As a business, I'm often surprised at how many charges come through that surprise me. In a world of cheap apps, micro-subscriptions, and a plethora of payment methods, it's got to be quite lucrative to be an internet scammer these days.
My good friend, Adam, forwarded me an invoice scam this morning that he received for his Real Estate CRM. Unlike a spoofed phishing email, where the sender fakes their sending email address, this one was actually sent through PayPal invoicing – a legitimate sender.
Unless you have privacy set on your domains, anyone can do a WHOIS lookup and identify your email address and the expiration date of your domain registration. Using PayPal, they create an actual invoice and send it to you through PayPal's system. In this case, they even branded the invoice with GoDaddy – the registrar.
If you're a larger corporation, an invoice like this may very well pass through and get paid despite not coming from the actual domain registration service. When Adam clicked through, a Russian email address was set as the recipient. He reported it to PayPal and hopefully they're shut down, but this is still quite troubling since it's an actual invoice being sent by an actual service.
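Because the message really does come from PayPal, sender authentication passes and cannot be the deciding check; what matters is whether the payee matches the brand on the invoice. The following is an added example, not part of the original post: the sample message, the `Payee:` label, and the `VERIFIED_PAYEES` list are constructed assumptions, not PayPal's real invoice format.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: payee domains your accounts-payable team has verified, per brand.
VERIFIED_PAYEES = {"godaddy": {"godaddy.com"}}

# Constructed sample. The "Payee:" label and layout are hypothetical.
SAMPLE_INVOICE = """\
From: PayPal <service@paypal.com>
To: owner@example.com
Subject: GoDaddy invoice: domain renewal
Authentication-Results: mx.example.com; dkim=pass header.d=paypal.com

GoDaddy domain renewal for example.com
Amount due: 89.00 USD
Payee: renewals@collector.example
"""

def triage_invoice(raw: str) -> dict:
    """Decide whether an emailed invoice may go to payment."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    # A DKIM pass proves only that the payment platform delivered the mail.
    platform_sender = sender_domain == "paypal.com" and "dkim=pass" in auth

    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    brand = next((b for b in VERIFIED_PAYEES if b in text), None)

    match = re.search(r"^payee:\s*\S+@(\S+)\s*$", body, re.I | re.M)
    payee_domain = match.group(1).lower() if match else None

    # The verdict rests on who gets paid, not on who delivered the message.
    if brand is None:
        verdict = "review"   # no known brand claimed: a human decides
    elif payee_domain in VERIFIED_PAYEES[brand]:
        verdict = "ok"
    else:
        verdict = "hold"     # brand claimed, payee unverified or missing
    return {"platform_sender": platform_sender, "brand": brand,
            "payee_domain": payee_domain, "verdict": verdict}

if __name__ == "__main__":
    print(triage_invoice(SAMPLE_INVOICE))
```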
It seems there could be a great opportunity here for services like PayPal to create an agreement between buyer and seller that they actually know one another and have a trusted relationship… instead of PayPal simply allowing anyone to send anyone else an invoice.