Cybercriminals have found a way to misuse PayPal’s subscription billing system to send compelling scam emails that appear to come directly from PayPal, tricking recipients into believing they have made expensive purchases they never authorized.
Over the past few months, users have reported receiving emails from PayPal with the subject line stating that their “automatic payment is no longer active,” a message PayPal normally sends when a subscription is paused. At first glance, the message looks routine. The real problem is what’s concealed within the email.
What is Happening?
In the scam messages, the “Customer service URL” field has been manipulated to display a fake purchase confirmation. The text claims that a costly item — such as a MacBook, iPhone, or Sony device — was purchased, often listing charges between $1,300 and $1,600.
A phone number is included, urging recipients to call “PayPal support” immediately to cancel or dispute the transaction. The text is also padded with special Unicode characters that alter fonts and spacing, which makes the message stand out and may help it slip past spam and keyword filters.
“http://[domain] [domain] A payment of $1346.99 has been successfully processed. For cancel and inquiries, Contact PayPal support at +1-805-500-6377,” reads the customer service URL in the scam email.
While the purchase notice looks alarming, the most deceptive part is the sender itself. What makes the scam particularly dangerous is that the emails are sent from PayPal’s legitimate address, “[email protected],” and pass all major email authentication checks, including SPF, DKIM, and DMARC.
Email headers confirm the messages originate from PayPal servers, allowing them to bypass security filters and appear fully trustworthy. This legitimacy has led many recipients to believe their accounts were compromised, prompting panic-driven calls to the listed phone number — where scammers attempt to steal banking details, capture login credentials, or trick victims into installing remote access software. While phone-based fraud is not new, using PayPal’s own systems to deliver these messages marks a troubling escalation.
Security researchers at BleepingComputer investigated the campaign and confirmed that the emails originate directly from PayPal’s infrastructure. By abusing PayPal’s Subscriptions feature, they were able to recreate the same email template. When a merchant pauses a subscription, PayPal automatically sends a notification email to the subscriber stating that their automatic payment has stopped.
Under normal circumstances, PayPal restricts the Customer Service URL field to valid web addresses. Attempts to insert plain text are rejected. This suggests attackers are either exploiting a flaw in how PayPal processes subscription metadata or using a legacy interface or API that allows invalid text to be inserted.
Email headers also reveal how the scam reaches people who never signed up for a subscription. The emails are first sent to an address controlled by the attacker — likely a Google Workspace mailing list — which then forwards the message to multiple victims.
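As an added defender-side example (not code from the article or from BleepingComputer's research), the following Python script checks an incoming notice for the three signals described above: non-URL text in the Customer Service URL field, Unicode padding, and delivery through a mailing list rather than directly to the subscriber. The sample message, its addresses and its phone number are constructed for this example.

```python
import re
import unicodedata
from email import message_from_string

# Constructed sample of the notice described above (addresses and phone number
# invented): text in the URL field, Unicode padding, relayed through a list.
SCAM_EMAIL = """\
From: PayPal <service@example.invalid>
To: relay-list@attacker.example
List-Id: <relay.attacker.example>
Subject: Your automatic payment is no longer active

Customer service URL: http://[domain] [domain] A payment of $1346.99 has been \
succes\u200bsfully processed. For cancel and inquiries, Contact \U0001D5E3ayPal \
support at +1-555-010-0199
"""

URL_FIELD = re.compile(r"^Customer service URL:\s*(.*)$", re.I | re.M)
PHONE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")

def url_field_is_clean(value):
    # PayPal normally accepts only a bare web address here: one token, no phone number.
    return re.fullmatch(r"https?://\S+", value) is not None and not PHONE.search(value)

def unusual_unicode(text):
    # Invisible format characters (zero-width space/joiner, category Cf) and
    # look-alike letters that NFKC folds back to ASCII, e.g. U+1D5E3 -> "P".
    return [f"U+{ord(c):04X}" for c in text
            if unicodedata.category(c) == "Cf"
            or unicodedata.normalize("NFKC", c) != c]

def relayed_via_list(msg, my_address):
    # A real subscription notice is addressed to the subscriber; one naming a
    # different recipient or carrying List-* headers was forwarded to us.
    rcpts = msg.get_all("To", []) + msg.get_all("Cc", [])
    addressed_to_me = any(my_address.lower() in r.lower() for r in rcpts)
    return msg.get("List-Id") is not None or not addressed_to_me

def scan(raw_email, my_address):
    # Returns the indicators that fired; an empty list means nothing suspicious.
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    findings = []
    field = URL_FIELD.search(body)
    if field and not url_field_is_clean(field.group(1)):
        findings.append("customer-service-url-contains-text")
    if unusual_unicode(body):
        findings.append("unicode-obfuscation")
    if relayed_via_list(msg, my_address):
        findings.append("relayed-through-mailing-list")
    return findings
```

Any non-empty result is a reason to verify the charge by logging in to the account directly rather than calling a number from the message.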
PayPal Response
PayPal has acknowledged the issue and says it is actively addressing the abuse. “PayPal does not tolerate fraudulent activity and we work hard to protect our customers from consistently evolving phishing scams,” the company said in a statement to BleepingComputer.
“We are actively mitigating this matter, and encourage people to always be vigilant online and mindful of unexpected messages. If customers suspect they are a target of a scam, we recommend they contact Customer Support directly through the PayPal app or our Contact page for assistance.”
What Users Should Do
Customers who receive a PayPal email claiming that their automatic payment is no longer active and listing a surprise purchase should not call the phone number in the message. Instead, they should log in to their PayPal account directly to verify whether any charges were made. Even when an email looks legitimate, it is always safer to check at the source than to react in haste.
