Thank GOD I'm a fresh major in my college's BAS cybersecurity program.

Without that in-taught instinct I might have fallen for it.

God bless institutions of education, at least when they do their job.

It's no wonder there is phishing coming from fake PayPal accounts. The measures they take to authenticate users have holes you could drive a truck through. And they don't CARE about fixing them. All they care about is having more accounts. Messages to their supposed security reporting emails just trigger a canned autoresponse, and never any effective or even human response.

Supposedly you can't open a PayPal account without providing an email address, and then prove you can receive messages sent to it. When you register a new account, they send a verification message to your registered email address. You're supposed to have to click a unique link inside that message to prove you have access to the address you provided. But if you don't respond, instead of shutting down the account, they just send repeated pleas to activate. And enticements of the amazing benefits of completing your registration. For days and weeks.

If you confirm the email address, you're next supposed to similarly supply a mobile number and prove receipt of calls, texts, or such there. Without these validations you're account is supposed to never become active.

In reality it seems PayPal NEVER shuts down an account that fails to pass its verification screens.

Over a year ago, an email domain I control started receiving PayPal verification messages in its catch-all mailbox. They are addressed to various random addresses at my domain. Over time, quite a few of them. As though someone is gradually testing their technique. For the life of me I still can't figure out how anyone gains from these.

At first I ignored the verification requests as spam. But eventually I started checking SMTP headers on the messages. They really are legitimately from PayPal, and not spoofed. Though at various levels some of them do originate from potentially dodgy email marketing partners of PayPal instead of direct from PayPal.

So I phoned PayPal's support and asked them if these accounts really existed. After multiple calls and attempts to escalate to someone who could understand the situation, eventually I got to someone in security with half a brain. Only half. They did confirm these are real accounts. One of the earliest EVEN HAD A BANK ACCOUNT linked to it!

When I asked how an unverified account could get so far in the initiation process, they just obfuscated. They claim that even with a linked bank account, they will not permit it the PayPal account to receive funds or to make payments. When I asked how I could trust that is true they had no good answer.

Because this is my email domain I'm reasonably confident nobody but me is able to access those mailboxes and receive or respond to the validation messages. This seems to be confirmed because PayPal claims none of the accounts I've checked on are in fully activated status. Though some clearly got farther through the activation process than PayPal would have me believe they can.

Ultimately the only way to shut down these accounts is if I spend hours on the phone across days of multiple calls to get properly escalated to someone with actual power. And then demand each one individually be shut down.

How did the criminals send the emails from one of PayPal's IP addresses? Presumably PayPal's own mail server added the DKIM signature.

To me, this is the most important question and it seems to have been glossed over in the article.