Scammers are setting up real accounts with payments platform PayPal to send out phishing emails that bypass security software and appear more realistic to their victims, researchers have discovered. It reflects the increasingly sophisticated tactics criminals are using to impersonate businesses and steal credentials and credit card details.

Fake invoices are being sent within PayPal with a request for payment which adapts the email body to spoof brands like Norton and then sends it from the PayPal domain so it bypasses server security checks, according to analysts from enterprise email security firm Avanan.

Invoices are sent from the PayPal domain by-passing spam filters and containing fake company phone numbers to query payment (Photo: Phawat Topaisan/iStock)
Invoices are sent from the PayPal domain bypassing spam filters and containing fake company phone numbers to query payment. (Photo: Phawat Topaisan/iStock)

Known as Static Expressway, the technique allows the hackers to leverage legitimate websites to get into the inbox, steal credentials and trick people out of money, and mirrors a similar type of phishing attack discovered last month involving accountancy software provider QuickBooks.

Avanan said in a blog post at the time of the QuickBooks discovery: “Hackers continually impersonate trusted brands to get into the inbox. By leveraging the legitimacy of a trusted domain, security solutions are more likely to view the email itself as legitimate.”

How PayPal and QuickBooks email scams operate

The goal for cybercriminals using the Static Expressway technique is to get through the email security and place the message in a user’s inbox – then have them make a phone call to the hacker’s number. It is popular with hackers because it utilises websites already on the ‘Allow Lists’ of most email services, Avanan’s researchers say.

It is known as a “double spear” attack, as criminals can steal credentials and demand payments from victims. In this campaign, the user is encouraged to call a phone number attached to the invoice, and the hackers will then try to convince them to pay the balance using social engineering techniques and manipulation, enabling credit card details to be stolen.

“This can be done on any site that’s trusted and used regularly by end-users,” said Avanan’s Jeremy Fuchs, noting that using PayPal and QuickBooks is “particularly clever since they are often used for business invoices”.

Fuchs continued: “The scam works since static Allow Lists ‘allow’ content from these sites directly from the inbox. It’s a way of condensing the internet for security scanners. You can’t block the whole internet; so you try to figure out what you know is good.”

Widely trusted websites like PayPal often go directly onto allow lists, even though less sophisticated scams using the platform are relatively common, Fuchs said. “What makes this attack scary is that the phishing invoices are created and sent through PayPal,” he added. “That makes it more legitimate to the security service and to the end-user.“

How staff can spot scam emails from PayPal and QuickBooks

The solution to this problem lies with PayPal and QuickBooks, argues Jake Moore, global cybersecurity advisor at security company ESET. Until they act, users need to verify the original addresses and phone numbers against the updated ones within the edited invoice.

Upon receiving an invoice, users should speak to the IT department about the legitimacy, Moore advises, especially if it is an invoice they weren’t expecting or one for a product they haven’t used before.

“These types of attacks are very quick and easy to carry out and even mass produce,” Moore says. “Emails generated by genuine sites immediately add a level of authenticity and this can often be all that is needed for an unbeknown victim to verify the claim.

“Due diligence is clearly the advice here but when people are understaffed or overworked, they can be forgiven for overlooking these attempts.”

Companies such as Quickbooks and PayPal must “review their processes and iron out any misleading type of invoices which could cost organisations millions,” Moore adds.

Avanan says it has informed PayPal and QuickBooks of the attack. Tech Monitor has contacted both companies for comment.

Fuchs said if you come across an unexpected invoice you should Google the number to check if it is real and check your accounts to see if there were any charges made by that company.

He added that security teams should also “implement advanced security that looks at more than one indicator to determine if an email is clean or not” and “encourage users to ask IT if they are unsure about the legitimacy of an email”.

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.

Read more: How AI will extend the scale and sophistication of cybercrime