Exploring phishing emails from PayPal: Avanan Report


PayPal is known to be one of the world’s most foremost global digital payment platforms. It was a clear disappointment to many when PayPal announced that they would suspend all domestic and incoming international transaction operations for individual accounts in India on 1st April 2021. This means users are not able to top up their PayPal balance, rendering PayPal wallets defunct in India, except for online shopping. However, according to Statistica portal, PayPal usage during online shopping in India reached almost 50% as of March 2022, ensuring that they still have a role to play.

Check Point company, Avanan recently found that hackers are continuing to use phishing emails to get into customers’ inbox: through creating fake invoices in PayPal and using the legitimacy of the site to get into the inbox.

Starting in June 2022, Avanan researchers have seen hackers use PayPal to send malicious invoices and request payments. The hackers send the email from PayPal’s domain, using a free PayPal account that they have signed up for, with the email body spoofing brands like Norton. In this attack brief, Avanan will analyze how hackers are leveraging legitimate and popular websites to get into inboxes and steal credentials and money.


In this attack, hackers are creating accounts in PayPal, and then sending malicious invoices and requests for payments directly from the service.

  • Vector: Email
  • Type: Credential Harvesting
  • Techniques: Double Spear, Brand Impersonation
  • Target: Any end-user


In this attack, threat actors are using the legitimacy of PayPal to get into the inbox.

Email Example #1


In this attack, hackers are creating accounts in PayPal. Then they are using PayPal’s features to create an invoice. In this video, you can see how the hackers are editing the business name, placing fake telephone numbers, and showing the fake Norton invoice. From there, hackers can send the invoice to multiple users at once.


Hackers are using a combination of social engineering and legitimate domains to extract money and credentials from end-users. We’ve seen this with QuickBooks most recently, and now with PayPal. This can be done on any site that’s trusted and used regularly by end-users. PayPal and QuickBooks are particularly clever since they are often used for business invoices. The scam works since static Allow Lists “allow” content from these sites directly from the inbox. It’s a way of condensing the Internet for security scanners. You can’t block the whole Internet; so you try to figure out what you know is good. Trusted websites like PayPal often make the cut, even if it is an oft impersonated brand. What makes this attack scary is that the phishing invoices are created and sent through PayPal. That makes it more legitimate to the security service and to the end-user.

For hackers, this process couldn’t be easier. They use PayPal’s domain to get into the inbox. They use classic social engineering tactics to send an invoice notice and get the user to take action. This attack works because of what hackers on the dark web call a double spear:

  • Make the user call the listed telephone number
  • Make the user pay the invoice

Not only do they have your email, but they also have your phone number, which can be used for future attacks. And, of course, they have your money.

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Before calling an unfamiliar service, Google the number and check your accounts to see if there were, in fact, any charges
  • Implement advanced security that looks at more than one indicator to determine in an email is clean or not
  • Encourage users to ask IT if they are unsure about the legitimacy of an email



Please enter your comment!
Please enter your name here