Look out for PayPal’s email money-laundering ploy 

Published July 29, 2022
Author: Ash Khan

If you are receiving invoices from PayPal, make certain they are not a hoax.

The fundamental question for hackers involved in phishing is how to get the malicious email past the email security controls that account holders have in place. After all, the majority of email service providers are adept at detecting and filtering spam and phishing emails.

Avanan cybersecurity researchers have discovered that some hackers have become more sophisticated. They leverage payment service providers such as PayPal to deliver phishing emails disguised as false invoices.

They do this by setting up a bogus PayPal account and impersonating a well-known brand. This is easy because creating a PayPal account is simple, quick, and, most importantly, free. They then issue fake invoices and send payment requests directly from the service.

Calling the scammers

PayPal always appears legitimate. Given that, email service providers have no choice but to let the email through.

The invoice will appear legitimate. It will include the brand logo, appropriate text, and a phone number for the unsuspecting recipient to call.

Unless they completely disregard the invoice, victims have two options at this point:

  1. Make the payment
  2. Call the stated phone number

Avanan refers to this attack as a “double spear”. In some situations, the hackers will have not only the victim’s email address but also their phone number, which may be used in future attacks.

The researchers alerted PayPal about this scam less than two weeks ago. The payment service provider has yet to comment on the situation. How it plans to resolve the issue remains to be seen.

Before calling an unknown service, everyone should run a Google search on the phone number shown on the invoice. They should also check their accounts to see whether there were any charges.

They should also use strict security measures on their endpoints, which check several indicators to determine whether an email is malicious. If you are unsure whether an email is legitimate, it is better to contact IT support.