11.02.2025 - Criminals are using an interesting scam to lure unsuspecting victims into calling a fake PayPal number. All they need is a PayPal account and a free service provided by Microsoft.
With a little experience, scam messages are often relatively easy to spot. You can tell that the sender address is fake by looking at it closely. In some cases, scammers will register their own domains that look similar to the domain of the company they claim to be. This is also easy to spot.
Is it a scam or not?
However, there is a feature in PayPal that makes it possible for scammers to get around this problem. In addition, they use Microsoft mailing lists to forward their phishing messages to a large number of people. Victims targeted by this type of scam receive legitimate-looking emails that come from PayPal and contain links to the PayPal server. There is nothing to indicate that it is a scam message – and yet it is a scam. How is this possible?
Mailing lists
Microsoft allows you to register temporary subdomains for free. Naturally, this appeals to scammers. They create mailing lists on these subdomains for all the email addresses to which they want to forward their phishing emails.
Example mailing list address:
«mylist@example.onmicrosoft.com»
Example emails included in the mailing list:
«user1@example.com» and «user2@example.com»
How it works: when the scammers send a message to the «mylist@example.onmicrosoft.com» mailing list, Microsoft automatically forwards the message to «user1@example.com» and «user2@example.com». Microsoft adjusts the security features so that the message does not trigger the recipients’ filters – everything appears to be fine.
The PayPal transaction
In a second step, the scammers set up a PayPal account. From this account, they send a request for money or a money transfer message that includes text saying that if anything is unclear, the recipient should call the phone number provided. What the victims don't know is that the number is not, in fact, PayPal's. It belongs to the scammers.
PayPal does not allow mass messaging – you can only send one message per transaction. To get around this, the scammers send their scam message to their own Microsoft mailing list address, which they have set up specifically for this purpose. So the PayPal message is sent to the Microsoft address, which then forwards it to all the addresses on the mailing list.
The scam
Everyone whose email address is on the mailing list receives the same message from PayPal saying that a transaction is pending and that there may be a problem with it. The scammers' goal is to get their targets to call the bogus support number provided. This is known as a call-back scam.
Victims who call the fake support number are usually told by the scammers that they have been contacted because they have been the target of a (different) fraud attempt or because a transaction could not be processed correctly. The scammers can then proceed in a number of ways:
- They may claim that an erroneous transfer (which does not actually exist) needs to be refunded;
- In other cases, the scammers' aim is to get the victim to give them remote access to their device. The scammers can then install malware or access their victim's e-banking accounts;
- In other cases, scammers use voice phishing to trick victims into revealing passwords or credit card information.
Recommendations
- Ask yourself if the request or transfer seems plausible. Do you know the person/company or are you expecting such a transaction? The recipient's address is a good indicator: if you are not the direct recipient of the message, be extremely cautious. A plausible request for money or a transfer would be sent directly to you, not to some Microsoft address you don’t know;
- If you are a PayPal customer and you get a suspicious email, you can log in to PayPal directly (not via the link provided in the suspicious email!) to see all open transactions;
- Only call PayPal using the official phone number on their website;
- Never give out personal details, passwords or credit card information over the phone;
- Do not install any software on the instructions of anyone claiming to be a support staff member.
Current statistics
Last week's reports by category:
Last modification 11.02.2025
