
That PayPal 'Automatic Payment Status' Email Is a Scam

Another PayPal phishing scam is circulating, this time with email notifications about recurring or automatic payments. The messages originate from a legitimate PayPal address, allowing them to evade some security filters and leave recipients worried that their accounts have been compromised—perhaps just enough to ignore the obvious red flags and call or email scammers back.

I personally have been targeted by this scam with at least five separate emails, though all have gone straight to my spam folder. Here’s how scammers are exploiting PayPal settings to land in your inbox.

How the PayPal scam works

If you’re targeted by this campaign, you may receive an email with the subject line “Your automatic payment status has changed” or “Recurring Payment Reactivated.” The layout imitates a real PayPal notification and includes a message about a high-dollar payment being “successfully processed” along with a customer service email and phone number to contact PayPal support.

The email is full of red flags: It is addressed to a random name (or, in one of the messages I received, “Hello Update Invoice”), has poor spelling and wonky formatting, and simply doesn’t make sense. You can easily spot oddities like bold text and Unicode characters, which BleepingComputer notes is a trick used to bypass spam filters and keyword detection.

[Image: PayPal scam email. Credit: Emily Long]

Where the trick lies is in the sender field, as the email comes from service[at]paypal[dot]com, a legitimate PayPal address, and paypal.com is in the signed-by field. As Malwarebytes Labs describes, this is likely an abuse of PayPal’s subscription billing feature. If a merchant pauses a customer subscription, the user will receive an automatic email from PayPal notifying them that their payment is no longer active. Scammers are likely setting up fake subscriber accounts using Google Workspace mailing lists, so automatic emails being generated are sent to everyone on those lists. If you look at the “To:” field, you’ll see that the message isn’t actually addressed to your email.
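The checks described above can be scripted for mail triage. The following is an added example, not code from the article or from PayPal: it flags a message that authenticates as paypal.com yet was delivered to a mailbox missing from its To/Cc headers and contains Unicode-styled letters. It assumes your own mail server stamps `Authentication-Results` and `Delivered-To`; the function names and the sample message are constructed for illustration.

```python
import unicodedata
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample, not a real capture. Addresses and amount are placeholders.
BOLD = "".join(chr(0x1D5EE + ord(c) - ord("a")) for c in "payment")  # math bold letters
SAMPLE = (
    "Authentication-Results: mx.example.net; dkim=pass header.d=paypal.com\n"
    "Delivered-To: reader@example.net\n"
    "From: service@paypal.com\n"
    "To: billing-list@example.org\n"
    "Subject: Your automatic payment status has changed\n"
    "\n"
    "Hello Update Invoice, your " + BOLD + " of $899.00 was successfully processed.\n"
)

def styled_chars(text):
    """Count non-ASCII characters that NFKC folds to ASCII letters or digits."""
    count = 0
    for ch in text:
        if ord(ch) > 127:
            folded = unicodedata.normalize("NFKC", ch)
            if folded.isascii() and folded.isalnum():
                count += 1
    return count

def triage(raw):
    """Return the list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Only trust this header when it was added by your own receiving server.
    auth = msg.get("Authentication-Results", "").lower()
    if (sender.endswith("@paypal.com")
            and "dkim=pass" in auth and "header.d=paypal.com" in auth):
        findings.append("authentic-paypal-sender")
    # A mailing-list relay leaves the real mailbox out of To/Cc.
    delivered = parseaddr(msg.get("Delivered-To", ""))[1].lower()
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    listed = {addr.lower() for _, addr in getaddresses(headers)}
    if delivered and delivered not in listed:
        findings.append("recipient-not-in-to")
    # Styled look-alike letters hide keywords from plain-text filters.
    if styled_chars(msg.get_payload()) > 0:
        findings.append("unicode-styled-text")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A passing DKIM check on its own is not a verdict here, since the notification really is sent by PayPal; it is the combination with the other two findings that marks the message for review.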

Exploiting these types of loopholes to make phishing emails seem legit is a common tactic, and I’ve covered several similar PayPal phishing campaigns already this year. According to a statement provided to BleepingComputer, PayPal is working on mitigating this specific flaw.

Ignore PayPal payment notifications

If one of these PayPal messages lands in your inbox, don’t engage with it. Scammers frequently use emails, texts, and calls about account security and financial transactions to scare you into action, and the impersonation of trusted institutions is often pretty convincing.

If you are concerned about activity on your PayPal account, go directly to the app or website and log in to view alerts and check transactions. Do not use contact information or click any links in the original notification, as this increases the chances of compromising your information or downloading malware to your device.


ZaKi
