A new email scam is abusing PayPal’s subscription system to send fake purchase alerts through real PayPal emails.

The issue was first reported by BleepingComputer, which investigated how scammers are using PayPal’s own systems to make the messages look legitimate.

Over the past few months, many users have received emails from PayPal saying, “Your automatic payment is no longer active.” On the surface, the email looks normal and comes directly from PayPal’s official address, [email protected]. This has caused confusion and fear, with some people worrying that their PayPal accounts were hacked.

The scam hides inside the customer service URL section of the email. Instead of a normal website link, that field contains a fake message claiming an expensive item was purchased. The message usually mentions a product like a MacBook, iPhone, or Sony device and states that a payment between $1,300 and $1,600 has been processed. It then urges the recipient to call a phone number to cancel or dispute the charge.

The text is often filled with unusual symbols and Unicode characters to make parts of it stand out and to help bypass spam filters. The phone number does not belong to PayPal. It connects to scammers pretending to be PayPal support.

What makes this scam especially dangerous is that the emails are genuinely sent by PayPal. As documented by BleepingComputer, the messages pass standard email security checks such as SPF, DKIM, and DMARC and are sent from PayPal’s own mail servers. Because of this, many email providers do not flag them as suspicious.

READ
Google Helps Dismantle NetNut Botnet That Hijacked Millions of Android Devices

According to BleepingComputer’s testing, scammers appear to be misusing PayPal’s subscription feature. When a merchant pauses a subscription, PayPal automatically sends an email to notify the subscriber that the automatic payment is no longer active. Scammers are somehow modifying the customer service URL field to include fake purchase text, even though PayPal normally restricts this field to valid URLs. This suggests a flaw or an abuse of an older or limited system.

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected] header.s=pp-dkim1 header.b="AvY/E1H+";
       spf=pass (google.com: domain of [email protected] designates 173.0.84.4 as permitted sender) [email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
Received: from mx15.slc.paypal.com (mx15.slc.paypal.com. [173.0.84.4])
        by mx.google.com with ESMTPS id a92af1059eb24-11dcb045a3csi5930706c88.202.2025.11.28.09.14.49
        for 
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 28 Nov 2025 09:14:49 -0800 (PST)

It is still unclear how these emails are reaching people who never signed up for any PayPal subscription. BleepingComputer believes scammers create fake subscriber email addresses that forward PayPal’s emails to many victims at once, likely using a mailing list setup. This allows the scam to spread widely while keeping the original PayPal email intact.

The purpose of the scam is to scare people into calling the fake support number. Once on the call, victims may be pressured into sharing banking details or installing software that gives scammers access to their computer.


Buy ExpressVPN with PayPal or Credit Card

PayPal has confirmed to BleepingComputer that it is aware of the issue and is actively working to stop this method of abuse. The company advises users to stay cautious with unexpected emails and to contact PayPal only through its official app or website.

READ
Apple Hide My Email Bug Reportedly Exposes Users' Real Email Addresses
Advertisement