This attack impersonated PayPal to send the recipient what looks like a receipt for a purchase of an expensive bathroom mirror TV. The email mentioned that if the recipient has any questions about the order, then they should call a number provided. The display name of the email was set to “do not reply,” indicating that an email response is not possible, so a phone call was the only potential method of communication. The subject of the email indicated the product was out for delivery, adding some potential time sensitivity to any follow-up from the recipient. The email was sent from a likely compromised external email account.

Status Bar Dots
PayPal Fake Billing Scam

How Does This Attack Bypass Email Defenses?

The attack was text-based, so there was little to use for a secure email gateway to determine malicious intent as it does not contain any other indicators of compromise. Because this email was sent from a legitimate account that has been compromised without a history of abuse, there were no direct signals indicating the email’s origin is malicious.

How Can This Attack Be Detected?

To detect this attack, an understanding of new threats is required alongside content analysis to detect the tone of the email and the included phone number. Lookalike content is also helpful to understanding how this attack relates to other phone-based text attacks, which have seen increased popularity in recent months due to their ability to bypass email gateways.

What are the Risks of This Attack?

Had the target called the number provided, they would likely have been instructed to download malicious software onto their computer. Once the malware was installed, attackers would have been able to perform a variety of nefarious actions, including escalating it into a ransomware attack.

Analysis Overview




Malware Delivery


External Compromised Account


Fake Payment Receipt

Impersonated Brands


See How Abnormal Stops Emerging Attacks

See a Demo