
Cybersecurity Scam of the Week – PayPal Phishing Scam Sent Via PayPal


One of the red flags to look for when examining emails to see if they are scams is if the email address is NOT from the organization you are expecting it to come from. Unfortunately, organizational emails get hacked and start sending out phishing emails to coworkers or customers.

Last week PayPal reported a phishing attack that used an invoice scam sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. We’ve seen similar phishing attempts for Norton antivirus and Best Buy’s Geek Squad. While other red flags were present, such as poor grammar, the email came from PayPal, or at least from a compromised PayPal Business Account, which gave recipients a false sense of legitimacy.

Be suspicious of every email, especially those that want you to act urgently to do something, such as giving away your money or your information. In this case, if you get a similar email, instead of clicking on the invoice or any link, log into your PayPal account and search for outstanding invoices there. KrebsOnSecurity has the full article.

Since the start of the fall semester on all UT campuses, we have seen an increase in compromised accounts throughout the system, usually using the scam of part-time employment to entice students to apply for jobs that are too good to be true. Since these are UT accounts, you don’t see the [Ext] in the Subject line, but you still have to be suspicious of every email. 

What has been reported to abuse@uthsc.edu this past week?

  • [Ext] New Text Message from (phone number) – this is a prime example that bad actors are using more attack vectors than just email. A text message recorded by Ring Central wanted the recipient to click a link to either “approve or deny” a charge. 
  • [Ext] Payment Notification – the first red flag is that the From field and the To field have the same name and email address, and it isn’t the recipient’s email. 
  • [Ext] Order Confirmation of your recent Purchase(Norton-7764504610) – we can’t go a week without a Norton autorenewal scam
  • [Ext]  — nothing in the Subject line — a spoofing email, pretending to be someone on campus using a Gmail account asking for a cell number
  • [Ext] Renewal Membership Service Activated Norton – another Norton scam
  • [Ext] Re: Did You Receive My last Email? – the email states it is from United Arab Emirates, but the original email address is from Japan. The email states a “great business proposal” sent not to an individual’s email address, but to a group one. I guess they didn’t know who they needed to talk to about their great proposal. 
  • [Ext] Task – someone else’s name was spoofed from a Gmail account, but this one wasn’t asking for gift cards. This one wanted the recipient to send $1,200 to a “beneficiary”. The grammar on this was very poor. 
  • [Ext] UNDERGRADUATE RESEARCH ASSISTANT – a too good to be true scam. Stating it was from “The University of Tennessee”, it used a @hotmail.com email address. 
  • [Ext] undergraduate student research – another too good to be true scam, this one using an email address originating in Hungary
  • [Ext] [!Your payment is due] – 26-08-2022 – this was an autorenewal scam pretending to be from the Geek Squad.
  • [Ext] Receipt 1304022 – unlike what was described above, this one pretended to be from PayPal but used a Gmail account
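
The red flags in the reports above can be checked mechanically when triaging a reported message. The sketch below is an added example, not a UTHSC tool; the free-mail and brand lists, the flag names, the addresses and both sample messages are constructed for illustration. It shows why the PayPal-sent invoice is harder to catch: the sender check passes, and only the callback number in the body stands out.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed lists for illustration; tune them for your own mail flow.
FREEMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
BRANDS = ("paypal", "norton", "geek squad", "university of tennessee")
PHONE = re.compile(r"\b\d{3}[\s.-]\d{3}[\s.-]\d{4}\b")
CALLBACK = re.compile(r"\b(call|dial|contact)\b", re.I)

def red_flags(raw, recipient):
    """Return the bulletin's red flags that apply to one raw message."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    to_addrs = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    # Drop the gateway's [Ext] tag before judging the subject itself.
    subject = re.sub(r"^\s*\[Ext\]\s*", "", msg.get("Subject", "")).strip()
    body = msg.get_payload() if not msg.is_multipart() else ""
    flags = []
    # From and To are the same mailbox, and it is not the person who got it.
    if sender and to_addrs == {sender} and sender != recipient.lower():
        flags.append("from-equals-to")
    # Display name or subject claims a brand, but the address is free mail.
    claimed = (name + " " + subject).lower()
    if domain in FREEMAIL and any(b in claimed for b in BRANDS):
        flags.append("brand-from-freemail")
    if not subject:
        flags.append("empty-subject")
    # Invoice-style lure: the body pushes the reader to phone a number.
    if PHONE.search(body) and CALLBACK.search(body):
        flags.append("callback-number")
    return flags

# Constructed samples: one sent through the real domain, one from free mail.
PAYPAL_SENT = (
    "From: PayPal <invoice@paypal.com>\n"
    "To: user@example.edu\n"
    "Subject: [Ext] Invoice from Billing\n\n"
    "A charge of $600 is pending. Call 800-555-0100 to dispute it.\n"
)
GMAIL_SENT = (
    "From: PayPal Service <billing.example@gmail.com>\n"
    "To: user@example.edu\n"
    "Subject: [Ext] Receipt 1304022\n\n"
    "Your receipt is attached.\n"
)

if __name__ == "__main__":
    for raw in (PAYPAL_SENT, GMAIL_SENT):
        print(red_flags(raw, "user@example.edu"))
```
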

Keep reporting suspicious emails to abuse@uthsc.edu for examination. If you wish to report an incident to the Office of Cybersecurity, use TechConnect.