PayPal Support Told Me PayPal Here Was Phishing Me

This is the story of how PayPal support tried to convince me that a perfectly legitimate receipt I got from PayPal Here was a phishing email.

On May 27th, my old university email account received an unexpected receipt from a store in Buffalo’s Canalside district:

A screenshot of an emailed receipt from Bows and Bands in Buffalo, NY

When I logged into my PayPal account, it did not show any charges that matched the receipt. It clearly wasn’t a case of someone compromising my PayPal account and using it to run up charges. Either this was a phishing email, or someone was making purchases with PayPal that were associated with my email address (but not my payment methods).

The second possibility isn’t as crazy as it sounds. I went to Cornell University, and lots of people at my alma mater either misremember or mistype their Cornell email addresses; our user IDs consist of our initials and an arbitrary numeric suffix, which some people seem to really struggle with. I’ve gotten a lot of mail over the years that was intended for someone else due to a username mix-up. So, my next step was to take a closer look at the mail headers to see what was going on.

Delivered-To: <my address>
Received: by 10.83.50.130 with SMTP id y124csp707535yxy;
        Sat, 27 May 2017 08:45:53 -0700 (PDT)
X-Received: by 10.55.113.199 with SMTP id m190mr7557462qkc.176.1495899953147;
        Sat, 27 May 2017 08:45:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1495899953; cv=none;
        d=google.com; s=arc-20160816;
        b=O0PF6d2mwAM+S+ro4PLjpyvxDOfFLIC8gk+ORVq3gfEYr4zN+Tb7FHHwWY40avGk/F
         Osz7diDdOPz5Wuh+wqW/U5wVHMop76U7+9xXALsa3qIkmOn0y4X+3iArSs8A5s0Tu7oe
         8kfXud9rY+xPwXQMDlLvYLsTi+9joPnOreRAOiQI0JndL1wwvWOv3P9TvcP4E1WobpwF
         iCf8QkDhGdrK3fm/lkIhjy/3JE7R1ajFM/ibc4vzh3uveEg/KH6YFsBMP0+Cv8mlc5Tr
         uNm87cwLhvNn5RwiKab5Qdud5AWIOwK4H4GFSCymkFiUOZ/+jvBQ87ZWThBOL4fpIfuT
         uxFg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=mime-version:content-transfer-encoding:from:to:subject
         :pp-correlation-id:amq-delivery-message-id:message-id:date
         :dkim-signature:arc-authentication-results;
        bh=5vO7pG/cWJHn2XyHxIJeUwW4zNmTY7kWvhGFAzalLPc=;
        b=x3oSN8EhP9VpAthFdpCTOqDA4azU+cqwCehLLJw6SfdmP2IPSWn8WPbKaYaYvr99Jl
         bF29LQF9ZqdhUzULf+W7QZuhjO2u0dE6J+tkXzryYKsiP2Sw5plVqI7ztQOewIZ9XwXI
         xqkq0iaAXpYOoVimT/C6fcXqEOPojkcFcQVIEDvPC6YsFuGeGz3LtUVxxixrB5p5kfxq
         kHVRzi9WA0NhEPE9RTu/hB3Tag+smvuJvKQ9skvjXlykyzj7yVk0/5/qbaZMX9fo8675
         O/w1EZiJ3ItK28i37qqiLa5j8KzCtYSq4MwFJYsp33m1es7JTk9XlQTMiMGNFXaSHSdD
         sqLA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected];
       spf=pass (google.com: domain of [email protected] designates 173.0.84.226 as permitted sender) [email protected]
Return-Path: <[email protected]>
Received: from exchange.cornell.edu (vs-prod-exch2013-04.exchange.cornell.edu. [128.253.150.147])
        by mx.google.com with ESMTPS id i6si4046572qta.64.2017.05.27.08.45.52
        for <<my address>>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Sat, 27 May 2017 08:45:53 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 173.0.84.226 as permitted sender) client-ip=173.0.84.226;
Authentication-Results: mx.google.com;
       dkim=pass [email protected];
       spf=pass (google.com: domain of [email protected] designates 173.0.84.226 as permitted sender) [email protected]
X-CrossPremisesHeadersFilteredBySendConnector: sf-e2013-07.exchange.cornell.edu
Received: from sf-e2013-09.exchange.cornell.edu (10.22.40.56) by sf-e2013-07.exchange.cornell.edu (10.22.40.54) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Sat, 27 May 2017 11:45:51 -0400
Received: from maxima20.mail.cornell.edu (10.22.40.21) by sf-e2013-09.exchange.cornell.edu (10.22.40.56) with Microsoft SMTP Server (TLS) id 15.0.1210.3 via Frontend Transport; Sat, 27 May 2017 11:45:51 -0400
Received: from maxima20.mail.cornell.edu (localhost [127.0.0.1]) by maxima20.mail.cornell.edu (Postfix) with SMTP id 3wZnQl13Tdz1xmw for <<my address>>; Sat, 27 May 2017 11:45:51 -0400 (EDT)
Received: from mx2.slc.paypal.com (mx1.slc.paypal.com [173.0.84.226]) by maxima20.mail.cornell.edu (Postfix) with ESMTPS id 3wZnQk2pb5zFpVm for <<my address>>; Sat, 27 May 2017 11:45:50 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed; q=dns/txt; [email protected]; t=1495899949; h=From:From:Subject:Date:To:MIME-Version:Content-Type; bh=5vO7pG/cWJHn2XyHxIJeUwW4zNmTY7kWvhGFAzalLPc=; b=nzmJ3qdv3gwf+xqFNZSQWAw8T2BY6EiULQi7NInipa7BMVGwmB+Ljhboqq7C8vpf NTJhDQ7DNfFVb9g4BamD6aLIYlbvWFsmZJKteHXYCQinB5ur2F3w/Qrghv4S9FmB qp0hOzUu/eXous9UJp0dxVfAfhwPnNyggdCJsigee9XY80pO1GuBFCnel0SDaFDB fOBMpNtT92sTXqSY39rNoeCReDFG7F5hulS88cHXCV2hytxkyhp1MzS5vK8ioEKk i9Pky48nmBMWA46Jq6t8eUTDD/mAoImvnlkD3nSdXyHW+7e0IPsD9DT2kJoGeSAq Z9WoXo0z4E9/kP5dBRzPIA==;
Received: (qmail 39632 invoked by uid 993); 27 May 2017 15:45:49 -0000
Date: Sat, 27 May 2017 08:45:49 -0700
Message-ID: <[email protected]>
AMQ-Delivery-Message-Id: EMAILDELIVERY-Notification_EmailDeliveryEvent-148-1495899943216-1307475200
X-PP-REQUESTED-TIME: 1495899931000
X-PP-Email-transmission-Id: 8ad2c6c6-42f3-11e7-85b6-441ea1478e4c
PP-Correlation-Id: a15443bf87354
Subject: Receipt from Bows and Bands by JC for $28.00 USD
X-MaxCode-Template: PPX001660
To: "<my address>" <<my address>>
From: Bows and Bands by JC <[email protected]>
X-Email-Type-Id: PPX001660
Content-Transfer-Encoding: base64
Content-Type: text/html; charset=UTF-8
MIME-Version: 1.0
X-PMX-CORNELL-AUTH-RESULTS: dkim-in=pass;
X-PMX-CORNELL-AUTH-RESULTS: spf=missing;
X-PMX-CORNELL-SPAM-CHECKED: maxima20.mail.cornell.edu - Sat May 27 11:45:51 2017
X-PMX-Version: 6.3.3.2656215, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2017.5.27.153616, AntiVirus-Engine: 5.38.0, AntiVirus-Data: 2017.5.27.5380002
X-Original-Sender: [email protected] - Sat May 27 11:45:51 2017
X-PMX-CORNELL-GAUGE: Gauge=X
X-Cornell-EOP: Passed
Return-Path: [email protected]
Received-SPF: SoftFail (sf-e2013-07.exchange.cornell.edu: domain of transitioning [email protected] discourages use of 10.22.40.21 as permitted sender)
X-ORG-HybridRouting: 6ac62ebfcffa68690fa62b9af019a92a
X-ORG-RouteOnPrem: False
X-ORG-MsgSource: inbound
X-OrganizationHeadersPreserved: sf-e2013-07.exchange.cornell.edu
X-Cornell-Compliance: Passed

[...]

As you can see, the email headers indicate that this email did indeed originate from the paypal.com domain: Cornell's mail server received it directly from mx1.slc.paypal.com, and it passed both SPF and DKIM authentication, which (at least in theory) proves that the email wasn't forged. Something very strange was going on here.
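The check described above, written out as a short script (an added example, not code from the original post): it reads the receiving MX's Authentication-Results, confirms that the DKIM signing domain (d=) aligns with the visible From domain, and lists every Received-SPF hop so that the Cornell relay's SoftFail (an internal 10.x hop) is seen as a forwarding artifact rather than a failure of the outermost check against 173.0.84.226. The header sample is constructed from the page's headers; the mailbox local parts and the `header.i=` / `smtp.mailfrom=` fields are assumed, since the page's copy redacts them.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed header sample modelled on the page's message. Mailbox local
# parts are placeholders (the page redacts them) and signature values are
# elided; only the header structure is inspected here.
RAW_MESSAGE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paypal.com;
       spf=pass (google.com: domain of sender@paypal.com designates 173.0.84.226 as permitted sender) smtp.mailfrom=sender@paypal.com
Received-SPF: pass (google.com: domain of sender@paypal.com designates 173.0.84.226 as permitted sender) client-ip=173.0.84.226;
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed; q=dns/txt; i=@paypal.com; h=From:Subject:Date:To; bh=ELIDED; b=ELIDED
From: Bows and Bands by JC <sender@paypal.com>
Received-SPF: SoftFail (sf-e2013-07.exchange.cornell.edu: domain of transitioning sender@paypal.com discourages use of 10.22.40.21 as permitted sender)

(body omitted)
"""
METHOD_RE = re.compile(r"\b(dkim|spf|dmarc)=(\w+)")

def aligned(signing_domain, from_domain):
    """Relaxed DMARC-style alignment: equal, or one is a subdomain of the other."""
    s, f = signing_domain.lower(), from_domain.lower()
    return s == f or s.endswith("." + f) or f.endswith("." + s)

def summarize_auth(raw):
    msg = message_from_string(raw)
    # Authentication-Results is written by the final receiving MX; the authserv-id
    # precedes the first ';' and method=result pairs follow it.
    authserv, _, rest = (msg["Authentication-Results"] or "").partition(";")
    results = {m: r.lower() for m, r in METHOD_RE.findall(rest)}
    # A DKIM pass only vouches for the visible sender if the signing domain (d=)
    # aligns with the From domain.
    d_match = re.search(r"\bd=([^;\s]+)", msg["DKIM-Signature"] or "")
    dkim_domain = d_match.group(1) if d_match else ""
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    # Each hop that evaluated SPF adds its own Received-SPF, outermost first. An
    # inner hop checking an internal relay address (10.x) may SoftFail even when
    # the outermost check against the real connecting IP passed.
    hops = []
    for hdr in msg.get_all("Received-SPF", []):
        checker = re.search(r"\(([^:\s]+):", hdr)
        ip = re.search(r"(\d{1,3}(?:\.\d{1,3}){3}) as permitted sender", hdr)
        hops.append((hdr.split(None, 1)[0].lower(),
                     checker.group(1) if checker else "",
                     ip.group(1) if ip else ""))
    return {"authserv": authserv.strip(),
            "dkim": results.get("dkim", "none"), "spf": results.get("spf", "none"),
            "dkim_domain": dkim_domain, "from_domain": from_domain,
            "dkim_aligned": bool(dkim_domain) and aligned(dkim_domain, from_domain),
            "spf_hops": hops}
```

Only the outermost (first-listed) Received-SPF and the Authentication-Results of your own MX describe the connection that actually delivered the message; inner hops describe relays you do not control.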

The next thing I did was take a look at the “View your receipt” link in the email body. This link seemed to point to a paypal.com address and did not seem to be at all malicious (no sketchy URL parameters), so I copied the link’s target, pasted it into a text editor to be extra paranoid, and then pasted it into my browser’s address bar. It took me to this totally innocuous page:

A screenshot of a PayPal Here receipt from Bows and Bands in Buffalo, NY

It’s worth pointing out that the credit card number included in the receipt did not match any card that I own. Otherwise, there was nothing strange about this receipt (well, other than the fact that I hadn’t bought anything from this store). The only JavaScript the page was executing was a small, un-obfuscated script that sent analytics data back to a server on the paypal.com domain. I was never prompted to enter any account credentials or other sensitive information. The site also used a valid SSL certificate for PayPal:

A screenshot of Google Chrome's certificate viewer confirming that the site's security certificate is valid

If this was a phishing attack, it was either the best or worst phishing attack in the world, depending on your perspective. It was pretty clear to me that this was a legitimate email that was sent to my address mistakenly, so I called up PayPal’s customer support number to try to figure out what was going on.

PayPal’s phone support is pretty aggressive in trying to prevent you from talking to a human being. It’s a voice-activated menu system, and when I said I wanted to discuss an unexpected email, it played me a generic message about phishing prevention tips and hung up on me (!). I called back and just repeated “I want to talk to a person” over and over until the system said that it would connect me to an agent.

The agent I spoke with might as well have been a recording. After I explained what was going on, she immediately told me that the email was a phishing message because, apparently, PayPal never emails you a link to view a receipt and always begins its emails with a greeting that addresses you by name. I asked her how she could explain the SPF and DKIM authentication, the valid SSL certificate, etc. and she did not seem to understand what those things were. She just kept repeating the same scripted lines about phishing messages over and over again like a broken record. I finally gave up and ended the call.

It seemed pretty clear to me that PayPal support is useless, and I was annoyed enough that I closed my PayPal account entirely. I figured that this would just be one of life’s unsolved mysteries and hoped that I wouldn’t keep getting receipts intended for this mystery person.

Then something funny happened. A couple weeks later, my mom asked me if I could forward her a receipt she was expecting from a shopping trip she took to Canalside. The shop she was in used “some PayPal thing”, she explained, and for some reason it associated her phone with my Cornell email address. Oh.

So, to sum up:

  1. PayPal support’s guidelines for identifying fraudulent emails flag legitimate receipts from PayPal Here as phishing messages.
  2. My mom’s phone is somehow associated with my college email address as far as PayPal Here is concerned, and neither of us knows how or why. There’s probably a simple and obvious explanation that will make me feel dumb when I hear it, but…
  3. …PayPal support is pretty useless because it’s so scripted and automated that it’s incapable of addressing any kind of unusual or unique situation.

What I find most bizarre is that I got a very strong sense that no one on the consumer-facing side of PayPal had any idea that PayPal Here even existed. The agent I talked to seemed confused when I said the receipt was for an in-person transaction, not an online sale. PayPal’s help center barely refers to PayPal Here, and the material is almost all directed at business owners. I don’t know if the product is just neglected overall or if PayPal was so worried about trying to market it to businesses that they forgot about all of those businesses’ customers who will also be using it.

What a mess.