News

PayPal email scam: How it worked before the fix

  • securityboulevard.com
  • published date: 2026-01-08 00:00:00 UTC

<div data-elementor-type="wp-post" data-elementor-id="42115" class="elementor elementor-42115" data-elementor-post-type="post"> <div class="elementor-element elementor-element-063dbcb e-flex e-con-boxed e-con e-parent" data-id="063dbcb" data-element_type="container" data-settings='{"background_background":"classic"}'> <div class="e-con-inner"> <div class="elementor-element elementor-element-9b963cd elementor-widget__width-inherit elementor-widget elementor-widget-heading" data-id="9b963cd" data-element_type="widget" data-widget_type="heading.default"> <p class="elementor-heading-title elementor-size-default">Blog article</p> </div> <div class="elementor-element elementor-element-41550d0 elementor-widget elementor-widget-text-editor" data-id="41550d0" data-element_type="widget" data-widget_type="text-editor.default"> <h1 id="paypal-email-scam-how-the-subscriptions-loophole-worked">PayPal email scam: How the subscriptions loophole worked</h1> </div> <div class="elementor-element elementor-element-e3b237e elementor-widget elementor-widget-image" data-id="e3b237e" data-element_type="widget" data-widget_type="image.default"> <img fetchpriority="high" decoding="async" width="800" height="470" src="https://sendmarc.com/wp-content/uploads/Paypal-email-scam-Blog-Inline-Image-1-1024x601.jpg" class="attachment-large size-large wp-image-42124" alt="Paypal email scam - Blog Inline Image" title="PayPal email scam: How it worked before the fix 2"> </div> <div class="elementor-element elementor-element-4a745f3 elementor-widget elementor-widget-text-editor" data-id="4a745f3" data-element_type="widget" data-widget_type="text-editor.default"> <p>In December 2025, a new PayPal email scam stood out for one reason: The messages didn’t just look authentic – they were genuinely sent from PayPal’s infrastructure and arrived from service@paypal.com.</p> <p>That made this 
campaign far more convincing than the usual lookalike-domain phishing attempts. Instead of spoofing PayPal’s domain, scammers abused PayPal subscriptions to trigger legitimate notification emails, then used those messages to display fake “purchase” details and a phone number designed to lure recipients into a callback scam.</p> <p>Attackers don’t always need to spoof a sender to get clicks or calls – they can also abuse trusted services to deliver convincing messages. But spoofing remains a major risk for companies: If your domain can be faked, scammers can impersonate your brand and reach inboxes at scale.</p> <p>To make that harder, you need strong email authentication: Sender Policy Framework (<a href="https://sendmarc.com/spf/">SPF</a>), DomainKeys Identified Mail (<a href="https://sendmarc.com/dkim/">DKIM</a>), and Domain-based Message Authentication, Reporting, and Conformance (<a href="https://sendmarc.com/dmarc/">DMARC</a>).</p> <p><strong>Book a demo to see how Sendmarc helps you enforce DMARC safely, monitor SPF and DKIM alignment, and spot spoofing and misconfigurations before they become incidents.</strong></p> </div> <div class="elementor-element elementor-element-312a140 elementor-widget elementor-widget-text-editor" data-id="312a140" data-element_type="widget" data-widget_type="text-editor.default"> <h2 
id="how-the-paypal-email-scam-worksthis-paypal-email-scam-started-with-a-legitimate-paypal-process-that-was-twisted-into-a-fraudulent-notification-bleepingcomputer-reported-that-scammers-used-paypal">How the PayPal email scam works</h2> <p>This PayPal email scam started with a legitimate PayPal process that was twisted into a fraudulent notification.</p> <p>BleepingComputer reported that scammers used PayPal’s “Subscriptions” billing feature to create a subscription and then pause it. That pause triggers PayPal’s real notification email: “Your automatic payment is no longer active.”</p> <p>Inside the email, the attackers abused the “Customer service URL” field. Instead of a clean support link, the field displayed text that looked like a URL, followed by a fake purchase confirmation and a phone number to “cancel” the payment. Attackers also used a fake subscriber account (likely a Google Workspace mailing list) to automatically forward incoming messages to group members.</p> <p>BleepingComputer’s example included a fake high-value charge and an unsolicited support number. The message also used Unicode characters to make parts of the text appear bold or visually unusual, which can help it dodge spam filters and keyword-based detection.</p> <p>The goal wasn’t to steal your PayPal password in a browser. It was to get a person to call, panic, and follow instructions that lead to remote access, malware, or financial fraud.</p> <h2>What to do if you receive a suspicious PayPal email</h2> <p>Similar scams keep resurfacing in new forms. 
The safest approach is to treat any unexpected “purchase” or “urgent action” email as untrusted until you verify it through official channels.</p> <h3><strong>Here is what to do:</strong></h3> <ul class="cross"> <li>Do not call phone numbers in the email, and don’t click through unexpected links.</li> </ul> <ul class="check"> <li>Log in to PayPal directly (type the address or use the app) and check your recent activity.</li> <li>If the message looks suspicious, forward it to phishing@paypal.com and delete it.</li> </ul> <p>If you manage an organization, alert your help desk so other employees don’t follow the callback instructions.</p> <h3><strong>Safe verification checklist</strong></h3> <table> <tbody> <tr> <td width="349"><strong>Verify this</strong></td> <td width="349"><strong>Safe action</strong></td> </tr> <tr> <td width="349">Was there actually a transaction?</td> <td width="349">Check in the PayPal app/site (not the email)</td> </tr> <tr> <td width="349">Does the email push you to call?</td> <td width="349">Ignore the number and use official support paths</td> </tr> <tr> <td width="349">Is the message unexpected or urgent?</td> <td width="349">Treat it as suspicious until verified</td> </tr> </tbody> </table></div> <div class="elementor-element elementor-element-ed9b51e elementor-widget elementor-widget-text-editor" data-id="ed9b51e" data-element_type="widget" data-widget_type="text-editor.default"> <h2 id="paypals-response-loophole-closed-in-december-2025paypal-told-bleepingcomputer-it-was-actively-mitigating-the-matter-sayingwe-are-actively-mitigating-this-matter-and-encourage-peo">PayPal’s response: Loophole closed in December 2025</h2> <p>PayPal told BleepingComputer it was <a class="external" href="https://www.bleepingcomputer.com/news/security/beware-paypal-subscriptions-abused-to-send-fake-purchase-emails/" rel="noopener">actively 
mitigating the matter</a>, saying,</p> <blockquote> <p>“We are actively mitigating this matter, and encourage people to always be vigilant online and mindful of unexpected messages.</p> <p>If customers suspect they are a target of a scam, we recommend they contact Customer Support directly through the PayPal app or our Contact page for assistance.”</p> </blockquote> <p>After BleepingComputer’s investigation, it was reported that PayPal closed the loophole that allowed scammers to send legitimate emails from service@paypal.com containing fake purchase notifications.</p> <p>Even with a fix in place, this is a useful reminder for security teams: Attackers will keep looking for ways to exploit trusted channels and human urgency. That is why businesses can’t rely on brand recognition alone. You also need to ensure your own domain can’t be impersonated.</p> <h2>Make it harder to spoof your company with DMARC</h2> <p>DMARC tells mailbox providers what to do when an email claims to come from your domain, but fails authentication checks.</p> <p><strong>When DMARC is properly implemented and enforced:</strong></p> <ul class="check"> <li>Spoofed emails that pretend to be from your organization are far more likely to be <a href="https://sendmarc.com/dmarc/policy/">quarantined or rejected</a>.</li> <li>You get reporting that shows which systems are sending as your domain and where authentication fails.</li> <li>You reduce the chance of your domain being used in impersonation attempts and protect your brand reputation.</li> </ul> <p>A practical path is to get SPF and DKIM working reliably across all legitimate senders, then move DMARC from monitoring to enforcement – aiming for <em>p=reject</em> once you’ve validated your sending sources.</p> <p>Sendmarc helps you do that without guesswork by mapping your real sending landscape, flagging misalignment and unknown 
senders early, and supporting safe progression to enforcement.</p> <p><strong>Book a demo to see how DMARC enforcement, monitoring, and real-time alerts can make your business significantly harder to spoof.</strong></p> </div> </div> </div> </div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://sendmarc.com">Sendmarc</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Kiara Saloojee">Kiara Saloojee</a>. Read the original post at: <a href="https://sendmarc.com/blog/paypal-email-scam/">https://sendmarc.com/blog/paypal-email-scam/</a> </p>
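<p>Added example, not part of the original post and not PayPal's code: a Python sketch of why the Unicode styling described under "How the PayPal email scam works" slips past plain keyword matching, and how NFKC folding plus a strict check on a field meant to hold one URL catches it. The keyword list, function names, and sample value (fictional amount and phone number) are constructed for illustration.</p>

```python
import re
import unicodedata

URL_ONLY = re.compile(r"https?://[^\s<>\"']+")
PHONE = re.compile(r"(?<!\d)\+?\d[\d\s().\-]{8,18}\d(?!\d)")
LURE_TERMS = ("purchase", "cancel", "refund")  # constructed keyword list

def fold(text):
    """NFKC maps styled code points (e.g. Mathematical Bold) to plain letters."""
    return unicodedata.normalize("NFKC", text)

def styled_count(text):
    """Count non-ASCII characters that NFKC folds to an ASCII letter or digit."""
    return sum(1 for ch in text
               if not ch.isascii() and fold(ch).isascii() and fold(ch).isalnum())

def phone_numbers(text):
    """Digit strings of phone-like runs (10 to 15 digits) found after folding."""
    digits = (re.sub(r"\D", "", m) for m in PHONE.findall(fold(text)))
    return [d for d in digits if 10 <= len(d) <= 15]

def keyword_hits(text, normalize):
    """Keyword match on the raw text or, if normalize is set, on the folded text."""
    haystack = (fold(text) if normalize else text).lower()
    return [t for t in LURE_TERMS if t in haystack]

def review_url_field(value):
    """Reasons to reject a value submitted for a field meant to hold one URL."""
    reasons = []
    if not URL_ONLY.fullmatch(value.strip()):
        reasons.append("not_a_single_url")
    if styled_count(value):
        reasons.append("styled_unicode")
    if phone_numbers(value):
        reasons.append("phone_number")
    if keyword_hits(value, normalize=True):
        reasons.append("lure_keywords")
    return reasons

# Constructed sample: "purchase" and "cancel" are written in Mathematical Bold.
PURCHASE = "\U0001d429\U0001d42e\U0001d42b\U0001d41c\U0001d421\U0001d41a\U0001d42c\U0001d41e"
CANCEL = "\U0001d41c\U0001d41a\U0001d427\U0001d41c\U0001d41e\U0001d425"
SAMPLE = ("https://example.invalid/help Your " + PURCHASE +
          " of $899.00 was approved. To " + CANCEL + " call +1 (555) 010-0142")

if __name__ == "__main__":
    print("raw keyword hits:   ", keyword_hits(SAMPLE, normalize=False))
    print("folded keyword hits:", keyword_hits(SAMPLE, normalize=True))
    print("phone numbers:      ", phone_numbers(SAMPLE))
    print("field review:       ", review_url_field(SAMPLE))
    print("clean field review: ", review_url_field("https://example.invalid/help"))
```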
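<p>Added example, not Sendmarc's tooling: a small Python check that reads a DMARC TXT record and reports how far it is along the monitoring-to-enforcement path described under "Make it harder to spoof your company with DMARC". Tag names follow RFC 7489; the function names, stage labels, and example.com records are constructed.</p>

```python
ORDER = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt):
    """Split a DMARC TXT record (RFC 7489 'tag=value;' list) into a dict."""
    parts = txt.split(";")
    if parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    pairs = [p.partition("=") for p in parts if "=" in p]
    return {k.strip().lower(): v.strip() for k, _, v in pairs}

def assess(txt):
    """Return (stage, gaps) for a record; the stage labels are this example's own."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if policy not in ORDER:
        raise ValueError("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))      # pct defaults to 100
    sub = tags.get("sp", policy).lower()   # sp defaults to the value of p
    if policy == "none":
        stage = "monitoring"
    elif pct < 100:
        stage = "partial-" + policy
    else:
        stage = policy
    gaps = []
    if "rua" not in tags:
        gaps.append("no aggregate reports (rua)")
    if ORDER.get(sub, 0) < ORDER[policy]:
        gaps.append("subdomains weaker than p (sp=%s)" % sub)
    if stage != "reject":
        gaps.append("not yet at p=reject for all mail")
    return stage, gaps

# Constructed records showing the progression from monitoring to enforcement.
RECORDS = [
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=reject; sp=none",
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
]

if __name__ == "__main__":
    for record in RECORDS:
        print(record, "->", assess(record))
```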