amInnovations in payment processes have introduced a wide range of opportunities for
legitimate businesses to market their products and services to a broad audience. The
convenience and ease of peer-to-peer (P2P) payment applications provide a direct, cost-
effective method to receive funds from customers for businesses of any size. However,
unlike traditional financial institutions such as a bank or credit union, P2P apps do not have
a physical location its users can visit to talk directly with a representative, and the focus on
digital interactions provide an opportunity for scammers to impersonate representatives to
carry out a range of schemes. Recently, reports to BBB Scam Tracker from Texas residents
have brought a new PayPal impostor tactic to light. Using a high-tech approach, some
victims of this scam report losing over $80,000 under the assumption they are disputing an
unauthorized charge.
How the scam works:
Victims receive what appears to be a confirmation email from PayPal for an expensive
product, typically over at least $1,000. The email closely mimics a legitimate PayPal
confirmation, including the design, PayPal logo, order number, and shipping details from a
supposed supplier. In multiple places in the email, bolded or red text emphasizes a call-back
number to dispute the transaction. However, the phone number provided does not connect
the victim with PayPal but with an impostor that begins to guide them through the next
steps.
The impostor directs the victim to download and run a Reason ReFill Sound Bank File (RFL)
to reverse the pending charge. RFL files (e.g. FileName.rfl) are commonly used within the
music industry to compress and transfer samples, songs and patches. However, their use
also extends to storing databases or running virtual prototypes and simulations. The general
public’s unfamiliarity with the RFL file type assists the scammer by requiring the victim to
rely more heavily on their guidance, such as helping the victim to download a program that
can read and open an RFL file as opposed to more widely-used file extensions such as
Microsoft Word (e.g. FileName.docx) or Excel (e.g. FileName.xlsx).
After opening the file, the victim encounters a dashboard that appears to be designed to
handle their reimbursement request. Following the impostor’s directions, they input the total
cost of the transaction included in the invoice and their banking information. Although the
dashboard appears to be legitimate, it is designed not to recognize decimal points and
seems to credit the victim’s account with an excessive amount of money when submitted.
For example, a $1,999.99 pending charge becomes a $199,999.00 account credit. Using
fear or coercion, the scammer directs the victim to make wire transfers (or other
unprotected method) from the credited account to return the ‘excess’ funds. Often, they will
ask for the total payment to be provided through a series of smaller ones or claim they did
not receive a previous transfer. In either case, the victim is out the amount of money they
‘returned’ when the pending credit is detected as fake and removed from their account.
How to avoid
Verify PayPal purchase history and details using the official app or going directly
to the website. Avoid clicking on any links in the email itself that claim to direct you to
PayPal, as they may send you to a lookalike website instead. Be wary of phone numbers in
unsolicited emails, as they may connect you with an impostor.
Research the suppliers’ address. Scammers use well-known sellers in fake invoices and
often fabricate business addresses or use a residential address in their place. A quick
internet search of that address can help determine if it is a physical location associated with
the product supplier. For example, some email screenshots victims provided to BBB showed
an Amazon supplier located at a Farland Avenue address in San Antonio, Texas. A quick
internet search will find no Amazon supplier at the address and, even more telling, no street
in San Antonio named Farland Avenue.
Check the email address the invoice is coming from. Look at the domain and name of
the email address that sent the invoice. Official communications should come from an email
account associated with the business rather than a personal or generic domain. Be wary of
immediately trusting an email that uses an official email address as the Name of the
account, as these can be fake. The full email address is often included in parentheses,
brackets, or delimiters after the name.
Never reimburse excess funds through another payment method. Common in fake
check scams and fraudulent employers, be wary of returning overpaid funds provided via
one payment method through another. Scammers often ask for immediate reimbursement
before your financial institution can verify a pending transaction. As much as possible, avoid
returning excess money through immediate and direct methods such as gift cards, wire
transfers, and unprotected mobile app transactions. Scammers know that these methods
are fast and challenging to reverse.
Double-check the URL and domains. Scammers often switch around domains and
subdomains to impersonate a business. For example, they may change PayPal.com to
info.PayPal.com, Pay.Pal.com, PayPal.Returns.com, or any other variation. Additionally, links
in an email may direct you to a completely different URL than the one highlighted. Use only
known and trusted methods to communicate with businesses, such as their official mobile
app or typing the website's URL directly into your internet browser.
For more information about how to spot and avoid impostors and other scams, visit
BBB.org/AvoidScams.
