Instead of calling victims and wasting time and precious resources, spammers are sending emails to large pools of recipients, urging victims to call the crook's number instead. This way, they reduce their effort to a minimum and ensure that they will only deal with people who are easily deceived and almost ready to get scammed. According to a Kaspersky report, the latest theme used by those actors is a phony order confirmation from a popular online marketplace like Amazon or a payment notice that supposedly originates from PayPal.
The message thanks the recipient for purchasing a typically expensive item like a gaming laptop or an Apple Watch, and it is made to appear legitimate - with full delivery addresses, names, order numbers, invoice details, shipping information, payment method confirmation, etc. If the recipient panics thinking their card or PayPal account was somehow charged by someone else or due to an error, they call the provided support line number.
This number is mentioned multiple times in the email, sometimes even highlighted, but it could also be placed somewhere at the bottom to make the message appear more realistic and not as pushy or suspicious. Unfortunately, this number won’t connect the caller with Amazon, or PayPal, or the seller of the purchased item, but with the scammers themselves.
Those who take this step and hoping to cancel the order and get their money back will be directed to visit a phishing page where they’ll enter their bank account credentials, credit card details, and other sensitive data. In some cases, they are directed to voluntarily download banking trojans on their computers or smartphones. The exploitation depends on what the actors wish to do at a particular time - so anything goes, really.
If you receive an email that makes bold claims of this kind, log in to your bank account or PayPal portal using a new tab (do not click on embedded buttons on the email body) and check if you have really been charged. Do not jump to action without thinking twice about what a random unsolicited email is claiming, and do not enter your bank account credentials anywhere else other than your bank’s official apps or website.