An Indiana mom's experience provides a lesson on how to protect yourself from scam emails
CHICAGO (CBS) -- "No obvious red flags."
That's the assessment by Governors State University fraud expert Bill Kresse (also known as Professor Fraud) of scam emails sent to a Northwest Indiana mom.
Nothing was misspelled.
Nothing looked out of sorts, until she called for help.
Morning Insider Lauren Victory shares more about the surprising trick that could hit your inbox, next.
"We're scared to do anything," Alissa Serrano said. She and her fiancé haven't touched their computer in days.
Earlier this week, a message with the PayPal logo popped up in Serrano's inbox. The email didn't have any misspellings or any goofy characters in the sender's email address. It appeared to be an invoice for $600.
"I'm confused because I don't use PayPal. I was like, 'OK.' Instead of clicking the 'Pay Now/View' (a feature on the email), I called the number," said Serrano referring to the number listed at the bottom of the email to "cancel and claim a refund."
She called it and stayed on the phone for almost an hour.
"He's like, 'Can we do it from a computer? And then I can share you these forms that you can fill out, stop the transaction and get a refund,'" Serrano said. The Northwest Indiana mom told CBS2 that she had no reason to suspect it wasn't PayPal billing on the line because her inbox is filled with messages coming from the same email address: service@paypal.com.
"He was rushing me to fill out the forms," said Serrano who said she started to realize something was amiss. "All of sudden, the screen went black and I'm like, 'Hello? Hello?' And on his end, the phone disconnected."
By then, the scammer had downloaded something to her computer that froze it. She can't open any applications.
Serrano noticed the number from the email was different from the one listed in her PayPal app.
"'Ma'am, I have no record of who you talked to,'" Serrano said a real customer service representative from PayPal told her, advising Serrano to call the police.
PayPal's website offers this tip: "Use caution if you get an unexpected payment notification via email. Always verify every payment notification by logging in to your PayPal account."
"Nobody would know that," Serrano said. "Who would think call this number, it's our billing department (but) it's a scam? Like, you don't think of these type of things."
Fake invoices from service@paypal.com keep coming. Serrano hasn't lost any money yet but is worried about her personal info.
"I'm just a sitting duck," she said, feeling like the only power she has is to warn other not to fall for this trick.
Serrano acknowledged she should not have given access to her computer but we still have questions about what led her to that point.
A PayPal spokesperson could not tell CBS2 how the scammer was able to impersonate PayPal.
She shared the following official statement from PayPal:
"We have a zero tolerance policy on our platform for fraudulent activity, and our teams work tirelessly to protect customers and shut down anyone attempting to defraud well-intentioned individuals or who are found to violate our policies. Nonetheless, we also encourage customers to always be vigilant online and to contact Customer Service directly if they suspect they are a target of a scam or have an unauthorized transaction."
Professor Fraud who independently analyzed the situation for CBS2 offers this advice to the public: "No matter how credible alerts / notifications look, you should check out any link, email address or telephone number before responding. The best way is to not use the link, email address or telephone number contained in the email, but go directly to the company's bona fide, actual website and contact the company at their helpline that is listed there. Better yet if the company has an app (such as PayPal does), go through the app to contact the company and verify the legitimacy of the email that you received."
