HACKER Q&A
cromka

PayPal allows issuing invoices that allow for near-perfect phishing. Why?

I received a legitimate e-mail from PayPal with an invoice estimate for "buying Binance Coin (BNB)" from "johstonnathans80@gmail.com"

The invoice comes with a "Note from Zachary Bos: purchase of Binance Coin (BNB) $789.97 was approved. If you have not done this and need the Refund, Call us immediately at +1 (877) 462-0959"

The e-mail is legitimate, so I logged into PayPal and I see that the invoice is actually so well formatted that it manages to inject that fake contact number almost perfectly (see the screenshot attached). Nothing else makes sense, but I can imagine many will actually call this number under the impression that it is a legitimate PayPal number. I actually called them, got a long-distance DTMF signal for a few secs, someone with a South Asian accent responded, I hung up immediately. They called from another number, same person, pretending they were PayPal. I immediately jumped into the "no you're not, you m***cker" rhetoric, and they responded back in their own language, presumably with their own slurs.

How is it possible that a company this big can let something like this slip through? Allowing users to format the invoice and add a fake contact number must be to the anti-phishing team what allowing SQL injection is to the backend team?

EDIT: I also realized that this is a UI failure, as the note is prepended with an ambiguous "Note to customer:", instead of e.g. "Note from the invoice issuer:".
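As an added example (not code from the post, and not anything PayPal runs), here is a small heuristic a mail-security or fraud team could apply to the free-text note of an incoming invoice to flag the pattern described above: a callback phone number combined with refund/urgency wording, weighted further when an amount is quoted and when the issuer uses a free-mail domain. The sample notes, phone numbers and issuer addresses are constructed, and the phrase list and threshold are assumptions to tune.

```python
import re

# Constructed sample notes (not real invoices); the first mirrors the scam
# pattern from the post, the other two are benign merchant notes.
SAMPLE_NOTES = {
    "scam": "purchase of Binance Coin (BNB) $789.97 was approved. If you have not "
            "done this and need the Refund, Call us immediately at +1 (555) 010-0199",
    "shop": "Thanks for your order! Questions? Call our shop at (415) 555-0132.",
    "freelance": "Web design services, 10 hours at $95/hr. Net 30.",
}

PHONE_RE = re.compile(r"\+?\(?\d[\d\s().-]{8,}\d")      # loose run of phone-ish chars
AMOUNT_RE = re.compile(r"\$\s*\d[\d,]*(?:\.\s*\d{2})?")  # "$789.97", "$ 789. 97"
URGENCY_PHRASES = ("call us", "immediately", "refund", "if you have not",
                   "did not authorize", "unauthorized")   # assumed starter list
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def extract_phone_numbers(text: str) -> list[str]:
    """Return phone-number-looking runs holding 10 to 15 digits (E.164 range)."""
    found = []
    for m in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 10 <= len(digits) <= 15:  # filters out prices, dates and quantities
            found.append(m.group().strip())
    return found


def score_invoice_note(note: str, issuer_email: str = "") -> dict:
    """Score an invoice note for the 'call this number for a refund' lure."""
    lowered = note.lower()
    phones = extract_phone_numbers(note)
    urgency = [p for p in URGENCY_PHRASES if p in lowered]
    mentions_amount = AMOUNT_RE.search(note) is not None
    issuer_domain = issuer_email.rsplit("@", 1)[-1].lower() if "@" in issuer_email else ""

    score = 0
    if phones:
        score += 2          # a callback number inside a note is the key ingredient
    score += len(urgency)   # each pressure phrase adds weight
    if phones and mentions_amount:
        score += 1          # "$X was charged, call us" is the refund-scam framing
    if phones and issuer_domain in FREEMAIL_DOMAINS:
        score += 1          # a free-mail issuer asking to be phoned is unusual for a merchant

    return {"phones": phones, "urgency": urgency, "mentions_amount": mentions_amount,
            "issuer_domain": issuer_domain, "score": score, "suspicious": score >= 4}
```

A note that merely lists a shop's phone number scores below the threshold; the combination of number, amount and pressure wording is what trips it.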