Accidental Email from Paypal is Not a Paypal Phishing Email


That unexpected, unrequested email from Paypal that you may have received this week is not a Paypal phishing email. As best as anyone can tell it was an accidental email triggered by Paypal, but not a Paypal phishing email. The email starts out by thanking you for contacting Paypal customer service, and if you know that you did not contact Paypal customer service, then you are right to suspect that it is a Paypal phishing email. In fact you may be looking to report it as phishing.

However, as we explain below, in this case it’s legitimately from Paypal, which means that it was just a bonehead accident. (Of course, sometimes email that you receive that is legitimately ‘from’ Paypal is still a scam, such as the Paypal invoice scam.) Now, whether an institution that is responsible for billions of its users’ dollars should be making bonehead moves is an entirely different matter.

And the fact that there has been no “Oops, please disregard that previous email, it’s really from us so don’t worry about it being a phishing email” follow-up also seems very poor form to us. But at least you can put to rest concerns that you are being phished. This time.

So is This a Paypal Phishing Email?

Below is the accidental email that Paypal sent out. Now, the first thing to notice is that John did not contact Paypal customer service, which is generally a pretty good indicator that an out-of-the-blue email like this from Paypal is a phishing effort. (Below the text of the email, we explain how we know that this email is actually from Paypal, and not a Paypal phishing email.)

Dear John,

Thank you for contacting PayPal Customer Service.

In an effort to assist you as quickly and efficiently as possible, please direct all customer service inquires through our website.

1. Log in to your PayPal account.
2. Click on Help & Contact at the bottom of any PayPal web page.

This will give you further information on how to “Call us” or send an email via “Message Center”.

Alternatively, you can log in to your PayPal account and choose “Resolve a problem in our Resolution Center”, which will take you to PayPal’s central hub for buyer and seller resolution and limitation information. You will find information about the limitation and steps to remove it below:

Log in to your account.
Click Resolution Center. If you have a Business account, click More and then Resolution Center.
Click Go to Account Limitations.
Next to each step required to remove the limitation, click Resolve and follow the steps to provide information.

If you prefer to contact us, please log into your account and click Contact or Help at the bottom of the page.

Thanks,
PayPal

Copyright © 1999-2022 PayPal. All rights reserved.

How We Know It’s Not a Paypal Phishing Email

First, here is a screenshot of the email. There is only one link in the email, and it actually does go to the Paypal resolution center.

[Screenshot: Accidental Email from Paypal is Not a Paypal Phishing Email]

Of course, that alone is not proof, as there are lots of phishing emails that include legitimate links to the entity that they are spoofing, because they try to get you another way, such as by having you call them or reply to the email.

And that’s where the email headers and some sleuthing come in. We are not going to include the full set of email headers from the email here, as a lot of it is irrelevant to our discussion, but here are the relevant headers:

ppkanana-us-kana Automatic reply to PayPal email SAXK (KMM479701764V24830L0KM)
To: "John Doe" [jdoe@example.com]
Return-Path:
Return-Path:
Authentication-Results: dkim=pass header.d=paypal.com header.s=pp-dkim1 header.b=esHKWae7; spf=pass (example.com: domain of ppkanana-us-kana@paypal.com designates 173.224.165.18 as permitted sender) smtp.mailfrom=ppkanana-us-kana@paypal.com; dmarc=pass (policy=reject) header.from=paypal.com
Dkim-Signature: v=1; a=rsa-sha256; c=simple/simple; d=paypal.com; i=@paypal.com; q=dns/txt; s=pp-dkim1; t=1668024870; x=1699560870; h=date:from:to:message-id:subject:mime-version; bh=jCwkQMYCG71335Pw4XdyCvI3x6viu/8koBVTGbeN428=; b=esHKWae7Q3G41Q448CTtPME1Rz0mo8xKtMvQADqcX8ed4nWwl+mfWm98 A+Jdj6lR/mosQOaXrqjxIlHeaGh9mZvgGL4vEl8knV+swmh/9RtJkVEcE Ex9o9AGX9MRv7BbXVmsvf1JqPHL0X8yiqBd3wuQzJwKE8MWHgCau3fieg LSuaMghStzKafkcz8KRj4R0JXZCqr2G7amza0Piz3txBXZ6mZVFZnTwUm O1Obc+AwyQS+Prq6gZVqPDet44/j6eI5W1TzwYf/S5lGD0lf0jJk2poFS bfjVeMrbgw2EAxN2COIJ9hdR6o/82tQ7XqUdFyoGwnJc9L7HLFLPjYBm0 A==;
[173.224.165.18:from]; R_SPF_ALLOW(-0.20)[+ip4:173.224.165.17/26:c]; R_DKIM_ALLOW(-0.20); MIME_GOOD(-0.10)[multipart/alternative,text/plain]; MX_GOOD(-0.01)[]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:1449, ipnet:173.224.165.0/24, country:US]; MIME_TRACE(0.00)[0:+,1:+,2:~]; FROM_EQ_ENVFROM(0.00)[]; NEURAL_HAM(-0.00)[-1.000]; TO_DN_ALL(0.00)[]; RCVD_COUNT_THREE(0.00)[4]; FROM_HAS_DN(0.00)[]; DKIM_TRACE(0.00); TO_MATCH_ENVRCPT_ALL(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; ARC_NA(0.00)[]
Content-Type: multipart/alternative; boundary="----=_Part_75892_1074546404.1668024862824"
Delivered-To: jdoe
(envelope-from ) for [jdoe]; Wed, 09 Nov 2022 20:14:33 +0000
Received: from phx11-ipout-01-data1.paypalcorp.com (phx11-ipout-01-data1.paypalcorp.com [173.224.165.18]) by example.com (8.15.2/8.15.2/Debian-22) with ESMTPS id 2A9KEOaB3582360 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for [jdoe@example.com]; Wed, 9 Nov 2022 20:14:30 GMT
Received: from phx-mcamp-s11.paypalcorp.com ([10.222.247.11]) by phx11-ipout-01-data1.paypalcorp.com with ESMTP/TLS/ECDHE-RSA-AES128-GCM-SHA256; 09 Nov 2022 20:14:23 +0000
Received: from phx-cesat-s02.paypalcorp.com (unknown [10.222.247.142]) by phx-mcamp-s11.paypalcorp.com with smtp (TLS: TLSv1/SSLv3,128bits,ECDHE-RSA-AES128-GCM-SHA256) id 1b28_0cf8_58df61bf_8e2c_4837_9ba1_f5c5cfc2b9a7; Wed, 09 Nov 2022 20:14:22 +0000
Received: from lvs1-kanas-007.paypalcorp.com ([10.185.255.12]) by phx-cesat-s02.paypalcorp.com with ESMTP/TLS/ECDHE-RSA-AES128-SHA; 09 Nov 2022 20:14:22 +0000

Here’s what’s important to note from these headers:

The headers tell us that the email actually did originate from Paypal, and passed all authentication checks (DKIM, SPF and DMARC all show “pass” for paypal.com). What’s more, a lookup of the IP address that passed the email from Paypal to example.com (173.224.165.18) shows that it belongs to Paypal:

NetRange: 173.224.160.0 - 173.224.167.255
CIDR: 173.224.160.0/21
NetName: PAYPAL-CORP
OrgName: PayPal, Inc.
OrgId: PAYPAL
Address: 2211 N. First St.
City: San Jose
StateProv: CA
PostalCode: 95131
Country: US
RegDate: 2001-08-17
Updated: 2019-04-10
Ref: https://rdap.arin.net/registry/entity/PAYPAL
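
The checks described above can be scripted. The following is an added example, not part of the original article or any Paypal tooling: it parses the Authentication-Results value and the topmost Received header quoted above, requires DKIM, SPF and DMARC to pass for paypal.com, and confirms that the relaying IP falls inside the 173.224.160.0/21 block from the lookup. The function names are hypothetical, and it assumes the Authentication-Results header was added by your own receiving mail server, since a sender can insert a forged one.

```python
import ipaddress
import re

# Values copied from the headers and the ARIN lookup quoted in this article.
AUTH_RESULTS = (
    "dkim=pass header.d=paypal.com header.s=pp-dkim1 header.b=esHKWae7; "
    "spf=pass (example.com: domain of ppkanana-us-kana@paypal.com designates "
    "173.224.165.18 as permitted sender) "
    "smtp.mailfrom=ppkanana-us-kana@paypal.com; "
    "dmarc=pass (policy=reject) header.from=paypal.com"
)
TOP_RECEIVED = (
    "from phx11-ipout-01-data1.paypalcorp.com "
    "(phx11-ipout-01-data1.paypalcorp.com [173.224.165.18]) by example.com"
)
PAYPAL_NET = ipaddress.ip_network("173.224.160.0/21")


def parse_auth_results(value):
    """Return {method: (result, {property: value})} for each method clause."""
    value = re.sub(r"\([^)]*\)", " ", value)  # drop parenthesised comments
    parsed = {}
    for clause in value.split(";"):
        m = re.match(r"\s*(\w+)=(\w+)(.*)", clause, re.S)
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
            parsed[m.group(1)] = (m.group(2), props)
    return parsed


def aligned(domain, org):
    """Relaxed alignment: domain equals org or is a subdomain of it."""
    domain = domain.lower().rstrip(".")
    return domain == org or domain.endswith("." + org)


def looks_legitimate(auth_results, top_received, org="paypal.com", net=PAYPAL_NET):
    """Hypothetical helper: DKIM, SPF, DMARC pass for org and relay IP is in net."""
    res = parse_auth_results(auth_results)
    dkim, spf, dmarc = (res.get(k, ("none", {})) for k in ("dkim", "spf", "dmarc"))
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top_received)
    return {
        "dkim": dkim[0] == "pass" and aligned(dkim[1].get("header.d", ""), org),
        "spf": spf[0] == "pass"
        and aligned(spf[1].get("smtp.mailfrom", "").rpartition("@")[2], org),
        "dmarc": dmarc[0] == "pass" and aligned(dmarc[1].get("header.from", ""), org),
        "relay_ip": bool(ip) and ipaddress.ip_address(ip.group(1)) in net,
    }
```

A "pass" on its own is not enough: each check also requires the authenticated domain to be paypal.com or a subdomain, because a message can pass DKIM and SPF for an unrelated sending domain while showing paypal.com in the From line.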

Of course, and as always, if you suspect that a Paypal email is phishing or a scam, or even if you’re just not sure, you should report it. Paypal explains how to do that for various suspect things here.


The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
