As I was getting ready to enjoy a couple of relaxing hours this evening on the 8th of July, 2019, a notification popped up via KDE Connect from my phone. Ordinarily, if it’s an email (which this was), I’d ignore it and go about my business. But something caught my eye: It said “invoice” somewhere in the text and also mentioned “GoDaddy.”
Puzzling, I thought, because I have all GoDaddy-related emails go to a separate folder, and they typically say nothing about an “invoice” in the message text. I quickly clicked on my email and, there, at the bottom of the window, sat a new message from PayPal with the title “Invoice from GoDaddy” with one of my domains in parentheses at the end.
Before I continue, I’ll confide a small secret: I panicked. Oh, yes, I panicked. I don’t know why, because I use a password manager for everything, and 2FA where possible, but there’s always a small seed of doubt lurking in the darkness, desperately trying to convince you of the worst.
Escaping from my brief delirium, shortly after rationality finally kicked back in, I thought to myself “Ah-hah! It’s most likely this is a phishing email! This is the first one I’ve received in quite a while!”
I won’t deny that I felt the pangs of confidence–and a healthy sprinkling of arrogance–as I clicked through to examine the email headers in their entirety. Of course it was going to show up as an email that neither originated from PayPal nor from any reputable email service except, perhaps, from a hacked account being exploited for spam.
As I scrolled through the DKIM signatures and the SPF validation, not to mention the SMTP exchanges that clearly identified this as a legitimate PayPal emailing, reality set in. This wasn’t going to be quite so simple as an email scam. This was, in fact, a legitimate mailing from PayPal themselves.
Now, I’d be lying to you if I said that I was completely free of my panicked state. Nay, it returned, with somewhat more strength, to concern me even more deeply that perhaps my PayPal account was the victim of an as-yet unknown attack or exploit. Quickly, or as fast as fumbling and vaguely worried hands could manage, I logged in to my PayPal account. There, at the bottom of the activity list, was an invoice–for $56.00 USD.
First, I’ll point out that this is just an invoice. It doesn’t mean that any money has exchanged hands. Yet. But it was still cause for alarm, because someone had decided it might be cute to exploit trust and the general imposition people feel toward settling outstanding debts for services rendered. To say this is a scummy, disgusting practice would be something of an understatement.
However, here’s where the scammer made a couple of critical mistakes (ignoring the more obvious ones–more on that momentarily). Of these, the most obvious was their account name on the requested transaction: It was written in Russian. Second, the string they used for “GoDaddy” did not match what GoDaddy actually uses for their billing statements. I don’t expect most people would consider the latter until it was too late, but I think the Russian name might’ve been something of a flashing neon sign that really ought to give pause for thought.
There were a couple of other clues that immediately shouted “SCAM!” (in capital letters), but they might not be helpful to potential victims who have dozens of domains or are otherwise pressed for time and simply cannot weigh these possibilities. The first of these was the timing. The domain they were targeting was indeed up for renewal, but they missed the expiration date by one day. I had already received an email from GoDaddy about the pending (automatic) renewal several days before and had it floating around in the back of my head. This invoice was therefore something of a surprise. As such, considering this background provided an immediate indication that something wasn’t quite right. The second was that all of my domains automatically renew. I don’t receive invoices from GoDaddy–only receipts. Oh, and finally, I don’t use PayPal to pay for my domains.
Admittedly, that last one was something of a dead ringer for potential scam (or a cracked account) material.
Before doing anything, I immediately started scouring the Internet for clues. Surprisingly, I couldn’t find anything about fake invoices from GoDaddy. I found some from buyers looking for shoes (of all things), and dozens of examples of phishing emails. This wasn’t a phishing email–this was a legitimate notification from PayPal informing me of an invoice that had been fraudulently sent. So, I did what any self-respecting (lol) person would do in a time of abject puzzlement: Take to Twitter.
It didn’t take me long to find someone else complaining to both the GoDaddy and PayPal Twitter accounts about receiving an invoice for $47 on a renewal that wasn’t up yet. I replied, suggesting that it might’ve been a scam, and that I had received something similar.
Of course, I don’t know that the Twitter user in question was complaining about a fraudulent invoice. They didn’t provide enough information to deduce whether or not there was anything off about the invoice they received. But hey, why not offer it up as a possibility?
About 5 minutes later, I had a notification waiting for me on Twitter. It was PayPal’s support account asking for details via DM. I’m still a bit shocked in retrospect, to be completely honest, because I didn’t expect to hear from anyone much less one of the companies in question. I certainly can’t complain, either.
As expected, they asked for account information, location, and the nature of the issue. However, they also asked for screenshots of the offending invoice (couldn’t they see it?). After a brief back-and-forth, they strongly recommended I report it to their abuse department. I was quite pleased with the immediacy of their interest, but it remains to be seen what happens with the abuse report. (I’ll have to wait until later in the week for a reply, if any; I’m not holding out much hope.)
But the saga doesn’t end there.
I’ve heard mixed things about GoDaddy’s customer support. I’ve had a wide array of experiences myself but limited mostly to their sales department (they’re rabid up until the moment you turn off the whole “I’d like to be contacted for sales purposes,” which was apparently re-enabled at some point in my account’s history). I mused for a while about whether GoDaddy should know their name was being exploited for the gains of less savory individuals. I strongly considered against it, I won’t lie, but my conscience got the better of me.
I loaded up their web chat and almost immediately got in touch with one of their support representatives. She (I’ll assume it was a she, based on the feminine accents on the name; if not, for privacy, we’ll just roll with it) asked for my name and a description of the problem.
Well, this was awkward. I hadn’t really thought that far ahead, because the problem wasn’t really a problem with GoDaddy. It wasn’t a problem with my account. It wasn’t a problem with my domains, customer service, or any particular product offering. I told her as much. The problem was weird, I can’t deny that, but I felt someone needed to know. Even if it didn’t matter, at least I could sleep better at night knowing that I tried to do something about it. After all, I can’t be the only one targeted in this scam. What if someone else were to fall for it?
I explained the issue, and she quickly escalated the ticket through the account verification process, and then asked for some additional information. I explained a couple of times that the problem wasn’t with an account or domain per se so much as it appeared to be a new-ish scam, and that I mostly wanted to report it for my own satisfaction.
We went back and forth with a couple of relevant questions, and then she asked for a copy of the scam email. I was somewhat surprised, because I hadn’t exactly received a scam email from anyone. I asked if she meant the PayPal message; she said yes. So, off went the PayPal message (as an attachment to preserve headers), and I asked if she would like screenshots of the PayPal account pages with the invoice. Much to my surprise, she also wanted copies of those.
At this point, I’ll be honest. I don’t know what good any of this is going to do. I do know that the GoDaddy support representative was incredibly helpful, and she seemed genuinely interested in my concern (even going so far as to say “You are such a responsible person” to sate my worries). I was a bit taken aback by her kindness, to say the least.
What surprised me with this whole ordeal was GoDaddy’s interest in the problem. They weren’t the ones who were dealing with invoices to third parties masquerading as someone else. They were merely the third party whose name was being exploited to commit fraud. It remains to be seen if PayPal expresses concern outside social media. I hope they do, but for now, it’s been awfully surprising to me that I received far more customer care from a company who couldn’t do anything about the problem. (I say “couldn’t,” even though technically they could, as the scammer was using their name and logos–i.e. trademarks–without permission.) Nevertheless, PayPal’s social team responded to me very quickly, so they at least get a few points for expediency.
All things considered, I feel the night ended on mostly positive terms. The initial shock of receiving a fraudulent invoice that wasn’t via a phishing attempt certainly took me by surprise, but in the end, the positive experiences with a random customer service representative probably half-way across the world expressing concern and compassion for others who could become victims of this scam more than made up for it. It’s a reminder that no matter how big a company is or how variable its reputation is viewed by customers on the receiving end, there are still humans who work for them. Sure, there are humans who typically see it as just another job. That’s normal.
However, no matter how rare it may be, it’s worth noting that there are those who see it as their duty to help. It may be woefully uncommon in our society today, but there are genuinely people who want to do the Right Thing™.
I don’t expect I’ll ever know if the representative who helped me managed to escalate the ticket and share the information about this scam to others who might be able to do something. Even if they could, there isn’t anything GoDaddy could do about this scam in the first place. This is clearly in PayPal’s sphere of influence, but perhaps if they know about it they can inform their customers when they inevitably receive the calls asking “Why am I receiving this invoice?”