A cautionary tale for HN:
My mother's bank accounts were hacked earlier today. The attackers seem to be working from inside a PayPal call center.
The attack started when my mother received a legit email from PayPal. The email was a money request for $1,500 to "Gerald". My mother panicked and misinterpreted this email as if a payment were already issued, not just a request. So she called PayPal customer support to put a stop to it. This is where things get interesting.
My mother called the official PayPal customer support (as listed on paypal.com). She was connected to a female customer service rep with an Indian accent. After my mother gave the rep her PayPal info, the call quality deteriorated and the rep offered to call my mother back.
The rep called my mother back from a different phone number. The rep proceeded to tell my mother that there was indeed an unauthorized transaction on her PayPal account. The rep then suggested they examine her other bank accounts and ensure they were not compromised as well. The rep asked my mother to download a program to her computer so that she could view her desktop. You can see where this is going. My mother complied, because she assumed she was working with a trusted PayPal service rep.
To make a long story short, my mother ended up logging into multiple bank accounts while the attacker was observing her desktop. The account rep stayed on the line and told my mother to accept all two-factor requests that would soon be coming to her phone. The rep said this was all part of the standard security procedure between financial institutions and PayPal.
Only after the call ended did my mother realize how phishy it all was. She then called me, her computer-savvy son, to get a quick sanity check. I told her she was definitely hacked and we rushed to kill all the outgoing wire transactions that the attackers had initiated. We've changed passwords and are wiping her computer clean.
Here's the cautionary tale: don't let your aging loved ones be fooled by malicious customer service reps.
The scammers probably don't work inside a PayPal call center. They probably contact the victim after some delay, and unless you're certain that the person you spoke to on the official number was the same person who called you back, it's probably someone else.
The other possibility being that the number you thought was official wasn't right? At the time of writing, I'm seeing it as 888-221-1161 and you can probably verify it from the call history on her phone. But if the rep was the same one who scammed you, then it should be easy for PayPal to identify her since they record all of the calls. Of course, they probably won't volunteer her name, but if multiple people complain about being scammed by her, they'll at least investigate.