credit card number, your PayPal password, or trick you into downloading malware onto your computer. That could allow them to transfer money out of your bank account without you knowing.

This scam can work whether or not you have a PayPal account. All the crooks need is for you to believe you’re being charged for something that you don’t want.

Handy Tool

Cyber attackers are making good use of these free, authentic invoices, according to reports from cybersecurity companies and people who have received the messages.

It may not be a free-for-all, however. When we tried to include a fake PayPal website address in our invoice, PayPal’s automated system would not allow us to create the invoice. But it did allow us to use other sites that do not exist and to try a number of different site addresses until we found one that worked. All in all, a quick and easy process.

Attackers also simulate PayPal invoices without going through PayPal itself. Those emails may be easier to spot because the sender's email is not a PayPal address.
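
For mail administrators: because the sender address is genuine, the usable signals sit in the seller's message, namely a phone number, a website that is not PayPal's, and a deadline. The following Python is an added example, not code from PayPal or from this report; the sample email, its layout and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: layout and wording are assumptions, not a captured PayPal email.
SAMPLE = """\
From: "PayPal" <service@paypal.com>
To: customer@example.org
Subject: Invoice from Example Electronics (0001)
Content-Type: text/plain; charset=utf-8

Example Electronics sent you an invoice for $899.00 USD.
Seller note to customer: If you are not satisfied, please contact us within
48 hours for return and refund options at +1 (555) 010-0199 or
https://refunds.example.net/cancel
View and pay invoice: https://www.paypal.com/invoice/p/#CONSTRUCTED
"""

PHONE = re.compile(r"(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_HOST = re.compile(r"https?://([^/\s:]+)", re.I)
DEADLINE = re.compile(r"\bwithin\s+\d+\s+(?:hours?|days?)\b", re.I)

def is_paypal_host(host):
    host = host.lower().rstrip(".")
    return host == "paypal.com" or host.endswith(".paypal.com")

def callback_lure_signals(raw):
    """Return the signals found in one raw RFC 5322 message (plain-text body)."""
    msg = message_from_string(raw)
    # The From header stands in for an authenticated-sender result (assumption).
    sender = parseaddr(msg.get("From", ""))[1]
    if not is_paypal_host(sender.rpartition("@")[2]):
        return ["sender-not-paypal"]  # look-alike mail, left to ordinary filtering
    body = msg.get_payload()
    signals = []
    if PHONE.search(body):
        signals.append("phone-number-in-body")
    foreign = sorted({h.lower() for h in URL_HOST.findall(body) if not is_paypal_host(h)})
    if foreign:
        signals.append("non-paypal-link:" + ",".join(foreign))
    if DEADLINE.search(body):
        signals.append("deadline-pressure")
    return signals

if __name__ == "__main__":
    print(callback_lure_signals(SAMPLE))
```

A message that raises all three signals is a candidate for a warning banner or quarantine review rather than automatic deletion, since legitimate sellers can also include contact details.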

What can you do?

Pay attention to the warning notices. At the bottom of the invoice, PayPal tells you to make sure you recognize the purchase and, if you don't, don't pay it; report it.

PayPal provided us with these tips:

  • Don't call the number in the customer message if you get an odd invoice.

  • Don't click on the link, reply or download any attachments.

  • Instead, log into your account separately and look up the company info in the invoice separately.

  • Forward the suspicious email to phishing@paypal.com, then delete it.

 
