Need to know
- PayPal users are receiving suspicious text messages appearing to come from an official PayPal number
- The messages try to cause panic and urge users to contact a fake call centre – a tactic commonly used by scammers
- Never call numbers or click on links included in a suspicious text message
When CHOICE member Mark McMahon received a text message from PayPal early one morning in July, it took him by surprise.
The SMS claimed he'd purchased almost $300 worth of Bitcoin. The only problem was he'd never made the transaction in the first place.
PayPal users have received suspicious texts from an official company number.
"It's a very concerning message to receive," he explained. "When I read it, I did get a bit of a sense of panic."
McMahon regularly uses PayPal to cover insurance premiums and other costs and says he's used to receiving verification codes and other legitimate texts from the company.
The Bitcoin text appeared to come from 0485 872 975 – the same number as these previous official PayPal messages.
McMahon logged onto his PayPal account to find the same message attached to a request for payment. The invoice had already been cancelled and Mark hadn't lost any money, but the intrusion had him concerned.
"It's very confronting to get a text saying the money's been issued and it's Bitcoin," he says. "It's not as if I could turn off the computer and hope that it doesn't go through."
Have you been affected by a scam or seen one you think people should know about? Contact the author.
New scam targets other PayPal users
McMahon is far from alone. Other PayPal users have reported receiving suspicious text messages asking for sensitive details appearing to come from the official PayPal number.
Adding to the confusion, they've shown CHOICE examples of these messages turning up in the same thread as legitimate messages from the company.
PayPal says it's aware of the scam, but hasn't explained why the text messages are appearing to come from a number it uses to communicate with customers.
In the examples seen by CHOICE, recipients are told they've authorised a transaction for hundreds of dollars worth of Bitcoin and are directed to contact a "support department" by calling a number included in the message.
PayPal says it's aware of the scam, but hasn't explained why the text messages are appearing to come from a number it uses to communicate with customers
The examples of the scam we've seen urge users to call numbers that aren't PayPal's official customer support line.
Directing victims to fake customer service numbers is a tactic we've previously seen criminals use to try to steal money or sensitive information.
A PayPal user who alerted CHOICE to this latest con says they called the number included in the message they received, and the person who answered told them to share their credit card and other information to cancel the Bitcoin transaction.
One person who called the number in the scam says they were asked to hand over financial information.
CHOICE attempted to call the numbers in the examples of the scam we've seen, but they were disconnected by the time we tried to make contact.
This latest scam comes after the ACCC last year raised concerns over the ability of criminals to sneak fake messages into legitimate SMS threads, warning it's making it harder for consumers to spot scams.
The federal government is promising to establish an SMS sender ID registry to make it harder for scammers to impersonate the names and numbers of trusted brands via SMS.
PayPal provides little information
PayPal says it's aware of the scam, but didn't explain how the messages are appearing to come from its number.
PayPal didn't explain to CHOICE how these messages are appearing to come from its official number and turning up in the same threads as legitimate messages it sends users.
The company also didn't outline what specific action it's taking to combat this scam, but says it's working to make sure scammers don't use its platform for fraudulent activity.
PayPal users who alerted us to the scam say the company should be doing more to prevent suspicious messages turning up in legitimate threads.
Mark says he's had mostly positive experiences using and interacting with PayPal, but would expect to hear more from the company if he kept receiving scam messages from its official number.
"I've found PayPal quite good to deal with… [but] I'd want to hear from them what was going on," he says.
CHOICE also believes PayPal could do more to safeguard its users.
"The ability of scammers to spoof texts from financial institutions like PayPal means these businesses need to do much more to protect consumers," says senior campaigns and policy advisor Alex Söderlund.
Söderlund says the sophistication of scams is outpacing consumer protections.
"That's why it's so important that businesses are subject to mandatory and enforceable obligations that provide consumers with a minimum standard of protection and support," she says.
How to avoid and report scams on PayPal
Be aware that if someone requests payment from you via PayPal, it can result in you receiving an SMS alerting you to the invoice.
If you receive an unexpected or suspicious money request, don't click on any links contained within the message. In a point especially relevant to this latest scam, it's also important you don't call any numbers that are included in suspicious messages.
On its website, PayPal lists the number of its customer service team as 02 8223 9500.
If you receive an unexpected or suspicious money request, don't click on any links contained within the message ... it's also important you don't call any numbers that are included in suspicious messages
The company will never ask you to provide personal information, such as passwords, verification codes or financial details by text or over the phone, so anyone claiming to represent PayPal who does this is a scammer.
If you believe you've given money or sensitive personal information to a criminal, follow the steps in our guide: What to do if you've been scammed.
You can report scams to Scamwatch and PayPal recommends forwarding suspicious messages to them at [email protected].
Stock images: Getty, unless otherwise stated.