My friend called me recently in a panic. It seemed that his PayPal account was hacked. He was worried that hackers would use it to pay for things and drain his bank account (via direct debit). As usual, my advice to him was to disconnect his bank and credit card that were linked to his PayPal and quickly call his bank if it was not possible.
In the early stage of any hack, there will be a lot of confusion. You may not know what is going on in the fog of war. You may even not know what hit you. In this case, contrary to what he initially believed, my friend ultimately realised that his PayPal account wasn’t hacked after all. After analysing the situation, we worked out what exactly happened. It was a scammer, not a hacker.
So, what really happened? He first received an actual invoice on PayPal:
This invoice appeared when he logged into PayPal. However, the sender of this invoice was fake. It was NOT from Kogan, a legitimate retailer in Australia. The scammer pretended to be from Kogan.
Next, look at what was circled in red in the above image. The scammer made use of the space allowed by PayPal to write his note and T&C to insert fake information that impersonates official instructions from PayPal. The phone numbers in that ‘official instruction’ from PayPal belonged to the scammer.
In his panic, my friend called the phone number, thinking that he was calling PayPal.
He asked ‘PayPal’ whether he should be changing his password. The scammer told him to wait 5 minutes because he needed time to stop the ‘hackers’ from sending him more fake invoices. The scammer told my friend that he could see ‘hundreds’ more invoices coming his way, increasing the fear in my friend’s mind.
Then the scammer, who was pretending to be PayPal, offered to ‘help’ my friend by closing his PayPal account. To do that, he needed to send him an email with a link to close his email account. But the scammer had a problem: he could not spoof PayPal’s email address. So, he lied by saying that since ‘hackers’ were intercepting his email to my friend, he could only get around that by sending that email from a Gmail account:
In hindsight, that should have been a red flag to my friend that it was a scam. When ‘PayPal’ start sending emails to you from a Gmail account, it is a clear indication that they are not from PayPal.
When my friend hovered his mouse over “Cancel Now”, he noticed it was a link to download a .exe program. When my friend told the scammer that he could not run the .exe program because he had a Mac, he could sense the profound disappointment the scammer had. The scammer hung up on him. My friend was initially surprised that PayPal would hang up on a customer. But then, he realised that it was a scam. He knew that closing a PayPal account does not require downloading and running a program on your computer.
He forwarded that email to me to take a look. I saw that “Cancel Now” was linked to a legitimate Remote Desktop application called AnyDesk. Had my friend downloaded and run that program and followed the scammer’s instructions, he would have given the scammer remote access to his computer. Since AnyDesk is legitimate software, antivirus applications will not raise any alarm. It is the misuse of legitimate software that results in harm.
Aftermath
It was very fortunate that my friend did not lose anything. His PayPal account was not hacked in the first place. But that was a close call.