Cybercriminals Employ TOAD Attack Variation Against PayPal Customers
PayPal, the American fintech company, is currently facing a fake-invoice attack orchestrated by cybercriminals. This incident comes shortly after PayPal announced a partnership with OpenAI aimed at integrating payments and commerce directly within the ChatGPT platform by 2026.
Security experts have identified a new wave of fraudulent activity in which cybercriminals are using a variation of a TOAD (Telephone-Oriented Attack Delivery) attack to target PayPal users with fake invoices. This method involves sending an invoice or money request through what appears to be a legitimate PayPal email address, or through a dummy email address designed to mimic PayPal.
The fraudulent invoices typically list products or services that the recipient has never ordered, serving as a critical red flag for users to identify the scam. Security analysts have warned that recipients may receive an email from a genuine PayPal email address containing an invoice for a substantial purchase they did not make, along with a phone number to contact for disputing the charge.

A TOAD threat typically involves a PDF invoice or a similarly official-looking document. The accompanying message often employs urgency and plays on the fear of financial loss to pressure victims into calling a phone number controlled by the attackers. Reports indicate that this specific attack has been active for approximately a week.
A particularly concerning aspect of this attack, as highlighted by security researchers, is that the invoices are being sent from genuine PayPal account emails. While the email itself may appear authentic, the invoice is a fabrication designed by cybercriminals aiming to steal credit card details.
Experts caution that if a user calls the phone number provided in such an email, they will not be connected to PayPal's official support team but rather to a fraudster seeking sensitive information, including credit card details, PayPal account credentials, or direct monetary payment.
Further details reveal that the body of these scam emails is often blank, with only the invoice attached. This is another significant red flag, as PayPal typically does not send invoices or communications in this manner.
Upon opening the attachment, users are presented with a message following the standard TOAD process, such as: "Your account has been billed $823.00. The payment will be processed in the next 24 hours. Didn’t make this purchase? Contact PayPal Support right now."

Pieter Arntz, a malware intelligence researcher at Malwarebytes who received one of these emails, noted that the messages appear to have been sent out in bulk. He also observed that some emails were not sent from a PayPal address at all but from random Gmail accounts, which is another clear indicator of a scam.
Additionally, Arntz pointed out that the emails were sent using BCC (blind carbon copy), indicating that hundreds of recipients received the message simultaneously. He reiterated that PayPal would never send an invoice in such a manner.
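As an added illustration, not code from the article or from any vendor named in it, the following triage script checks a raw email for the red flags described above: BCC-style delivery with no named recipient, a sender whose display name says PayPal but whose address is not a paypal.com address, a blank body with a PDF attached, and an invoice note that combines a charge amount, urgency wording and a callback number. The sample messages and the phone number in them are constructed for the example.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed samples, not real phishing messages. Sample 1: PayPal-domain sender,
# BCC-style delivery, invoice note with a charge, urgency and a callback number.
SAMPLE_NOTE = b"""From: "PayPal" <service@paypal.com>
To: undisclosed-recipients:;
Subject: Invoice from PayPal
Content-Type: text/plain

Your account has been billed $823.00. The payment will be processed in the
next 24 hours. Didn't make this purchase? Contact PayPal Support right now
at +1 555 010 0199.
"""
# Sample 2: consumer-mailbox sender posing as PayPal, blank body, PDF attached.
SAMPLE_BLANK = b"""From: "PayPal Billing" <billing.notice@gmail.com>
To: undisclosed-recipients:;
Subject: Invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain


--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"

%PDF-1.4
--b1--
"""
URGENCY = re.compile(r"right now|within 24 hours|didn.t make this purchase", re.I)
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")       # loose phone-number shape
AMOUNT = re.compile(r"\$\s?\d[\d,]*\.\d{2}")        # e.g. "$823.00"

def toad_indicators(raw: bytes) -> list[str]:
    # Parse one raw RFC 5322 message and return the red flags it exhibits.
    msg = message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    to = str(msg.get("To", ""))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().strip() if body_part is not None else ""
    attachments = [str(p.get_filename() or "") for p in msg.iter_attachments()]
    checks = {
        "no_named_recipient": "@" not in to,  # bulk BCC: nobody named in To:
        "lookalike_sender": "paypal" in name.lower() and not addr.lower().endswith("@paypal.com"),
        "blank_body_with_attachment": not body and bool(attachments),
        "pdf_invoice_attached": any(a.lower().endswith(".pdf") for a in attachments),
        "urgency_language": bool(URGENCY.search(body)),
        "callback_number_with_charge": bool(PHONE.search(body) and AMOUNT.search(body)),
    }
    return [flag for flag, hit in checks.items() if hit]
```

A message that trips several of these checks is a candidate for quarantine and user notification rather than proof of fraud on its own; a genuine PayPal invoice can legitimately arrive from a paypal.com address, which is exactly why the content checks matter.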
PayPal's Response and Customer Protection Measures
This development underscores the sophisticated methods fraudsters are employing to scam unsuspecting users. In response to the ongoing attack, PayPal issued a "Do not pay, Do not Phone" warning to the public.
The company advised that anyone receiving an unexpected or suspicious invoice or payment request, regardless of whether it appears to be from PayPal or another service, should refrain from paying it or responding to it.
PayPal stated that it is actively adapting to the evolving tactics and methods used by scammers and is implementing all necessary measures to protect its customers. These measures include manual investigations, employing technology to prevent fraud, and taking proactive steps such as limiting scam accounts and declining risky transactions.
"We do not tolerate fraudulent activity on our platform, and our teams work tirelessly to protect our customers," a PayPal spokesperson stated. "We are aware of this phishing scam and encourage people to always be vigilant online and mindful of unexpected messages."

The company urged customers to report any unwarranted invoices or money requests by logging into their account via the web or the PayPal app. To report a suspicious email or website, users can forward it to phishing@paypal.com and then delete the original email from their inbox.
PayPal's Tips for Staying Safe
In an effort to enhance customer security, PayPal has provided specific tips for users to remain vigilant and avoid falling victim to these scams. The company highlighted several ways in which invoice and money request scams can manifest:
- Receiving an invoice or money request through PayPal for a product or service that was never ordered.
- Receiving an invoice or money request through PayPal that contains an alarming message, possibly directing users to call a fake customer service number to obtain personal or financial details over the phone.
- Receiving a fake invoice or money request via email that is designed to look like a genuine PayPal email. Users are strongly advised never to click on any links or call any phone numbers within a suspicious email.
As a recap, PayPal advises users: When you receive a suspicious invoice or money request, do not pay it. Do not call any phone numbers listed in the invoice note, and do not open suspicious URLs. Furthermore, never send money to a cryptocurrency wallet mentioned in an invoice or money request.