For months now, scammers have been able to exploit the PayPal invoice system to "request money" or invoice potential victims via email.
These emails come from service@paypal.com and therefore look legitimate at first glance. If the particular email user has a PayPal account, they will also see the money deducted in their account and a button to view said request or invoice.
For more information regarding these types of scams, follow kitboga on YouTube or Twitter.
An example invoice email looks like this:
- Context links
- The "easy" way
- The regular expressions way
- The "how suspicious is this text" way
- The obfuscated way
- The Java Way
- The RUSTy way
- Want to help?
Don't allow your users to include phone numbers in the "message" of an invoice.
But if that somehow causes irreparable harm to your business, explore the other options below:
Credit: @codecat
([0-9]{3,}|call|contact|\+1)
Run test: $ python3 python/the_regex_way.py
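# various phrases to match against, and their "weight" of how bad they are.
sus_words = {
    'cancel': 1,
    'refund': 1,
    'help desk': 0.5,
    'authorized': 0.5,
    '24 hours': 0.25,
    'USD': 0.1
}

# read the sample invoices line by line
# (path assumes the repository root is the working directory)
with open('invoices.txt') as f:
    lines = f.read().splitlines()

for index, line in enumerate(lines):
    line_total_score = 0
    for word, score in sus_words.items():
        # case-insensitive substring match
        if word.lower() in line.lower():
            line_total_score += score
    # decide what to do if the score is too high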
Run test: $ python python/score_text.py
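An added example (not code from this repository) that combines the scoring table above with the "easy way" rule: it detects a phone number even when the digits are split by spaces, dots, dashes or parentheses, while ignoring amounts and invoice numbers that `[0-9]{3,}` would flag. `PHONE_WEIGHT`, `THRESHOLD`, the function names and the sample messages are assumptions constructed for illustration.

```python
import re

# Weights copied from the sus_words table above.
SUS_WORDS = {'cancel': 1, 'refund': 1, 'help desk': 0.5,
             'authorized': 0.5, '24 hours': 0.25, 'USD': 0.1}
# Assumptions, not from the page: phone-number weight and flagging cut-off.
PHONE_WEIGHT = 2.0
THRESHOLD = 2.0

# One digit, then 9-10 more digits, each optionally preceded by up to three
# separator characters (whitespace, dot, dash, parentheses).
PHONE_CANDIDATE = re.compile(r"\+?\d(?:[\s().-]{0,3}\d){9,10}")
# Constructed sample messages (555-01xx numbers are reserved for fiction).
SAMPLES = [
    "If you did not authorize this charge, call +1 (808) 555-0134 "
    "within 24 hours to cancel and get a refund.",
    "Payment for website design, invoice 2022-1187, 499.99 USD",
]


def find_phone_numbers(text):
    """Return 10-digit strings that look like North American phone numbers."""
    found = []
    for match in PHONE_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if len(digits) == 11 and digits.startswith("1"):
            digits = digits[1:]  # drop the +1 country code
        # NANP: area code and exchange code both start with 2-9.
        if len(digits) == 10 and digits[0] in "23456789" and digits[3] in "23456789":
            found.append(digits)
    return found


def score_message(text):
    """Keyword score from the table plus a fixed weight for a phone number."""
    lowered = text.lower()
    score = sum(w for word, w in SUS_WORDS.items() if word.lower() in lowered)
    if find_phone_numbers(text):
        score += PHONE_WEIGHT
    return round(score, 2)


def is_suspicious(text):
    return score_message(text) >= THRESHOLD


if __name__ == "__main__":
    for message in SAMPLES:
        print(score_message(message), is_suspicious(message), message[:40])
```
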
Credit: @codecat
char l[512];int c(char f[]){int i=0,m=0,c;while(c=tolower(l[i++])){char
e=tolower(f[m]);if(!e)return 1;else if(c==e){if(f[m+++1]=='\0')return 1
;}else m=0;}return 0;}int main(){int s=0,t=0;FILE*fh=fopen("../invoice"
"s.txt","rb");while(fgets(l,512,fh))++t&&(c("suspicious")||c("unauthor"
"ized")||c("+1")||c("geek squad")||c(" call"))&&s++;printf("%d / %d\n",
s,t);}
Credit: @Nomnivore
import("fs").then((fs) => fs.readFileSync("./invoices.txt").toString().trim().split("\n").forEach((l, n) => l.search(/([0-9]{3,}|call|contact|\+1)/) >= 0 ? console.log(`line ${n} is likely a scam`) : console.log(`line ${n} is likely not a scam`)))
Credit: @datatags
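import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.regex.Pattern;

// Class name is a placeholder; the snippet on the page starts at the field below.
public class InvoiceScan {
    // "\\+1" in a Java string is the regex \+1, i.e. a literal "+1".
    private static final Pattern PATTERN = Pattern.compile("[0-9]{3,}|call|contact|\\+1");

    public static void main(String[] args) {
        // Print every line of invoices.txt that matches the pattern.
        try (BufferedReader reader = new BufferedReader(new FileReader("invoices.txt"))) {
            reader.lines().forEach(line -> {
                if (PATTERN.matcher(line).find()) {
                    System.out.println("ඞ sus thing found: " + line);
                }
            });
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}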
Credit: @jasonverbeek
// Result, ErrorType and SUSSY_WUSSY are defined outside this excerpt.
fn rate_lines() -> Result<()> {
    let file = File::open("../../invoices.txt")
        .or_else(|_| ErrorType::IOError.as_error("Could not open invoices.txt"))?;
    let lines = std::io::BufReader::new(file).lines();
    for (i, line) in lines.enumerate() {
        let mut score = 0;
        if let Ok(line_str) = line {
            // One point for every listed phrase found in the line (case-insensitive).
            for sussy in SUSSY_WUSSY {
                if line_str.to_lowercase().contains(sussy) {
                    score += 1;
                }
            }
        }
        println!("line {} has a sussy wussy score of {}", i, score);
    }
    Ok(())
}
There are currently (12/22/22) 12 sample invoices in text form in invoices.txt.
If you have some code that could solve this task, please let me know and I will try to keep this up to date.