I was surprised yesterday when I received an email from PayPal: “You’ve got a money request”. Wut?
First thought: duh, it’s a scam. But then I checked the email address it came from: firstname.lastname@example.org. Also all of the images in the email came from paypal.com. The links in the email went to paypal.com, together with a randomized-looking, presumably unique, long string to identify yours truly. I even checked the message header: yep, it came from paypal.com.
At the bottom of the email was the usual PayPal text, including “Emails from PayPal will always contain your full name.” I looked up to the start of the email text. Ping! Nope, this one had my email address instead of my name, and furthermore, it was an email address that wasn’t linked to my PayPal account.
In other words, the scam was generated by someone with an actual PayPal account hoping that I’d be flummoxed enough to call that number to get the request cancelled, and in doing so reveal my login info to my personal PayPal account.