The PayPal logo is seen at its headquarters on Feb. 2, 2022, in San Jose, Calif. (Photo by Justin Sullivan/Getty Images)

Researchers on Thursday found another way hackers are getting into user inboxes: creating fake invoices in PayPal, and using the legitimacy of the site to get into the inbox.  

In a blog post, Avanan researchers said starting in June of this year they have seen hackers use PayPal to send malicious invoices and request payments.

Here’s what they do: The hackers send the email from PayPal’s domain, using a free PayPal account that they have signed up for, with the email body spoofing brands like Norton. The hackers then leverage legitimate and popular websites to get into inboxes and steal credentials and money.    

Obviously, Avanan has reported on a very difficult class of phishing attack to counter with the usual technology-based tools, said Patrick Tiquet, vice president, security and architecture at Keeper Security. Tiquet said prevention of this kind of attack really comes down to training and awareness.

“Users must be made aware that this kind of attack exists and how to recognize it,” Tiquet said. “This is the only way of preventing this, short of filtering and analyzing all emails that appear to be an invoice. Security awareness training, to be truly effective, must be continuously updated to ensure that users are aware of the latest threats.”

Patrick Harr, chief executive officer at SlashNext, said companies need to include social engineering scams like these in phishing training programs. Harr said the modern hybrid workforce uses personal technology (bring your own device, or BYOD) and mobile, particularly, as most companies do not have all employees on managed devices.

“Companies need a BYOD strategy that includes multi-channel phishing and malware protection to protect social, gaming, and all messaging apps,” Harr said. “Training should include social engineering scams to demonstrate how personal interactions, such as social media interactions, can impact their work-life.”