Beware PayPal users: a genuine-looking email from @paypal.com domain might actually be a scam

It seems like there’s a scary new PayPal scam doing the rounds and it might just be good enough to fool just about anyone. It involves using real emails from PayPal’s own email address, [email protected], to trick unsuspecting people. These messages look so convincing that they’re slipping right past spam filters and tricking even cautious folks. Here’s what’s happening and how you can stay safe.

The emails tell users that a new address has been added to their account and even include a fake purchase confirmation for a pricey item like a MacBook M4. The goal is to scare recipients into calling a phone number that leads to a scammer and ultimately gives them remote access to the victim’s computer. Here’s a screenshot shared on Reddit of the email:

However, users who have received this email say no changes were made to their PayPal accounts. In some cases, the email was sent to an address that does not even belong to a PayPal account.

Lawrence Abrams from BleepingComputer explained how the scammers took advantage of PayPal’s “new address” feature. In that address field, they sneak in a fake purchase confirmation. When PayPal sends out its usual email to confirm the new address, that fake message tags along.

To make it worse, the scammers use a trick with email forwarding. They set up a mailing list through Microsoft 365 and have the PayPal email sent there. Then, that list blasts the email out to tons of people, including you, even if it’s not your account. Since it’s a real PayPal email, it sails through security checks without a hitch.

The danger kicks in when you call that phone number. You’ll hear a recording pretending to be PayPal support, and soon, someone picks up. They’ll tell you your account’s been hacked and urge you to download software to fix it. That software, something like AnyDesk, lets them take over your computer. Once they’re in, they can grab your money, plant malware, or steal personal info.

This mess happens because PayPal lets people put long messages in the address fields. If they capped it at, say, 50 characters, scammers couldn’t sneak in these fake notes. Until PayPal fixes that, you’ve got to be on guard.

In December last year, we also highlighted a similar scam, however, it involved a text message targeting iPhone users. It too relied on scaring users into calling a number because the text said the person was charged over a hundred dollars for an item. So trust your gut — if something feels fishy, double-check it the safe way.