Skip to content

BBB Scam Alert: PayPal impostors steal thousands from Texas residents

Innovations in payment processes have introduced a wide range of opportunities for legitimate businesses to market their products and services to a broad audience. The convenience and ease of peer-to-peer (P2P) payment applications provide a direct, cost-effective method to receive funds from customers for businesses of any size. However, unlike traditional financial institutions such as a bank or credit union, P2P apps do not have a physical location its users can visit to talk directly with a representative, and the focus on digital interactions provide an opportunity for scammers to impersonate representatives to carry out a range of schemes. Recently, reports to BBB Scam Tracker from Texas residents have brought a new PayPal impostor tactic to light. Using a high-tech approach, some victims of this scam report losing over $80,000 under the assumption they are disputing an unauthorized charge.


How the scam works


Victims receive what appears to be a confirmation email from PayPal for an expensive product, typically over at least $1,000. The email closely mimics a legitimate PayPal confirmation, including the design, PayPal logo, order number, and shipping details from a supposed supplier. In multiple places in the email, bolded or red text emphasizes a call-back number to dispute the transaction. However, the phone number provided does not connect the victim with PayPal but with an impostor that begins to guide them through the next steps.


The impostor directs the victim to download and run a Reason ReFill Sound Bank File (RFL) to reverse the pending charge. RFL files (e.g. FileName.rfl) are commonly used within the music industry to compress and transfer samples, songs and patches. However, their use also extends to storing databases or running virtual prototypes and simulations. The general public’s unfamiliarity with the RFL file type assists the scammer by requiring the victim to rely more heavily on their guidance, such as ‘helping’ the victim to download a program that can read and open an RFL file as opposed to more widely-used file extensions such as Microsoft Word (e.g. FileName.docx) or Excel (e.g. FileName.xlsx).


After opening the file, the victim encounters a dashboard that appears to be designed to handle their reimbursement request. Following the impostor’s directions, they input the total cost of the transaction included in the invoice and their banking information. Although the dashboard appears to be legitimate, it is designed not to recognize decimal points and seems to credit the victim’s account with an excessive amount of money when submitted. For example, a $1,999.99 pending charge becomes a $199,999.00 account credit. Using fear or coercion, the scammer directs the victim to make wire transfers (or other unprotected method) from the credited account to return the ‘excess’ funds. Often, they will ask for the total payment to be provided through a series of smaller ones or claim they did not receive a previous transfer. In either case, the victim is out the amount of money they ‘returned’ when the pending credit is detected as fake and removed from their account.


How to avoid


Verify PayPal purchase history and details using the official app or going directly to the website. Avoid clicking on any links in the email itself that claim to direct you to PayPal, as they may send you to a lookalike website instead. Be wary of phone numbers in an unsolicited email, as they may connect you with an impostor.


Research the supplier’s address. Scammers use well-known sellers in fake invoices and often fabricate business addresses or use a residential address in their place. A quick internet search of that address can help determine if it is a physical location associated with the product supplier. For example, some email screenshots victims provided to BBB showed an Amazon supplier located at a Farland Avenue address in San Antonio, Texas. A quick internet search will find no Amazon supplier at the address and, even more telling, no street in San Antonio named Farland Avenue.


Check the email address the invoice is coming from. Look at the domain and name of the email address that sent the invoice. Official communications should come from an email account associated with the business rather than a personal or generic domain. Be wary of immediately trusting an email that uses an official email address as the ‘Name’ of the account, as these can be fake. The full email address is often included in parentheses, brackets, or delimiters after the name. 


Never reimburse excess funds through another payment method. Common in fake check scams and fraudulent employers, be wary of returning overpaid funds provided via one payment method through another. Scammers often ask for immediate reimbursement before your financial institution can verify a pending transaction. As much as possible, avoid returning excess money through immediate and direct methods such as gift cards, wire transfers, and unprotected mobile app transactions. Scammers know that these methods are fast and challenging to reverse.  


Double-check the URL and domains. Scammers often switch around domains and subdomains to impersonate a business. For example, they may change to,,, or any other variation. Additionally, links in an email may direct you to a completely different URL than the one highlighted. Use only known and trusted methods to communicate with businesses, such as their official mobile app or typing the website’s URL directly into your internet browser.


For more information about how to spot and avoid impostors and other scams, visit