Fake-invoice campaign targets PayPal and Amazon users

Malwarebytes found a fake-invoice email campaign in mid-rollout using incomplete templates, placeholders and live callback numbers to get users to call scammers.

Malwarebytes found a set of fake-invoice emails that were being prepared and partly sent, impersonating PayPal, Amazon and Geek Squad. Some templates were incomplete and showed placeholder fields, while others included real phone numbers and were already reaching inboxes.

The emails present bogus receipts or renewal notices, written with urgent language, and urge recipients to call a provided number to cancel or dispute a charge. The tactic relies on social engineering over voice calls rather than on malicious links or attachments, so there is nothing for a mail filter to detonate or a URL scanner to flag.

Researchers recovered multiple templates that still contained merge-field placeholders such as #TFN#, #DATE#, #PRICE# and #EMAIL#. The presence of both unfinished templates and populated messages indicates the operation was in the staging phase and appeared to use a bulk-sending tool to fill those fields before launch. TFN in the templates is shorthand for a toll-free number used as the callback line.

The fraudulent invoices typically list charges in the few-hundred-dollar range. When victims call the supplied numbers, operators may ask them to install remote-access software, provide full card details to process a refund, or accept an “over-refund” and then return the difference by gift card or bank transfer. Malwarebytes traced the campaign to several domains and callback lines. Identified domains include invoicepdfin[.]xyz, invoicepdfus[.]xyz, invoicepdfusa[.]xyz, invoicerep[.]xyz, invoicestatement[.]xyz and invoicestm[.]xyz. Callback numbers include 804-392-2793 and 801-640-8589.
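A defender can turn the details above into a simple mail-triage check. The following Python script is an added example, not code from the Malwarebytes report: it scans a message for the merge-field placeholders left in the unfinished templates, for the domains and callback numbers the report lists, and for the generic "call this number to cancel or dispute" pattern the lure depends on. The three sample messages, the placeholder regex and the callback-lure heuristic are constructed for this illustration; only the domain and phone indicators come from the report.

```python
import re

# Indicators published in the Malwarebytes report, defanged with "[.]" as in the write-up.
REPORTED_DOMAINS = {
    "invoicepdfin[.]xyz", "invoicepdfus[.]xyz", "invoicepdfusa[.]xyz",
    "invoicerep[.]xyz", "invoicestatement[.]xyz", "invoicestm[.]xyz",
}
REPORTED_CALLBACK_NUMBERS = {"804-392-2793", "801-640-8589"}

# Merge-field placeholders of the kind left in the unfinished templates (#TFN#, #DATE#, #PRICE#, #EMAIL#).
PLACEHOLDER_RE = re.compile(r"#[A-Z][A-Z0-9_]*#")
# Domain names, including defanged "[.]" forms, so pasted IoCs and live mail both match.
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:(?:\.|\[\.\])[a-z0-9-]+)+)\b", re.I)
# North American phone numbers in common layouts; an optional leading "1" is discarded.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)")
# Wording the lure relies on: a charge the reader is told to phone about (heuristic, constructed here).
LURE_RE = re.compile(r"\b(cancel|dispute|refund)\b", re.I)


def refang(domain):
    """Turn a defanged 'example[.]xyz' into 'example.xyz' for comparison."""
    return domain.replace("[.]", ".").lower()


KNOWN_DOMAINS = {refang(d) for d in REPORTED_DOMAINS}


def scan_message(sender, subject, body):
    """Return the indicators found in one email plus a coarse verdict."""
    text = f"{sender}\n{subject}\n{body}"
    placeholders = sorted(set(PLACEHOLDER_RE.findall(text)))
    domains = {refang(d) for d in DOMAIN_RE.findall(text)}
    phones = {"-".join(m.groups()) for m in PHONE_RE.finditer(text)}
    result = {
        "placeholders": placeholders,
        "known_domains": sorted(domains & KNOWN_DOMAINS),
        "known_numbers": sorted(phones & REPORTED_CALLBACK_NUMBERS),
        # A phone number next to cancel/dispute/refund wording is the shape of this lure.
        "callback_lure": bool(phones) and LURE_RE.search(text) is not None,
    }
    if result["known_domains"] or result["known_numbers"]:
        result["verdict"] = "known_campaign"
    elif placeholders:
        result["verdict"] = "unfinished_template"
    elif result["callback_lure"]:
        result["verdict"] = "suspicious_callback_lure"
    else:
        result["verdict"] = "no_indicators"
    return result


# Constructed sample messages for demonstration; these are not the report's actual emails.
SAMPLES = {
    "populated": (
        "billing@invoicepdfus.xyz",
        "Your PayPal invoice INV-48213 has been paid",
        "A charge of $389.00 for an annual renewal was processed today.\n"
        "If you did not authorize this payment, call 804-392-2793 to cancel or dispute it.",
    ),
    "unfinished": (
        "#EMAIL#",
        "Amazon order confirmation #DATE#",
        "Thank you for your purchase. Amount: #PRICE#.\n"
        "To cancel this order, call our support desk at #TFN#.",
    ),
    "benign": (
        "receipts@example.com",
        "Your receipt",
        "Thanks for your order of $12.99. View details in your account on our website.",
    ),
}

if __name__ == "__main__":
    for name, message in SAMPLES.items():
        print(name, scan_message(*message))
```

The verdict order matters: a message that matches a published domain or number is reported as part of the known campaign even if it also looks unfinished, while a fully populated lure that uses a new domain and a new number still surfaces as `suspicious_callback_lure`, which is the case the static indicator lists will miss once the operators rotate infrastructure.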

Malwarebytes stated that simply receiving one of these emails does not create a technical risk. The risk begins when a person calls the number or follows instructions from someone on the call. If a user called and followed directions from a caller, recommended steps include running a full security scan, contacting the bank or card issuer immediately, changing critical passwords and enabling multi-factor authentication.

The company advised verifying unexpected charges by signing in directly to the account on the official website or by calling the number on the back of a bank card, rather than using contact details supplied in unsolicited emails. It also recommended reporting suspected phishing to the impersonated company’s abuse channel and to consumer protection authorities. The investigation provided evidence of a scam operation before full deployment, showing half-built templates and active messages in circulation.
