  • Beware: PayPal subscriptions abused to send fake purchase emails


    Karlston

    • 2 comments
    • 432 views
    • 5 minutes

    An email scam is abusing PayPal’s "Subscriptions" billing feature to send legitimate PayPal emails that contain fake purchase notifications embedded in the Customer service URL field.

     

    Over the past couple of months, people have reported [1, 2] receiving emails from PayPal stating, "Your automatic payment is no longer active." 

     

    The email includes a customer service URL field that was somehow modified to include a message stating that you purchased an expensive item, such as a Sony device, MacBook, or iPhone.

     

    This text includes a domain name, a message stating that a payment of $1,300 to $1,600 was processed (the amount varies by email), and a phone number to cancel or dispute the payment. The text is filled with Unicode characters that make portions appear bold or in an unusual font, a tactic used to try and evade spam filters and keyword detection.

     

    "http://[domain] [domain] A payment of $1346.99 has been successfully processed. For cancel and inquiries, Contact PayPal support at +1-805-500-6377," reads the customer service URL in the scam email.

     

    PayPal subscription email used in scam
    Source: BleepingComputer

    While this is clearly a scam, the emails are being sent directly by PayPal from the address "[email protected]," leading people to worry their accounts may have been hacked.

     

    Furthermore, as the emails are legitimate PayPal emails, they are bypassing security and spam filters. In the next section, we will explain how scammers send these emails.

     

    The goal of these emails is to trick recipients into thinking their account purchased an expensive device and scare them into calling the scammer's "PayPal support" phone number.

     

    Emails like these have historically been used to convince recipients to call a number to conduct bank fraud or trick them into installing malware on their computers.

     

    Therefore, if you receive a legitimate email from PayPal stating your automatic payment is no longer active, and it contains a fake purchase confirmation, ignore the email and do not call the number.

     

    If you are concerned that your PayPal account was compromised, log in to your account and confirm that there was no charge.

    How the PayPal scam works

    BleepingComputer was sent a copy of the email from someone who received it and found it strange that the scam originated from the legitimate "[email protected]" email address.

     

    Furthermore, the email headers indicate that the emails are legitimate, pass DKIM and SPF email security checks, and originate directly from PayPal's "mx15.slc.paypal.com" mail server, as shown below.

    ARC-Authentication-Results: i=1; mx.google.com;
           dkim=pass [email protected] header.s=pp-dkim1 header.b="AvY/E1H+";
           spf=pass (google.com: domain of [email protected] designates 173.0.84.4 as permitted sender) [email protected];
           dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
    Received: from mx15.slc.paypal.com (mx15.slc.paypal.com. [173.0.84.4])
            by mx.google.com with ESMTPS id a92af1059eb24-11dcb045a3csi5930706c88.202.2025.11.28.09.14.49
            for 
            (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
            Fri, 28 Nov 2025 09:14:49 -0800 (PST)

    After testing various PayPal billing features, BleepingComputer was able to replicate the same email template by using PayPal's "Subscriptions" feature and pausing a subscriber.

     

    PayPal subscriptions are a billing feature that lets merchants create subscription checkout options for people to subscribe to a service for a specified amount. 

     

    When a merchant pauses a subscriber's subscription, PayPal will automatically email the subscriber to notify them that their automatic payment is no longer active.

     

    However, when BleepingComputer attempted to replicate the scam by adding text other than a URL to the Customer Service URL, PayPal would reject the change as only a URL is allowed.

     

    Therefore, it appears the scammers are either exploiting a flaw in PayPal's handling of subscription metadata or using a method, such as an API or legacy platform not available in all regions, that allows invalid text to be stored in the Customer service URL field.

     

    Now that we know how they generate the email from PayPal, it's still unclear how it's being sent to people who didn't sign up for the PayPal subscription.

     

    The mail headers show that PayPal is actually sending the email to the address "[email protected]," which we believe is the email address associated with a fake subscriber created by the scammer.

     

    This account is likely a Google Workspace mailing list, which automatically forwards any email it receives to all other group members. In this case, the members are the people the scammer is targeting.

     

    This forwarding can cause all subsequent SPF and DMARC checks to fail, since the email was forwarded by a server that was not the original sender.

     

    When BleepingComputer contacted PayPal to ask if this issue was fixed, they declined to comment and shared the following statement instead.

     

    "PayPal does not tolerate fraudulent activity and we work hard to protect our customers from consistently evolving scam tactics," PayPal told BleepingComputer.

     

    "We are aware of this phishing scam and encourage people to always be vigilant online and mindful of unexpected messages. If customers suspect they are a target of a scam, we recommend they contact Customer Support directly through the PayPal app or our Contact page for assistance."

     

    Source


    Hope you enjoyed this news post. Feedback welcome.

    Posted Monday 15 December 2025 at 3:22 am AEST (my time).

    News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of November): 5,412

    RIP Matrix

    • Like 2
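
The article notes that the lure text sits in a field meant to hold only a URL and uses styled Unicode to dodge keyword matching. The following is an added example, not code from the article or from PayPal: a filter-side check that folds styled characters with NFKC before validating the field. The function names, regexes and sample values are assumptions made for illustration.

```python
import re
import unicodedata
from urllib.parse import urlsplit

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
LURE_RE = re.compile(r"payment of \$?\d|successfully processed|contact .{0,20}support", re.I)

def fold(text):
    """NFKC folds styled code points (e.g. mathematical bold) to plain ASCII."""
    return unicodedata.normalize("NFKC", text)

def check_service_url(value):
    """Return findings for the text stored in a 'Customer service URL' field."""
    findings = []
    folded = fold(value).strip()
    if folded != value.strip():
        findings.append("styled-unicode")
    try:
        parts = urlsplit(folded)
        is_url = (not re.search(r"\s", folded)
                  and parts.scheme in ("http", "https") and bool(parts.hostname))
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        is_url = False
    if not is_url:
        findings.append("not-a-single-url")
    if PHONE_RE.search(folded):
        findings.append("phone-number")
    if LURE_RE.search(folded):
        findings.append("payment-lure")
    return findings

def to_math_bold(text):
    """Build constructed test input: restyle ASCII letters and digits as math bold."""
    table = {}
    for base, start, count in ((0x1D400, "A", 26), (0x1D41A, "a", 26), (0x1D7CE, "0", 10)):
        for i in range(count):
            table[ord(start) + i] = chr(base + i)
    return text.translate(table)

# Constructed sample modelled on the field text quoted in the article; the
# domain and phone number are placeholders, not values from the scam emails.
SAMPLE = ("http://example.invalid example.invalid "
          + to_math_bold("A payment of $1346.99 has been successfully processed.")
          + " Contact PayPal support at +1-202-555-0100")

if __name__ == "__main__":
    print(check_service_url(SAMPLE))
    print(check_service_url("https://example.com/help"))
```

A plain substring search for "payment" misses the styled sample; the same search succeeds once the text has been folded.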

    User Feedback

    Recommended Comments

    And this is where having a brain (that's being used adequately...) prevails over scams and AVs. 

     

    I am aware of what I purchase and it's not some email that's going to tell me otherwise.

     

    I've received my share of scams and the ones that seemed plausible I went to check directly in my bank account and/or PayPal.

     

    I take no chances whatsoever! When I use PayPal on some website, I don't enter my login info in the popup that site gives me. I go to my PayPal account and log in from there.



     

    I had an email from PayPal once demanding that I pay for an iPhone 14 that I never ordered. Well, it was called a Seller demand, so I looked up the PayPal phone number (not the one on the email), and I phoned them to say IT WAS A SCAM. And was told that they PAYPAL COULDN'T REMOVE / remove the request for said monies from my account unless the SCAMMER / person requesting the money changed their mind.

     

    PayPal wasn't interested in the slightest that I never ordered from that person. I still to this day don't know whether the scam was via eBay or Amazon or some other site that uses PayPal. 8 months it took before the SCAMMER decided that I wasn't going to pay and try their luck with someone else. The fact I told PayPal I was going to de-activate my account because of their IN-action against the scammer didn't faze them either, so how did I de-activate my account? Simple: I went into my PayPal account and removed my bank details, and removed my PayPal account from the payment method of eBay.

     

    When I need to buy something I now use a card direct with eBay, pre-payment. 4 years and counting since I last used PayPal.

     

    Note: if you happen to be claiming Universal Credit in the UK, the Jobcentre may ask you, when you give them your account information and tell them how much money you have in your bank account, to make sure you're not being overpaid. The reason I post that is IF you tell them you have a PayPal account (i.e. for buying via eBay, not as a seller, and money gets paid into it), they will ask you for a printout of that as well. Which, if you're unlucky, you won't be able to provide, and they will hassle you until you do. 4 months of ME telling them that the LINK they told me to click DIDN'T WORK, or by going onto the site and searching, trying everything to get said INFORMATION. It seems PayPal don't like people being able to use that feature, as a married couple found out.

     

    The wife was able to print out the information just like that. The husband: same computer, connection, but his login information for his account, and NO GO, as he posted on the PayPal forum.




