We've written extensively about the tremendous wave of attacks originating from PayPal.

This doesn’t mean that PayPal is being hacked. Rather, hackers are using the ability to send emails from PayPal to deliver phishing messages. 

PayPal makes it easy to send legitimate messages via their platform, such as invoices, billing reminders and more. It’s easy and anyone can do it.

Hackers are now doing the same thing and it is increasing in volume. In fact, over the last few weeks, we’ve seen nearly 25,000 of these PayPal attacks. This variation is particularly focused on taking advantage of people’s goodwill.

In this attack brief, researchers at Avanan, a Check Point Software company, will discuss how threat actors are hoping to steal money that end-users think is headed to a fundraiser for firefighters.


In this attack, hackers are creating legitimate PayPal invoices to solicit fake donations. 

  • Vector: Email
  • Type: Fake Donation
  • Techniques: BEC 3.0, Social Engineering, Brand Impersonation
  • Target: Any end-user

Email Example #1


In this email, hackers are sending a message directly from PayPal. The email is reminding the user of a donation to the Louisville Professional Firefighters Association.

A few things to note up front: like many of these attacks that we’ve discussed, the email legitimately comes from PayPal. That means it will pass all sender checks. The links are legitimate, since they lead directly to PayPal.

Here’s where you can identify, however, that something is amiss.

The Louisville Professional Firefighters Association? Not what you think it is. There is a Louisville Professional Firefighters Union, but that’s a separate thing. In fact, there are Reddit threads dedicated to the issue of the Louisville Professional Firefighters Association.

The second clue is the phone number. Google the phone number–it doesn't go anywhere. 502 is the Louisville area code, but the number is not associated with a legitimate business and not associated with the Louisville Professional Firefighters Union. 

With these attacks, the phone number can be a real tip-off. Doing a quick Google search of it will tell you it’s not legitimate. 


Hackers are exploiting the ability to send malicious messages directly from PayPal.

Again, the messages themselves are not malicious. But the invoice is either fake or, in this case, there’s a phone number associated with a scam.

These attacks are incredibly challenging for security services and users to stop. For one, the sender is legitimate. The links are legitimate. Natural language processing won’t be much help. 

One way to catch these attacks is to take a look at the phone number. The phone number is used by hackers to actually take the money. Plus, if you call it, they now have your phone number and can use it for future attacks via text or WhatsApp. By doing what we call phone number baselining, we can understand whether the number is legitimate or not.

In this case, the number is not legitimate and this is an unfortunate scam that hopes to take advantage of people’s goodwill to help local firefighters. 
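One way to approximate the phone number check described above, as an added example rather than Avanan's own implementation: numbers in an incoming message are normalized and compared against numbers seen repeatedly in mail from the same sender that was already judged legitimate. The function names, the `min_seen` threshold and all sample messages and numbers are constructed for illustration.

```python
import re
from collections import Counter

# North American formats: (502) 555-0142, 502.555.0142, +1 502-555-0142.
# The look-arounds keep long digit runs (invoice IDs) from matching.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)

def extract_numbers(text):
    """Return the set of numbers in text, normalized to +1XXXXXXXXXX."""
    return {"+1" + "".join(m.groups()) for m in PHONE_RE.finditer(text)}

def build_baseline(history, min_seen=2):
    """history: (sender_domain, body) pairs from mail already judged legitimate.
    A number enters the baseline once it has appeared min_seen times (assumed threshold)."""
    counts = Counter()
    for sender, body in history:
        for number in extract_numbers(body):
            counts[(sender, number)] += 1
    return {key for key, seen in counts.items() if seen >= min_seen}

def unbaselined_numbers(sender, body, baseline):
    """Numbers in body never established for this sender: a signal for review."""
    return sorted(n for n in extract_numbers(body) if (sender, n) not in baseline)

# Constructed history; 555-01xx numbers are reserved for fictional use.
HISTORY = [
    ("paypal.com", "Questions? Call PayPal at 1-402-555-0110."),
    ("paypal.com", "Contact us: (402) 555-0110"),
    ("paypal.com", "Seller note: call 312.555.0177"),  # seen once, stays out
]
BASELINE = build_baseline(HISTORY)

# Constructed invoice reminder modelled on the email described in this brief.
SUSPECT = (
    "Reminder: your donation to the firefighters association is due. "
    "Call +1 (502) 555-0142 to cancel. Help: 402-555-0110. "
    "Invoice 1234567890123"
)

if __name__ == "__main__":
    for number in unbaselined_numbers("paypal.com", SUSPECT, BASELINE):
        print("review: number not in baseline for paypal.com:", number)
```

Because sender checks pass for every message in this campaign, the unknown number is the only field here that separates the scam invoice from routine PayPal mail.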

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Google any phone number before engaging to make sure it’s legitimate
  • Google the name of any organization asking for donations