
Paypal email spoof or phishing


ihrsetrdr

Señor Senior Member
Joined
May 17, 2005
Location
High Desert, Calif.
:unsure::bang head This morning I got a disturbing email stating that my PP account would be billed $265.79 for- Item name:BITCOIN

Dear Member,

Thank You for choosing Paypal for placing your Order BITCOIN.

Your order has been successfully placed.

The Payment will be shown within next 5 to 10 hours on PAYPAL.

PRODUCT INFORMATION

Memo Id : GNIH#255CGS

Item Name : BITCOIN

Order Placed Date : 16/O6/2022

Price : 265.79 USD

Mode of payment : Paypal

If you Wish to Cancel then please feel free to contact our Billing
Department as soon as Possible.

You can reach us on +1 (8 8 8) - (8 3 2) - (1 8 4 1)


Regards,

Paypal Billing Department

Not wanting any trouble with my money, I called Paypal in the hopes of taking preemptive action. Of course had to play their AI's silly games, then was invited to either return to the Main Menu or be disconnected. I asked for "representative" and promptly got the 'hung-up-on' tone. :bang head

I googled "Thank You for choosing Paypal for placing your Order BITCOIN" and got numerous results pointing to this being a simple spoof. I'm not sure what the point is, there was no clickable link in the email, maybe they just wanted to screw up my mood....:unsure:
 
Phishing/spam.

Who is the email 'from'? A full image of the email with the headers is more informational than a copy paste.:)

What's the attachment?

Curious.. did you call the number in the email or paypal?
 
I just noticed an attachment in my first post, not sure what that was, deleted.

I did not call the number in the email, I found PP's # off their website.

Here is a full image of the original message (I edited out my own email addy)... might not be readable, so a copy paste follows:

edited-screeny.png





" Delivered-To: a***********[email protected]
Received: by 2002:a17:90a:e556:0:0:0:0 with SMTP id ei22csp347235pjb;
Thu, 16 Jun 2022 07:02:39 -0700 (PDT)
X-Received: by 2002:a5d:6882:0:b0:21a:2e66:b14a with SMTP id h2-20020a5d6882000000b0021a2e66b14amr4854332wru.306.1655388158674;
Thu, 16 Jun 2022 07:02:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1655388158; cv=none;
d=google.com; s=arc-20160816;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=to:subject:message-id:date:from:mime-version:dkim-signature;
bh=hlxcP11LyXPjZmjj8mMenCC7ieM8mp1qNOF9xcs9iy4=;
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass [email protected] header.s=20210112 header.b=kmv7vgl2;
spf=pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) smtp.mailfrom=[email protected];
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <[email protected]>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
by mx.google.com with SMTPS id d2-20020adf9b82000000b00210233d7149sor1039343wrc.16.2022.06.16.07.02.38
for <a***********[email protected]>
(Google Transport Security);
Thu, 16 Jun 2022 07:02:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=20210112 header.b=kmv7vgl2;
spf=pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) smtp.mailfrom=[email protected];
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20210112;
h=mime-version:from:date:message-id:subject:to;
bh=hlxcP11LyXPjZmjj8mMenCC7ieM8mp1qNOF9xcs9iy4=;
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=hlxcP11LyXPjZmjj8mMenCC7ieM8mp1qNOF9xcs9iy4=;
X-Gm-Message-State: AJIora+siMDgBqgdYeH1lhXivwpY1OGFaDHPGX0q6CPp80L4Cz82m4QB puYeRTniGyEy6e7rMNeCVGXivB9tCablFZfXwK8IKPJzHE4zhKXdPJPHcD23
X-Google-Smtp-Source: AGRyM1u/ohAra3ui1TbvKu+pqBTUo4znp9UbI5itJQI6ArGsA8VUwSjnSC7a5KUxouTC0wafgy86VEno6LAlh3YuQYk=
X-Received: by 2002:a05:6512:159f:b0:479:40e9:2945 with SMTP id bp31-20020a056512159f00b0047940e92945mr2696883lfb.95.1655388147235; Thu, 16 Jun 2022 07:02:27 -0700 (PDT)
MIME-Version: 1.0
From: pay pal <[email protected]>
Date: Thu, 16 Jun 2022 06:25:10 -0700
Message-ID: <CAPf64s-AbLGmQH0JQqgAaR8prd5yeD2tX1Gw0vLfsx81APAZ_A@mail.gmail.com>
Subject: Thank you for your purchase
To: [email protected]
Content-Type: text/plain; charset="UTF-8"
Bcc: a***********[email protected]

Dear Member,

Thank You for choosing Paypal for placing your Order BITCOIN.

Your order has been successfully placed.

The Payment will be shown within next 5 to 10 hours on PAYPAL.

PRODUCT INFORMATION

Memo Id : GNIH#255CGS

Item Name : BITCOIN

Order Placed Date : 16/O6/2022

Price : 265.79 USD

Mode of payment : Paypal

If you Wish to Cancel then please feel free to contact our Billing
Department as soon as Possible.

You can reach us on +1 (8 8 8) - (8 3 2) - (1 8 4 1)


Regards,

Paypal Billing Department
"
 
"From: pay pal help paypalhelp######@GMAIL.COM"

PayPal isn't a Gmail.... among other things that stick out.
 
I get these all the time, something similar each time.
I've noticed legit PayPal emails have your actual name in them, scammers just say member.
Also that O (oh) instead of 0 (zero) partly down the message is a pretty decent giveaway.

I wouldn't worry about it, just block it and report as spam and move on with life.

If someone is going to try and get into your PayPal account they aren't going to send you an email about it.
I had that happen too, somehow someone managed to try to debit my PayPal account for the exact amount I had in my linked bank account but it was denied because, one, it needed confirmation from me which they never got, and since it was a suspicious transaction the PayPal account got locked till I did the hoops to get it unlocked. This was about 15 years ago now though.
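
The giveaways named in the replies above (a "pay pal" display name on a Gmail address, SPF/DKIM/DMARC passing only for gmail.com, delivery by Bcc, "Dear Member", a letter O in the date, a phone number with no link) can be checked mechanically. The following is an added example, not code from any poster in this thread; the sample message is constructed, its addresses and phone number are placeholders, and `BRAND_DOMAINS` is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message in this thread; addresses and
# phone number are placeholders, not values from the original email.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@gmail.com; spf=pass smtp.mailfrom=sender@gmail.com;
 dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
From: pay pal <sender@gmail.com>
To: someone-else@example.org
Subject: Thank you for your purchase

Dear Member,

Thank You for choosing Paypal for placing your Order BITCOIN.
Order Placed Date : 16/O6/2022
You can reach us on +1 (8 0 0) - (5 5 5) - (0 1 0 0)
"""

BRAND_DOMAINS = ("paypal.com",)  # assumption: domains the brand really sends from


def triage(raw, recipient):
    """Return the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    flags = []
    on_brand = any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)
    if "paypal" in re.sub(r"\W", "", display).lower() and not on_brand:
        flags.append("brand-display-name-from-" + domain)
        # A DMARC pass here only vouches for the real sending domain, not the brand.
        if "dmarc=pass" in msg.get("Authentication-Results", ""):
            flags.append("auth-pass-for-unrelated-domain")
    if recipient.lower() not in msg.get("To", "").lower():
        flags.append("recipient-not-in-to")  # the thread's message arrived via Bcc
    if re.search(r"^dear (member|customer|user)\b", body, re.I | re.M):
        flags.append("generic-greeting")
    if re.search(r"\b\d{1,2}/(?=[\dOo]*[Oo])[\dOo]{1,2}/\d{4}\b", body):
        flags.append("letter-o-in-date")
    # Collapse spaced-out digits such as "(8 0 0)" before looking for a phone number.
    if re.search(r"\d{10,}", re.sub(r"[\s()+.-]", "", body)) and "http" not in body.lower():
        flags.append("callback-number-no-link")
    return flags
```

The "auth-pass-for-unrelated-domain" flag is the one that matters when reading the pasted headers: every check passed, but for gmail.com, so the passes say nothing about PayPal.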
 
Yep. Obvious is obvious. Automata made a great point... to check and keep an eye on your PayPal account.
 
Yet another spoof email today, more alleged Bitcoin purchases through PP. How weird, Gmail does a remarkable job of filtering out spam & garbage emails that when some does sneak into my Inbox it's conspicuous.

Probably just a co-incidence, but the spoof showed up around the time a couple [legitimate] automatic Paypal payments occur....
 
I'm sure if someone calls that number they will ask for account info confirmation and/or CC info. Also they get your contact information which will be needed to change account contact info once they are in. We see these types of fake emails in the financial industry all the time. Clients call them thinking it's their bank and gladly give their login info.
 
If it wasn't profitable, they wouldn't do it. PayPal is an easy choice as there are 10's of millions of users. Bitcoin because everyone is talking about it. Two things that they are hoping will trick you into calling them. By having you call them, they have vetted their "mark" to some degree. The minority of callers will just call to mess around with the phishers. The vast majority of callers will have some buy-in already as they read the email and believe that they have a problem and a number for the solution.

Social engineering.

They send out several millions of these emails in hopes that it will be coincidental enough or believable enough to get you to call. I doubt that it's any more complicated than that. They only need a very small fraction of recipients to call for them to make bank.
 