
In December 2025, a new PayPal email scam stood out for one reason: the messages didn’t just look authentic – they were genuinely sent from PayPal’s infrastructure and arrived from PayPal’s own notification address, so SPF, DKIM, and DMARC all checked out.
That made this campaign far more convincing than the usual lookalike-domain phishing attempts. Instead of spoofing PayPal’s domain, scammers abused PayPal subscriptions to trigger legitimate notification emails, then used those messages to display fake “purchase” details and a phone number designed to lure recipients into a callback scam.
Attackers don’t always need to spoof a sender to get clicks or calls – they can also abuse trusted services to deliver convincing messages. But spoofing remains a major risk for companies: If your domain can be faked, scammers can impersonate your brand and reach inboxes at scale.
To make that harder, you need strong email authentication: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
Book a demo to see how Sendmarc helps you enforce DMARC safely, monitor SPF and DKIM alignment, and spot spoofing and misconfigurations before they become incidents.
This PayPal email scam started with a legitimate PayPal process that was twisted into a fraudulent notification.
BleepingComputer reported that scammers used PayPal’s “Subscriptions” billing feature to create a subscription and then pause it. That pause triggers PayPal’s real notification email: “Your automatic payment is no longer active.”
Inside the email, the attackers abused the “Customer service URL” field. Instead of a clean support link, the field displayed text that looked like a URL, followed by a fake purchase confirmation and a phone number to “cancel” the payment. The subscription’s “customer” was not a real person either: its address was most likely a Google Workspace mailing list, so every notification PayPal sent to it was automatically forwarded to the group’s members, i.e. the intended victims.
BleepingComputer’s example included a fake high-value charge and an unsolicited support number. The message also used Unicode characters to make parts of the text appear bold or visually unusual. Because those styled code points are not the ASCII letters a keyword rule looks for, the trick can help the message slip past spam filters and keyword-based detection.
The goal wasn’t to steal your PayPal password in a browser. It was to make a person panic, call the number, and follow instructions that lead to remote access, malware, or financial fraud.
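The styling trick above is cheap to defeat if a filter normalizes text before matching. The following is an added example (not code from the original article or from Sendmarc) that shows the problem and the fix: a constructed lure is re-encoded in Mathematical Bold code points, a naive keyword search misses it, and the same search after NFKC normalization catches the keywords and the callback number. The keyword list, the phone-number pattern, and the sample body are assumptions for illustration.

```python
import re
import unicodedata

# Keywords a simple content filter might look for in payment-themed lures (assumed list).
KEYWORDS = ("purchase", "call", "cancel", "invoice", "charged")
# North American style phone number such as 1-800-555-0199, matched after normalization.
PHONE_RE = re.compile(r"\b1?[-.\s]?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")

# Constructed sample text; this is not the wording of the reported campaign.
BODY = "Purchase confirmed: call 1-800-555-0199 to cancel this payment."


def to_math_bold(text: str) -> str:
    """Re-encode ASCII letters and digits as Mathematical Bold code points.

    Used here only to construct a sample that mimics the styling trick the
    article describes; punctuation and spaces pass through unchanged.
    """
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr(0x1D400 + ord(ch) - ord("A")))
        elif "a" <= ch <= "z":
            out.append(chr(0x1D41A + ord(ch) - ord("a")))
        elif "0" <= ch <= "9":
            out.append(chr(0x1D7CE + ord(ch) - ord("0")))
        else:
            out.append(ch)
    return "".join(out)


def normalize(text: str) -> str:
    """NFKC folds compatibility variants (math bold, fullwidth, etc.) back to ASCII."""
    return unicodedata.normalize("NFKC", text)


def styled_ratio(text: str) -> float:
    """Share of alphanumeric characters whose NFKC form differs from the original.

    A high ratio in a transactional email is itself a useful signal.
    """
    alnum = [c for c in text if c.isalnum()]
    if not alnum:
        return 0.0
    return sum(1 for c in alnum if normalize(c) != c) / len(alnum)


def find_keywords(text: str) -> list:
    """Whole-word keyword matches against the lower-cased text."""
    low = text.lower()
    return [k for k in KEYWORDS if re.search(rf"\b{k}\b", low)]


def scan(text: str) -> dict:
    """Run keyword and phone-number checks on both the raw and the normalized text."""
    norm = normalize(text)
    return {
        "keywords_raw": find_keywords(text),
        "keywords_normalized": find_keywords(norm),
        "phone_numbers": PHONE_RE.findall(norm),
        "styled_ratio": round(styled_ratio(text), 2),
    }


if __name__ == "__main__":
    styled = to_math_bold(BODY)
    print("styled body :", styled)
    print("plain scan  :", scan(BODY))
    print("styled scan :", scan(styled))
```

NFKC only undoes compatibility variants of the same character. Lookalikes from other scripts (a Cyrillic “а” for a Latin “a”, for example) survive normalization and need a separate confusables check.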
Similar scams keep resurfacing in new forms. The safest approach is to treat any unexpected “purchase” or “urgent action” email as untrusted until you verify it through official channels.
If you manage an organization, alert your help desk so other employees don’t follow the callback instructions.
| Verify this | Safe action |
| --- | --- |
| Was there actually a transaction? | Check in the PayPal app/site (not the email) |
| Does the email push you to call? | Ignore the number and use official support paths |
| Is the message unexpected or urgent? | Treat it as suspicious until verified |
PayPal told BleepingComputer it was actively mitigating the matter, saying,
“We are actively mitigating this matter, and encourage people to always be vigilant online and mindful of unexpected messages.
If customers suspect they are a target of a scam, we recommend they contact Customer Support directly through the PayPal app or our Contact page for assistance.”
After BleepingComputer’s investigation, PayPal reportedly closed the loophole that let scammers send genuine PayPal notification emails containing fake purchase details.
Even with a fix in place, this is a useful reminder for security teams: Attackers will keep looking for ways to exploit trusted channels and human urgency. That is why businesses can’t rely on brand recognition alone. You also need to ensure your own domain can’t be impersonated.
DMARC tells mailbox providers what to do when an email claims to come from your domain but fails SPF and DKIM alignment checks. When DMARC is properly implemented and enforced, providers quarantine or reject those messages instead of delivering them, and send you aggregate reports on what they saw.
A practical path is to get SPF and DKIM working reliably across all legitimate senders, then move DMARC from monitoring to enforcement – aiming for p=reject once you’ve validated your sending sources.
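To make the policy decision concrete, here is an added example (not Sendmarc’s code and not the page’s own) of the core check a receiving mail server performs: parse the DMARC record, test whether the SPF and DKIM identifiers align with the From domain, and derive the disposition. The records, domains, and authentication results are constructed and hypothetical; the organizational-domain logic is a deliberate toy, as the comment notes. It also shows the caveat from the PayPal case: mail that really leaves the brand’s infrastructure passes DMARC no matter what the body says.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResult:
    """Result of one authentication check and the domain it authenticated.

    For SPF that is the MAIL FROM (envelope) domain; for DKIM it is the
    signature's d= tag. These are constructed inputs standing in for a verifier.
    """
    passed: bool
    domain: str


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tag/value pairs, applying RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")  # relaxed alignment unless adkim=s
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. A real verifier consults the Public Suffix List;
    this toy keeps the last two labels, which is wrong for suffixes like co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode accepts the same org domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record: str, from_domain: str,
             spf: Optional[AuthResult] = None,
             dkim: Optional[AuthResult] = None) -> dict:
    """Return the DMARC verdict and the disposition the published policy asks for."""
    tags = parse_dmarc(record)
    spf_ok = bool(spf and spf.passed and aligned(spf.domain, from_domain, tags["aspf"]))
    dkim_ok = bool(dkim and dkim.passed and aligned(dkim.domain, from_domain, tags["adkim"]))
    passed = spf_ok or dkim_ok

    # Subdomains fall under sp= when present, otherwise under p=.
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]

    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # On a pass the policy is not applied; pct= tells the receiver what share
        # of failing mail the policy covers (the remainder is treated as p=none).
        "disposition": "none" if passed else policy,
        "pct": int(tags["pct"]),
    }


# Constructed records for a hypothetical brand domain, example.com.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCE = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # 1. Spoof: From: example.com, but SPF passed for the attacker's own domain.
    spoof = AuthResult(True, "bulk-mailer.example.net")
    print("spoof under p=none   :", evaluate(MONITOR, "example.com", spf=spoof))
    print("spoof under p=reject :", evaluate(ENFORCE, "example.com", spf=spoof))
    # 2. Legitimate sender signing with a subdomain key: relaxed alignment passes.
    print("own subdomain DKIM   :", evaluate(ENFORCE, "example.com",
                                             dkim=AuthResult(True, "mail.example.com")))
    # 3. Mail that genuinely leaves the brand's infrastructure passes, as in the
    #    PayPal case: DMARC judges the origin of a message, not its content.
    print("genuine but abusive  :", evaluate(ENFORCE, "example.com",
                                             spf=AuthResult(True, "example.com"),
                                             dkim=AuthResult(True, "example.com")))
```

The first two scenarios are the reason to move from p=none to p=reject: the spoofed message fails DMARC under both records, but only the enforcing record actually asks the receiver to drop it. The third scenario is why you validate every legitimate source before enforcing: a sender that signs with a subdomain key passes under relaxed alignment but would fail under adkim=s.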
Sendmarc helps you do that without guesswork by mapping your real sending landscape, flagging misalignment and unknown senders early, and supporting safe progression to enforcement.
Book a demo to see how DMARC enforcement, monitoring, and real-time alerts can make your business significantly harder to spoof.