PayPal phishing email

[Kryten]

I recently closed both my PayPal accounts, one personal and the other business. This was sent to my personal account.
I'm this is a scam but how have they spoofed [email protected] email address? I'm posting the header text if that helps. You can see the View Estimate does actually take you to the PayPal website. I don't know who Killo Carter is. The email tells me my PP account has been accessed illegally or words to that effect.

Any ideas most welcome, thanks guys.

"[email protected]" <[email protected]>
Estimate from Billing department Of paypal (0106)
To: My Details removed by me
Delivered-To: My email address
X-Pp-Requested-Time: 1665822733272
Pp-Correlation-Id: f532255291939
X-Xpt-Xsl-Name: nullval
X-Pp-Priority: 0-none-true
X-Spam-Report: Action: no action Symbol: ARC_NA(0.00) Symbol: R_DKIM_ALLOW(-0.20) Symbol: RWL_MAILSPIKE_POSSIBLE(0.00) Symbol: FROM_DN_EQ_ADDR(1.00) Symbol: DWL_DNSWL_MED(-2.00) Symbol: R_SPF_ALLOW(-0.20) Symbol: TO_MATCH_ENVRCPT_ALL(0.00) Symbol: TO_DN_NONE(0.00) Symbol: RCVD_DKIM_ARC_DNSWL_MED(-0.50) Symbol: RCPT_COUNT_ONE(0.00) Symbol: MID_RHS_NOT_FQDN(0.50) Symbol: DKIM_TRACE(0.00) Symbol: RCVD_IN_DNSWL_MED(-0.40) Symbol: DMARC_POLICY_ALLOW(-0.50) Symbol: WHITELIST_DMARC(-7.00) Symbol: MIME_HTML_ONLY(0.20) Symbol: RCVD_COUNT_ONE(0.00) Symbol: FUZZY_BLOCKED(0.00) Symbol: WHITELIST_SPF_DKIM(-3.00) Symbol: FROM_EQ_ENVFROM(0.00) Symbol: MIME_TRACE(0.00) Symbol: ASN(0.00) Symbol: RCVD_TLS_ALL(0.00) Symbol: NEURAL_HAM(0.00) Symbol: ONCE_RECEIVED(0.10) Message-ID: 3B.48.26877.5107A436@ccg01mail02
Return-Path: <[email protected]>
X-Maxcode-Template: PPC001840
Mime-Version: 1.0
Authentication-Results: mx1.lhr.stackcp.net; iprev=pass (mx0.phx.paypal.com) smtp.remote-ip=66.211.170.86; spf=pass smtp.mailfrom=paypal.com; dmarc=skipped
Content-Transfer-Encoding: quoted-printable
Dkim-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed; q=dns/txt; [email protected]; t=1665822741; h=From:From:Subjectate:To:MIME-Version:Content-Type; bh=xzYlohkOJ1gmgD3KSNgKAIVbAjckIJdaDc1mKRqrepw=; b=gztfWeKlDbsJ/XsdhjJ+NQzbZiEvh06bRQWe75tFzRcnq7c/g4o9meCDUJzZp1XW 2Y3FXpV4dY1rcNedBzmt0smN5GsRYjMaZcW0YYrfeFf9/9YN76T5hKf5V4GhX3hT nJ+dhp9mjeLtl3rKENwG72rqh6Tndiw6ZWBslkE+trHWZsLEzbsK4paP9AMQmOkH Z5Fmhj2Fy+EdSne5p67N9vu7eNJgyXdO1hwIkCazUuOP7mSKNRrmTh0ALcEso7qz DnIp1x4iTGlSbnfPC4H7/W5YYLJiiAT+mxNpLD2h/TVe1iWa5N9+E55Ac4jR9RlM fKN0rv0xaMrjNEaEEHe8rA==;
<3B.48.26877.5107A436@ccg01mail02>
X-Spam-Score: -12.0 (------------)
X-Email-Type-Id: PPC001840
Content-Type: text/html; charset="UTF-8"
X-Pp-Email-Transmission-Id: e108f16c-4c63-11ed-bf28-3cfdfeec12bc
Received-Spf: pass (mx1.lhr.stackcp.net: domain of paypal.com designates 66.211.170.86 as permitted sender) client-ip=66.211.170.86; envelope-from=[email protected]; helo=mx0.phx.paypal.com;
Amq-Delivery-Message-Id: nullval
Received: from mailauth4.lhr.stackcp.net ([10.4.13.3]) by mail18.lhr.stackcp.net with LMTP id wHggLhdwSmMUJwAA2vlgcg (envelope-from <[email protected]>) for <My email address>; Sat, 15 Oct 2022 09:32:23 +0100
Received: from mx1.lhr.stackcp.net ([10.4.12.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by mailauth4.lhr.stackcp.net with LMTPS id eMLyLBdwSmNgTQAAl5XFYQ (envelope-from <[email protected]>) for <My email address>; Sat, 15 Oct 2022 09:32:23 +0100
Received: from mx0.phx.paypal.com ([66.211.170.86]) by mx1.lhr.stackcp.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <[email protected]>) id 1ojcal-000549-1B for My email address; Sat, 15 Oct 2022 09:32:23 +0100

 

[Lifeisabeach]

I would normally expect this to be a phishing email, but you did all the right things by checking the headers and hovering over the clickable link to verify where it leads to. It looks legit to me, but I'd rather another member check behind me on this. I would CALL PayPal using the number on their website rather than fish around any links on that email regardless.

 

[pigoo3]

Check out these links regarding Paypal scams:

How to tell if an email is really from PayPal

PayPal is one of the most impersonated companies in the world. So how can you tell if an email if really from PayPal? Let's hash it out.

www.thesslstore.com

PayPal Phishing Scam Uses Invoices Sent Via PayPal – Krebs on Security

krebsonsecurity.com

 

[Kryten]

Thanks Gents. That second link Ian looks more like what I received with small differences. Out of interest I tried calling the 0800 number, after dialling 141 and it didn't connect. I will try calling PP but in the meantime I can't login to the account because it's closed. But also out of interest I created a new account under the same email address name, address and details, but not including bank/card info and I didn't receive any 'An account already exists etc., etc' So probably my original bank & card info has been deleted, I'm hoping.
It's just making me wonder whether someone at PP has gone rogue because he's about to lose his job with 1,000s cancelling their PP account recently.

 

[Lifeisabeach]

Thanks Gents. That second link Ian looks more like what I received with small differences. Out of interest I tried calling the 0800 number, after dialling 141 and it didn't connect. I will try calling PP but in the meantime I can't login to the account because it's closed. But also out of interest I created a new account under the same email address name, address and details, but not including bank/card info and I didn't receive any 'An account already exists etc., etc' So probably my original bank & card info has been deleted, I'm hoping.
It's just making me wonder whether someone at PP has gone rogue because he's about to lose his job with 1,000s cancelling their PP account recently.

Ah yes, I missed the second link that Ian had posted. That definitely matches what you have going on. I overlooked the number they provided in the email you posted, and that totally is a scam. It's been a while, but I've received a few of those and the phone number was a giveaway.

BTW, why do you say thousands of people are cancelling their PayPal accounts?

 

[Kryten]

BTW, why do you say thousands of people are cancelling their PayPal accounts?

Since PayPal blocked some high profile user accounts, personal and business because they disagreed with their freedom of speech agenda. And also PP announced that ANY account that they found guilty of providing 'Misinformation' would have £2500 removed from their account as a fine. Seriously Google it. There has been a huge backlash for PP thinking they can do that as if they were an official governing body.
They have since withdrawn these statements and re-instated the closed accounts claiming that this was never meant to happen.
If you value your freedom of speech you might consider the same action.

 

[Lifeisabeach]

Bah. PayPal states that the $2500 fee thing was an error. I'm not sure I believe if it really was one (that is one very specific error), but as a private business, they absolutely have the right to discontinue business with people who promote hate, violence, etc etc, and SHOULD! I see you are in England, but here in the US, in spite of what many people think, the Constitutional right to "free speech" is to protect the people against government censorship. Businesses are not the government and can censor as they see fit. This very forum you are on will censor you if you run afoul of the TOS.

 

[MacInWin]

Not wanting to get political, but the uproar was not because they wanted to cancel accounts of folks they disagreed with over some item, that was bad enough, but they put in the T's and C's that they would then "fine" the victim by taking $2500 from their PayPal account in addition to the cancellation. And since PayPal has bank account information, it wasn't much of a stretch to see them taking that fine from your bank, if they wanted to do so. Hence the somewhat frenzied reaction when this came out in the public arena. For my wife and I, personally, we did cancel the one account that had a balance and only use PayPal to pay for things, not to accept payment for anything we might sell. You never know when an "error" turns into a trial balloon and then into fact. They don't have our bank information and we've changed all accounts they had known about.

 

[Kryten]

Absolutely agree about spreading hate, violence etc. Sometimes even words like Muslim, the WEF, Klaus Schwab can get comments removed just for that. There is huge problem in the Netherlands with the government physically taking land off farmers, forcing them to leave under the guise of too much global warmth. The Dutch are the world's second largest exporter of food and that's about to change. Your Bill Gates is now the biggest farmland owner in the US - why? They want us to eat bugs and less meat. The WEF have openly said they want to remove private car ownership, they actually said that.

The freedom of speech I and the others are talking about is the right to question what these agendas actually mean long term, for all of us and have open debate, that's all. But hey sorry, rant over.