The email advised that a new address had been added. Just yesterday, I'd purchased $375 from AliExpress (China) using PayPal checkout, so a red flag dropped. It used a well-done copy of a PayPal format email, complete with graphics... but a few graphics did not render (red flag #2).
Here's the kicker; the return email address was to PayPal.
...But closer mouseover inspection showed another .edu address in the cc or bcc. Aha!!
I went directly to my account. It checked out. No changes had been made.
Satisfied that it was a phishing attempt, I decided to send a copy to the PayPal email address used. I immediately received an auto-reply which stated that the address was no longer in use. Aha #2!! The phishers were using a discontinued email address in order to get around the usual mouseover check.
I do not think the average user would have checked past the return address being to PayPal.
George Carlin — 'Think of how stupid the average person is, and realize half of them are stupider than that.'
They are getting quite sophisticated.
I think I mentioned that after a trip to the Bay Area I got a text about an unpaid toll. I assume they are running some sort of geofenced ad campaign that lets them grab phone numbers that pass near toll stations. I had never gotten one before, but got that one the day after crossing through a toll plaza.
In that case, I do sort of wonder... it seems like someone with mad skills like that could make more money in a legit business than as a grifter, but I guess the Carlin quote comes into play - there's a lot of money in scams.