Threat Research

PayPal’s Request Money feature can easily backfire

Michal Salát, 20 October 2020

Popular banking services simplify money requests for users and scammers alike

Our team recently came across an email that was reported to us by one of our board members as a potential spearphishing attempt. The email was purportedly sent from PayPal, and the purpose of the email was a request for the recipient to send money.

The email certainly looked suspicious, as in this case, it was totally unexpected. However, upon closer inspection, it proved to be a legitimate email from PayPal. This caught my interest, so I resurrected my archaic account to see where it might be coming from.

After some painstaking remembering of my old password, I was greeted by my account’s home page.

Near the top of the page, something immediately caught my eye: The simple ‘Request’ button. Clicking it led me to a guide informing me that I can send a payment request to up to 20 people at once. So, I gave it a shot. I asked my colleague to send me $500, but to make sure he won’t actually go through with it, I purposefully included a strange and suspicious message.

Once I had crafted my request, it was as simple as clicking the ‘Request a Payment’ button. My colleague would then receive my request in an email notification. 

In addition to being a user-friendly feature, what makes this functionality even more convenient (for better or worse) is the fact that request recipients don't need to be  PayPal users to pay for requests that they receive. All that is required of them is that they have a valid credit card and sufficient funds on it. In case a recipient is slow with the payment, I can send a friendly reminder with a single click of a button in the request overview. This will result in another automatically generated reminder being sent.


Importantly, PayPal is not the only one in this game. I recalled that in the past, I came across a similar feature in my Revolut app. So I went to check it, and bingo: You can request money from others there as well. This time, things are pretty similar, but with one significant difference  — Revolut will not send any message on your behalf. Instead, it will provide you with a link that you need to distribute yourself. This is a slightly better option, as social engineering of a potential victim is slightly harder because they wouldn’t encounter a trusted brand upfront.

During my short research, I discovered that Venmo also has a similar feature. I don’t have a Venmo account myself, but according to their FAQ, users do not need to have their identity verified to be able to request money up to $299. That might make it simpler for attackers to hide their true identities.

So why am I writing about this, you ask? 

PayPal, Revolut, Venmo and likely many others certainly created an interesting and easy-to-use feature to simplify users’ lives. But in doing so, they have also accidentally created a feature for attackers to confuse people into paying for stuff that they have no idea about. The message that I created for this experiment is obviously unconvincing, but a skilled social engineer could write an elaborate message that would raise alarm, for example, about taxes being due, unpaid bills, and so on.

How to stay secure while sending and requesting funds to others

The takeaway from this post is simple: Do not send money to anybody unless you are absolutely sure about the identity of the recipient and the reason that you have received the request in the first place. Any due payments can be verified with the appropriate party using another communication channel, such as your phone.