A new run of PayPal payment-received clones started hitting freelancer inboxes this week. The visual fidelity is the highest we have seen for this template - and one filter rule still catches it.
What is different in this run
- The reply-to is a freshly registered domain that mimics a payment-processor name.
- The "Total" field uses freelancer-typical numbers ($420-$1,800).
- The "Dispute" link routes through a redirector, not directly to the payload domain.
How it tries to convert
The goal is not to steal a PayPal password. It is to push the recipient to a "dispute" page and then to a credential-harvest layer disguised as a fraud-investigation portal. The harvest is the second click, not the first.
The filter rule that catches it
Block every message whose visible From address claims @paypal.com but whose SPF/DKIM results authenticate a different sending domain. Most managed inboxes already do this; what is unusual about this run is that the brand-name spoofing in the visible "From" field is more polished, so the user-side (eyeball) test fails. The DKIM-side test still wins.
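As an added example, not code from the post or from any mail provider, here is that rule written out in Python and run over constructed headers: a From that claims @paypal.com is delivered only if a passing SPF or DKIM identity in Authentication-Results aligns with paypal.com. The lookalike domain and the MTA name are placeholders, not indicators from this run.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domain this run claims in the visible From header (from the post above).
PROTECTED_DOMAIN = "paypal.com"

# Constructed samples, not real captures. The lookalike domain is a placeholder.
SPOOF = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@paypa1-notices.example; dkim=pass header.d=paypa1-notices.example
From: PayPal <service@paypal.com>
Reply-To: disputes@paypa1-notices.example
Subject: You've received a payment of $640.00

"""
LEGIT = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=service@paypal.com; dkim=pass (2048-bit key) header.d=paypal.com header.s=pp-dkim1
From: PayPal <service@paypal.com>
Subject: You've received a payment

"""
NO_AUTH = "From: service@paypal.com\nSubject: Payment received\n\n"

def visible_from_domain(msg):
    """Domain of the address in the From header, the part the user sees."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def authenticated_domains(msg):
    """Domains that actually passed DKIM (header.d) or SPF (smtp.mailfrom),
    read from the Authentication-Results header stamped by the receiving MTA."""
    passed = set()
    for ar in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=pass[^;]*?header\.d=([\w.-]+)", ar, re.I):
            passed.add(m.group(1).lower())
        for m in re.finditer(r"spf=pass[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", ar, re.I):
            passed.add(m.group(1).lower())
    return passed

def aligned(auth_domain, domain):
    """Relaxed alignment as DMARC defines it: same domain or a subdomain of it."""
    return auth_domain == domain or auth_domain.endswith("." + domain)

def should_block(raw):
    """The rule from the post: From claims @paypal.com, but no passing
    SPF/DKIM identity aligns with paypal.com. Unauthenticated mail is blocked too."""
    msg = message_from_string(raw)
    if visible_from_domain(msg) != PROTECTED_DOMAIN:
        return False  # rule only fires on mail that claims the brand domain
    return not any(aligned(d, PROTECTED_DOMAIN) for d in authenticated_domains(msg))
```

The rule deliberately covers only mail whose From address itself claims paypal.com; a message where only the display name reads "PayPal" and the address is a lookalike domain falls outside it and needs a separate display-name check.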
What to do if you clicked
- Do not enter credentials. If you did, change the password immediately and revoke all sessions.
- Review the linked accounts in PayPal's real settings (navigate there manually, not through any link in the message).
- Report the original message to PayPal's phishing inbox and to your mail provider.
Tomorrow
If we see a fresh variant, we will post a quick update. Got a sample? Write to the desk.