Lakewood Residents Report Getting Fake PayPal Invoices; Did You Get One Too? | Ron Benvenisti

Scammers are using invoices and actually sending them through!!!

Basically, the idea is to trick the recipients into calling the number shown to dispute a pending charge. (See pic below). These emails actually do come from and include a link at that displays the actual invoice for the supposed transaction.

Typically, the invoice will say that the user’s account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.

A copy of the phishing e-mail message notifying the user of the invoice.

Note the red outlined user name – if this was real it would have your actual PayPal username. The phone number outlined is from a known scammer call center whose caller ID is “National Grid”. When you see this name on your caller ID, don’t answer the call and block it.

Also, the email headers in the phishing message (See bottom of article) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal, indicating it was sent from a hijacked PayPal user account. Both the email and the invoice state that “there is evidence that your PayPal account has been accessed unlawfully.” This is meant to get your attention. Likely it is someone else’s account that was hacked. (That is not to say yours wasn’t.) To prevent this turn on Multi Factor Authentication in your account (more on that in my next article). The message continues:

“$600.00 has been debited to your account for the Walmart Gift Card purchase. This transaction will appear in the automatically deducted amount on PayPal activity after 24 hours. If you suspect you did not make this transaction, immediately contact us at the toll-free number….”

Here’s the invoice that popped up when the “View and Pay Invoice” button was clicked: (Don’t try this at home if you don’t have the protections I have – which most likely you do not – and don’t call the number) This is what you will see when you click on the “View and Pay” button. in your account.

The phishing message in the invoice is a bit grammatically incorrect (though better than most), the obvious misspelling of “dprt” is a tip-off, although barely noticeable. Having said that, there are many convincing aspects of this hybrid scam. For starters, all of the links in the email lead to Hovering over the “View and Pay Invoice” button shows the button indeed wants to load an actual link at, and clicking that link indeed brings up an active invoice at

The phony PayPal invoice, which was sent and hosted by Note the red box shows “PayPal User” and misspelled fake email – “[email protected]”. This should show your PayPal user ID and email address.

Aside from the many readers who have sent me copies. This is just one that was forwarded to me by a TLS reader. I don’t recommend logging into your PayPal account, but if you do, you will find no signs of the invoice in question.

There is no invoice in your account! They want you to call the bogus “customer service” number and follow the instructions. 

The email itself is not going to cause any harm but following the instructions given over the phone by going to that link will brick your computer with ransomware.

If you call the toll-free number listed in the invoice someone will answer the phone saying “customer service.” They don’t even try to spoof PayPal or Walmart. Just “customer service.” Almost immediately the person tells you to go globalquicksupport[.]com to download a remote administration tool which will take over your computer. Need I say more?

From the feedback I’m getting, this scam is fooling a tremendous amount of people, since both the email and invoice are sent through PayPal’s systems which guarantees that the message will be successfully delivered. The invoices also appear to have been sent from a compromised or fraudulent PayPal Business account, which allows users to send invoices like the one shown above that looks completely legit.

Once the reader notified me of the scam, I forwarded it to PayPal at ([email protected]). I suggest you do the same.

PayPal said in a written statement that phishing attempts are common and can take many forms.

“We have a zero-tolerance policy on our platform for attempted fraudulent activity, and our teams work tirelessly to protect our customers,” PayPal said. “We are aware of this well-known phishing scam and have put additional controls in place to mitigate this specific incident. Nonetheless, we encourage customers to always be vigilant online and to contact Customer Service directly if they suspect they are a target of a scam.”

In my next article I will show you how to prevent your login and password from getting hijacked so you’re not the one sending out fake invoices or anything else, without your knowledge.

For any coders reading this, here is some of the email header which is totally legit: (scroll down to see the highlighted text)

Delivered-To: redacted

Received: by 2002:a05:6512:200a:0:0:0:0 with SMTP id a10csp1224595lfb;

Fri, 19 Aug 2022 10:36:41 -0500 (EDT)

X-Google-Smtp-Source: AA6agR6sKdnBgXCTyPRdhqx+


X-Received: by 2002:a17:90b:1241:b0:1f3:1d9f:a933 with SMTP id


Fri, 19 Aug 2022 10:36:41 -0500 (EDT)

ARC-Seal: i=1; a=rsa-sha256; t=1660746296; cv=none;; s=arc-20160816;










ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arc-20160816;













ARC-Authentication-Results: i=1;;

dkim=pass [email protected] header.s=pp-dkim1


spf=pass ( domain of [email protected] designates as permitted sender) [email protected];

dmarc=pass (p=REJECT sp=REJECT dis=NONE)

Return-Path: [email protected]

Received: from ( [])

by with ESMTPS id



for <redacted>

(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256


Fri, 19 Aug, 2022 10:36:41 -0500 (EDT)

Received-SPF: pass ( domain of [email protected]

designates as permitted sender) client-ip=;


dkim=pass [email protected] header.s=pp-dkim1


spf=pass ( domain of [email protected] designates as permitted sender) [email protected];

dmarc=pass (p=REJECT sp=REJECT dis=NONE)

DKIM-Signature: v=1; a=rsa-sha256;; s=pp-dkim1;

(Etc., ………………………….)

This content, and any other content on TLS, may not be republished or reproduced without prior permission from TLS. Copying or reproducing our content is both against the law and against Halacha. To inquire about using our content, including videos or photos, email us at [email protected].

Stay up to date with our news alerts by following us on Twitter, Instagram and Facebook.

**Click here to join over 20,000 receiving our Whatsapp Status updates!**

**Click here to join the official TLS WhatsApp Community!**

Got a news tip? Email us at [email protected], Text 415-857-2667, or WhatsApp 609-661-8668.


  1. yes. I recently got such a phony email and immediately reported it back to PayPal. One red flag was that the email itself wrote that’s Paypal will always use the account holders name in any address and the email was to addressed to PayPal User . So it seems as if the scammer was either careless or did not read English.

  2. Thank you for this! I saw them. Got worried. Glad my hunch that it was a scam is correct! They are definitely getting more advanced as time goes on!

Comments are closed.