
Scammers Are Actively Exploiting PayPal’s “Send Money” Feature

By Bill Toulas / October 21, 2020

Wherever there is money, there are scammers, so the cases that involve crooks trying to trick PayPal users into sending them money are quite frequent. We have recently discussed cybersquatting techniques, how scammers treat simple defrauding over social media as daily jobs, and how cloned Instagram accounts can result in fraudulent money transactions.

Now, Avast has a story on abusing PayPal’s “Send Money” feature, detailing how easy and simple it could be for malicious actors to trick people into sending them money. PayPal gives users the option to send payment requests to up to 20 email addresses at once, so a scammer could abuse this for light or targeted spamming.

The recipient of the request doesn’t have to be a PayPal user, so having 20 valid email addresses would be enough. If they have a credit card, they can still make the payment to the user who requested the money, so they won’t even have to create a PayPal account to do it.

Avast’s researcher Michal Salát gave it a shot by sending requests to his colleagues to see what would happen. He wrote a message that should be an obvious giveaway of someone experimenting - but a scammer could have written something a lot more convincing and tricky, of course. The amount he asked for was set to $500, but actual actors typically ask for something in the range of $50 to $200.

Source: Avast

So, what happens out there is that hackers take over or buy access to other people’s PayPal accounts and start sending out money requests to valid email addresses. In other cases, actors simply create new PayPal accounts and follow the same process. After the requests have been distributed, the crook can even activate an automatically generated reminder that is emailed to the recipients again. It’s all so convenient, and there’s apparently no limit in place, so it can go on indefinitely.

If you receive a PayPal “Send Money” request from someone, double-check it by calling that person if you know them. If not, ignore the request as it is almost certainly coming from a scammer. If you send the money, it will be very hard to convince PayPal to revert that action.

Remember, the payment of bills or taxes isn’t requested through PayPal, and if anything urgent required your attention, the other party would have reached out in a more direct way.


