New PayPal scam uses real emails to trick you

You might get a message like, "You added a new address. This is just a quick confirmation that you added in your PayPal account."

Exploiting real features: Scammers abuse PayPal's "add address" or "money request" tools. By entering your email, they can trigger real emails from PayPal's real domain. And this works even if you don't have a PayPal account.

Bypassing filters: Because these emails come directly from PayPal's servers (service@paypal.com), they pass all security checks and appear legitimate in your inbox.

Lack of suspicion: Some versions contain no phishing links at all, just a scammer's phone number, making them even harder to detect.

Panic bait: The message often claims a new address was added, or a large payment is being processed, getting your attention and provoking a quick reaction.

Follow-up attacks: After the initial email, scammers may later contact you pretending to be PayPal support. Some urge you to click a link to "secure your account", which leads to a fake login page designed to steal your credentials. 

In a newer and more sophisticated twist, scammers are removing links altogether. Instead, they include a phone number and ask you to call. Once you do, you're connected with a fake PayPal representative who says they need to verify your identity. They then instruct you to download what appears to be a PayPal-branded support tool, but really it's a customized remote access app hosted on a different server. And once it's installed, it gives the scammer full access to your device.

This part is still a bit of a mystery. With typical PayPal invoice scams, content is tightly controlled, which means you normally can't change the email structure or messaging. However, these new emails suggest that scammers may be exploiting internal features, like business tools or API fields, to sneak custom content into PayPal-generated alerts. It's not just phishing, it's weaponizing a legitimate system to create trust and evade detection.

This scam is especially effective and dangerous because the emails come directly from PayPal's official servers, making it difficult to distinguish them from legitimate messages. Since the sender address and branding are authentic, recipients are more likely to trust the communication without suspicion.

The scammers also use urgent language that creates a sense of panic, such as warnings about unauthorized activity or large charges. This pressure encourages people to act quickly and often before fully considering whether the alert is genuine.

Additionally, the scam often involves follow-up contact through calls or texts from individuals posing as PayPal personnel, further exploiting the initial confusion and increasing the chances of victims giving up sensitive information.

Even if you're vigilant, you can still be targeted. Here's how to stay safe:

This phishing scam is dangerous because it uses real PayPal emails sent from service@paypal.com. Scammers exploit PayPal's built-in features to send real notifications that look legitimate. What makes it especially sneaky is the absence of links, Instead, these emails include a phone number, making them more likely to pass through spam filters. When you call, you're connected to a fake PayPal rep who pressures you into downloading a remote access tool disguised as support software. The safest move? Don't click, don't call. Just go straight to PayPal.com and check your account manually.

Follow Kurt on his social channels

Answers to the most asked CyberGuy questions:

New from Kurt:

Copyright 2025 CyberGuy.com.  All rights reserved.