With my initial scepticism high, I decided to investigate to see if someone had managed to spoof the domain of PayPal.com.
However, checking the DMARC and DKIM revealed that it was a genuine email from PayPal. With some further bewilderment as to why phishing emails are being sent from a genuine domain, I stumbled upon the PayPal invoicing API.
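The header check described above, as an added example that is not code from the original post: it parses the receiving server's Authentication-Results header (RFC 8601) and reports whether DKIM and DMARC passed with the signing domain aligned to the From domain. The two sample messages are constructed, as is the assumption that the receiving MTA added that header.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers in the shape a receiving MTA adds; not real PayPal mail.
# Case 1: signed by paypal.com, DMARC passes, From domain aligned (the post's scenario).
SAMPLE_GENUINE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=paypal.com header.s=pp-dkim1;
 spf=pass smtp.mailfrom=paypal.com;
 dmarc=pass header.from=paypal.com
From: "PayPal" <service@paypal.com>
"""
# Case 2: DKIM passes, but for an unrelated signing domain, so DMARC fails for paypal.com.
SAMPLE_SPOOFED = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=billing-notices.example header.s=s1;
 spf=pass smtp.mailfrom=billing-notices.example;
 dmarc=fail header.from=paypal.com
From: "PayPal" <service@paypal.com>
"""

def parse_auth_results(raw):
    # Returns {method: {"result": ..., "header.d": ..., ...}} for each method clause.
    results = {}
    for hdr in message_from_string(raw).get_all("Authentication-Results", []):
        clauses = [c.strip() for c in " ".join(hdr.split()).split(";")]
        for clause in clauses[1:]:  # clauses[0] is the authserv-id (the checking host)
            parts = clause.split()
            if not parts or "=" not in parts[0]:
                continue
            method, result = parts[0].split("=", 1)
            props = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
            results[method.lower()] = {"result": result.lower(), **props}
    return results

def from_domain(raw):
    return parseaddr(message_from_string(raw)["From"])[1].rpartition("@")[2].lower()

def aligned(a, b):
    # Simplified DMARC relaxed alignment: equal, or one is a subdomain of the other.
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def verify_sender(raw):
    res, fd = parse_auth_results(raw), from_domain(raw)
    dkim = res.get("dkim", {})
    dkim_ok = dkim.get("result") == "pass" and aligned(fd, dkim.get("header.d", ""))
    dmarc_ok = res.get("dmarc", {}).get("result") == "pass"
    # True means the mail really left that domain's infrastructure; it says nothing about the content.
    return {"from_domain": fd, "dkim_aligned": dkim_ok, "dmarc_pass": dmarc_ok,
            "authentic_sender": dkim_ok and dmarc_ok}
```

Running `verify_sender(SAMPLE_GENUINE)` reports an authentic paypal.com sender, which is exactly the result that makes an abused invoicing feature harder to spot than a spoofed domain.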
PayPal invoicing is a feature developed to ease the payment process for purchases made outside of PayPal. It allows businesses to send an email to their customer, invoicing them for the services/products that the business has provided. The problem is that scammers have worked out a way to generate a “genuine” invoice for a product that has not been purchased. This, in turn, tricks PayPal into acting on the scammers’ behalf, sending phishing emails to unsuspecting users.
We have approached PayPal to add more stringent checks on who can send invoices on the platform and how. As yet, we have not heard any response.