I can often easily spot phishing scams, but around a month before penning this piece, I very nearly fell victim to one. It was one of the most legitimate-looking emails I’ve received, which made it even scarier. Fortunately, I acted fast to reduce the damage.

What Did the Scam Look Like?

One afternoon, I was innocently checking my Gmail inbox. Most of the messages weren’t anything to shout home about, but one in particular.

Its subject line?

“Your Invoice for $999” from an account claiming to be PayPal. According to this email, I had purchased something from eBay. For context, I’m based in Denmark, and we don’t have eBay here. I haven’t used the website for over four years, since I was living in the UK.

While I’ve heard of common eBay scams, this was the first time I thought someone had used my account. So, as anyone would, alarm bells started ringing in my head. Had someone stolen my payment details? If so, how did they get them?

Why Did I Almost Fall for the Scam?

While I know the most common phishing attacks, this scam initially felt legitimate for several reasons. First, Gmail didn’t mark it as dangerous, and it ended up in my main inbox folder. Gmail is often very good at determining when someone’s trying to scam you. Usually, I see a message like this:

Another reason why this scam attempt initially looked legitimate is because it used the same formatting as you’d expect from a PayPal invoice. I use PayPal quite frequently, and its branding is pretty familiar. To their credit (I guess), the scammer did a good job of mimicking a PayPal invoice. Clearly, someone had spent a lot of time learning how to use design software.

Thirdly, the email featured good spelling and grammar. One of the easiest ways to spot phishing emails is poor use of English, but that wasn’t the case this time.

Why I Realized I Was Being Scammed

I always adopt a zero-trust policy with my emails if I know I haven’t bought a product or service. Since I was on high alert, I started looking for signs of being scammed; I usually receive a notification when money goes out of my PayPal account, so I initially checked my phone. But I saw nothing, so I started digging deeper.

Secondly, I noticed no verified tick next to the email. Every PayPal email address I’ve noticed in Gmail has a blue checkmark, but that wasn’t the case with this scam email. For example, when I contacted PayPal about the issue, you can see the verified tick next to their official account:

I also realized that the email address wasn’t associated with PayPal. Although quite similar, it didn’t use an official PayPal domain.
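
The sender-domain check described above can be automated. The following Python is an added example, not part of the original article: it flags a message whose From address uses the PayPal name on a domain that is not official, and whose receiving server recorded no DMARC pass. The allowlist containing only paypal.com, the sample messages and the example.net / example.org addresses are assumptions constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: paypal.com is the only domain allowlisted here; extend the set
# with any regional domains you genuinely receive PayPal mail from.
OFFICIAL_DOMAINS = {"paypal.com"}
BRAND = "paypal"

def is_official(domain):
    """True only for an allowlisted domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)

def dmarc_pass(msg):
    """True if an Authentication-Results header records dmarc=pass.
    Only trust this header when your own mail server added it."""
    results = msg.get_all("Authentication-Results") or []
    return any("dmarc=pass" in str(r).lower() for r in results)

def check_invoice_email(raw):
    """Return a list of red flags for a message that claims to be from PayPal."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if not is_official(domain):
        # A lookalike can pass DMARC for its own domain, so check the domain first.
        if BRAND in display.lower() or BRAND in domain:
            flags.append(f"brand name used by non-official domain: {domain}")
        else:
            flags.append(f"sender domain is not official: {domain}")
    if not dmarc_pass(msg):
        flags.append("no dmarc=pass recorded by the receiving server")
    return flags

# Constructed sample messages (not real mail).
FAKE = """From: "PayPal Billing" <service@paypal-invoices.example.net>
Subject: Your Invoice for $999
Authentication-Results: mx.example.org; dmarc=pass header.from=paypal-invoices.example.net

You purchased an item on eBay.
"""
REAL = """From: PayPal <service@paypal.com>
Subject: Receipt for your payment
Authentication-Results: mx.example.org; dmarc=pass header.from=paypal.com

Thanks for your payment.
"""

if __name__ == "__main__":
    for name, raw in (("fake", FAKE), ("real", REAL)):
        print(name, check_invoice_email(raw))
```
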

How I Minimized the Damage

Unfortunately, there are numerous PayPal scams, and while prevention is the best option, you’ll sometimes need to enter damage limitation mode. I took some essential actions to minimize the potential impact, which I’ve listed below.

1. I Did Not Reply to the Email

It was vital to take a step back and not do anything I may have regretted, such as responding to the email. A scammer isn’t going to admit that they’re trying to take money from you, and I would have gotten nothing from doing so.

Instead of responding to the email I received, I later sought official customer support. While I initially deleted the message, I reversed it so I could forward it to the authorities.

2. I Didn’t Hand Over Any Important Details

You’ll sometimes receive scam attempt emails that ask for sensitive information, such as your bank details. Under no circumstances should you ever give these details. No company will ask you to submit such information via email, so you’re putting yourself in needless danger.

I made sure that the scammer didn’t have access to anything important. They clearly knew my PayPal email address because otherwise, they wouldn’t have been able to send me a message. So, I changed my password. This experience also reminded me that it’s so important to enable two-factor authentication (2FA) for your PayPal account.

Besides securing my PayPal account, I also wanted to confirm that someone couldn’t access my account. My next step was to check my linked bank accounts and statements to ensure there weren’t any strange invoices. Thankfully, there weren’t.

I’ve been scammed once before, and when this happened, I immediately canceled my bank cards. Because I acted fast, the bank could also cancel the transaction. So, I adopted the same principles this time.

4. I Reported the Fake Invoice to PayPal

It would’ve been very easy to sit back and relax after confirming that I hadn’t fallen victim to a phishing scam. However, I also did not want others to experience what I had. PayPal has an email address that deals with phishing attempts, and I forwarded the fake invoice to this.

I don’t know if that did anything, but I at least did everything that I could. You can do several other things to determine if a PayPal email is genuine or phishing before sending it to the company.

You should never click on links from emails that you don’t recognize, and I applied the same logic in this situation. Even if these links looked like they were from PayPal or eBay, I didn’t want to risk infecting my computer with malware.

Once I sent the invoice to PayPal, I deleted the email and blocked the sender’s address. At the very most, any future scam attempts should appear in my Spam folder rather than the main inbox.

My Advice for Anyone Who Might Fall Victim to This Scam

If you receive a phishing email, I suggest doing everything I did here. Always look for intricate details that could be red flags, such as illegitimate email addresses and no verification checkmark. Never reply to the message or click on any links, either.

You should also check your bank account and contact them so they know what’s happened. If you use eBay, I suggest contacting its customer support team to ensure nobody has bought something from your account. Moreover, you should check your purchase history.

It’s also vital that you don’t give any sensitive information to the scammer. If you want to go a step further, your email client should let you report a message as phishing.