If you think you’ve seen every trick in a scammer’s playbook, cybercriminals have just added a fresh new chapter. This time, they’re coming for your PayPal account with a devilishly clever trick that makes the whole thing look completely legit.
Because the email you’re getting is actually from PayPal. It passes through your spam filters, looks official, and comes straight from the fintech company’s servers.
The hack that shouldn’t work, but does
According to security researchers at Cofense and a detailed investigation by Bleeping Computer, scammers have figured out how to weaponize PayPal’s own subscription billing system against users.
They’re not spoofing emails. They’re abusing PayPal’s own system to trigger genuine automated notifications that carry their malicious payload.
How do they pull this off, given that it clearly takes some sophistication? Scammers create bogus PayPal subscriptions, direct the notifications to an email address they control that feeds a mailing list or group, and then pause the subscription. Pausing triggers PayPal’s legitimate “Your automatic payment is no longer active” email, which the list then forwards to every member, complete with the injected scam content.
The truly diabolical part is that they’re exploiting a flaw (or rather a legacy quirk) in how PayPal handles subscription metadata, specifically the “Customer service URL” field, by stuffing it with text that displays fake purchase details (like a $1,300+ charge for an expensive device) along with a fraudulent number to call “to dispute or cancel” the transaction.
The goal is ultimately to panic victims into calling fraudsters who then run tech support scams, often gaining remote access to devices, stealing credentials, and draining accounts.
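Because the notification really does come from PayPal, sender checks alone will not catch it; what stands out is the content of the reused field and the path the message took. The following is an added example, not code from the article or from PayPal: a small mail-filter heuristic that flags a notification when the “Customer service URL” field holds prose, a price or a phone number instead of a URL, or when the message arrived through a mailing list. The sample messages, the “Customer service URL:” line label and the domain names are constructed assumptions, not real PayPal formats.

```python
import re
from email import message_from_string

# Constructed samples (not real PayPal mail): the first mimics the abused notice as
# received via a mailing list, the second a benign notice with a real URL in the field.
ABUSED_NOTICE = """From: service@paypal.example
To: victims-list@lists.example
List-Id: <victims-list.lists.example>
Subject: Your automatic payment is no longer active

Your automatic payment to Example Merchant is no longer active.
Customer service URL: Charge of $1,349.99 for a new laptop. To dispute or cancel call 1-800-555-0100 now
"""

BENIGN_NOTICE = """From: service@paypal.example
To: alice@home.example
Subject: Your automatic payment is no longer active

Your automatic payment to Example Merchant is no longer active.
Customer service URL: https://www.example-merchant.example/help
"""

# The "Customer service URL:" line label is an assumed rendering of the field.
FIELD = re.compile(r"^Customer service URL:\s*(.*)$", re.IGNORECASE | re.MULTILINE)
IS_URL = re.compile(r"^https?://\S+$")
CURRENCY = re.compile(r"[$€£]\s?\d[\d,]*(?:\.\d{2})?")
PHONE = re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
URGENCY = re.compile(r"\b(dispute|cancel|call)\b", re.IGNORECASE)


def analyze(raw: str) -> dict:
    """Return {'suspicious': bool, 'reasons': [...], 'field': str} for one message."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # plain-text body of a non-multipart message
    match = FIELD.search(body)
    field = match.group(1).strip() if match else ""
    reasons = []
    # A URL field should hold a URL; prose, prices or phone numbers do not belong there.
    if field and not IS_URL.match(field):
        reasons.append("customer service field is not a URL")
    if CURRENCY.search(field):
        reasons.append("currency amount in customer service field")
    if PHONE.search(field):
        reasons.append("phone number in customer service field")
    if URGENCY.search(field):
        reasons.append("dispute/cancel/call wording in customer service field")
    # Genuine account mail is addressed to you directly, not relayed through a list.
    if msg.get("List-Id") is not None:
        reasons.append("relayed through a mailing list (List-Id header present)")
    return {"suspicious": bool(reasons), "reasons": reasons, "field": field}
```

Any single reason is enough to route the message for review rather than trusting it, even though DKIM and SPF checks on it would pass.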
PayPal responds
After security researchers at Cofense and Bleeping Computer sounded the alarm on the attack, PayPal issued the following statement: “PayPal does not tolerate fraudulent activity, and we work hard to protect our customers from consistently evolving phishing scams. We are actively mitigating this matter, and encourage people to always be vigilant online and mindful of unexpected messages.”
How to protect yourself
If you get any email from PayPal about a paused subscription or billing issue, don’t click the links. Instead, open your browser, type in PayPal.com manually, and log in directly. If there’s a legitimate issue, you’ll see it when you’re safely logged in.
Enable two-factor authentication: When hackers steal your password, 2FA is typically the only thing standing between them and your bank account.
Use a passkey if possible: PayPal now supports passkeys, which are significantly more secure than traditional passwords and virtually impossible for scammers to phish.
Check your subscriptions regularly: Log into your PayPal account once a month and review your active subscriptions, and if you see anything you don’t recognize, cancel it immediately.
Be especially vigilant during the holidays: Scammers ramp up attacks during the shopping season because they know everyone’s distracted and clicking through emails quickly.
The bigger picture
This PayPal scam is especially worrying because it represents an evolution in cybercrime tactics. Instead of trying to impersonate PayPal, hackers are essentially hijacking PayPal’s own communication infrastructure. It’s like a burglar who doesn’t pick your lock; they just trick you into opening the door for them.
The tactics are similar across the board; Google users, Microsoft accounts, Apple IDs, Amazon profiles, basically anyone with a major online presence is currently in the crosshairs. The holiday season is prime hunting time for these digital predators, and they’re getting more sophisticated by the day.
The frustrating reality is that even if you do everything right (strong passwords, two-factor authentication, and security software), you can still be vulnerable to attacks that exploit legitimate systems. That’s why the most important security tool you have isn’t software at all. It’s skepticism.
Source: Forbes
