Attackers are using a PayPal billing feature to deliver convincing emails that appear to confirm large purchases.
Security researchers reported a phishing campaign that exploits PayPal’s subscription notification system to send legitimate PayPal emails containing fake purchase messages. According to BleepingComputer, the emails are sent from PayPal’s official service@paypal.com address and warn recipients that an automatic payment was cancelled. The message includes manipulated text inside the customer service URL field that claims a costly device purchase was processed and urges recipients to call a phone number to dispute the charge.
The scam works because the emails are generated by PayPal’s own infrastructure and pass standard authentication checks, including SPF, DKIM, and DMARC. Investigators were able to reproduce the message format by creating and pausing a PayPal subscription, which triggers an automatic notification to the subscriber. The customer service URL field appears to be abused to insert non-URL text, including fake transaction amounts and phone numbers, possibly through an API or legacy interface that allows invalid metadata. In many cases, the messages are forwarded through mailing list-style email accounts, which helps distribute the scam to multiple recipients who never signed up for the subscription.
PayPal confirmed that its systems were used to send the emails, but stated that customer accounts were not compromised. The company said it does not tolerate fraudulent activity and is actively mitigating the method used to inject misleading text into subscription notifications. PayPal advised users to avoid calling phone numbers listed in unexpected emails and to verify account activity by logging in directly through the PayPal app or official website. The company reiterated that it does not request sensitive information through unsolicited messages.
Campaigns like this expose a growing blind spot in email security. When phishing messages are delivered through legitimate platforms like PayPal, traditional defenses fail because the emails pass every technical check. The sender is real. The infrastructure is trusted. Nothing looks “malicious” on the surface.
That is exactly why phishing remains the most common entry point for fraud. Attackers no longer need fake domains or broken grammar. They manipulate trusted notification systems and rely on human reaction instead. Paubox’s inbound email security is designed for this shift. Rather than relying on reputation or signature-based filtering, it assesses message intent, context, and social engineering signals. That allows it to flag emails that appear legitimate at the infrastructure level but don’t make sense in context, such as unexpected billing alerts designed to provoke panic or push recipients into calling a fraudulent support number.
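The two points above (a notification that passes SPF, DKIM and DMARC while its merchant-supplied URL field carries non-URL text, and a filter that judges context rather than sender reputation) can be combined into a simple triage check. The code below is an added illustration, not Paubox's or PayPal's code: the sample message, the "Customer service URL:" field label and the indicator patterns are constructed assumptions.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample modelled on the campaign described above (not a real PayPal message).
SAMPLE_EMAIL = """\
From: service@paypal.com
To: victim@example.org
Subject: Your automatic payment has been cancelled
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Content-Type: text/plain

Your automatic payment has been cancelled.
Customer service URL: A $1,149.00 charge for a laptop has been processed. Call 1-800-555-0199 to dispute.
"""

PHONE_RE = re.compile(r"(\+?1[-. ]?)?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}")
AMOUNT_RE = re.compile(r"[$\u20ac\u00a3]\s?\d[\d,]*(\.\d{2})?")
URL_RE = re.compile(r"^https?://\S+$")
# Assumed label of the merchant-supplied field inside the notification body.
FIELD_RE = re.compile(r"^Customer service URL:\s*(.*)$", re.MULTILINE)

def auth_passes(msg: Message) -> bool:
    """True when SPF, DKIM and DMARC all report 'pass' in Authentication-Results."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(f"{mech}=pass" in results for mech in ("spf", "dkim", "dmarc"))

def field_findings(body: str) -> list[str]:
    """Flag a URL field whose value is not a URL and carries scam indicators."""
    match = FIELD_RE.search(body)
    if not match:
        return []
    value = match.group(1).strip()
    if URL_RE.match(value):
        return []  # a real URL: nothing to flag in this field
    findings = ["non-url-text"]
    for name, pattern in (("phone-number", PHONE_RE), ("currency-amount", AMOUNT_RE),
                          ("call-to-action", re.compile(r"\b(call|dispute)\b", re.I))):
        if pattern.search(value):
            findings.append(name)
    return findings

def classify(raw: str) -> dict:
    """Authentication passing does not clear a message; the field content decides."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # constructed sample is single-part text
    findings = field_findings(body)
    return {"auth_pass": auth_passes(msg), "findings": findings,
            "verdict": "suspicious" if findings else "clean"}
```

Note that `auth_pass` is True for the sample, which is exactly the condition under which reputation-only filtering would accept it.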
They are generated and sent by PayPal’s real email systems, which makes them pass authentication checks and appear trustworthy to recipients.
No. The messages are sent through abused subscription workflows, not through compromised user accounts.
They should ignore the message, avoid calling any listed phone numbers, and log in directly to PayPal to confirm that no charges occurred.
Phone-based scams enable attackers to pressure victims into sharing information or installing software without relying on web-based phishing pages.
They can verify transactions only through official apps or bookmarked sites, be cautious of unexpected billing notices, and remember that legitimate companies do not demand immediate action by phone.