Paperless Post Scam Email: How Fake “Invitation” Links Steal Your Password
Written by: Thomas Orsolya
Phishing emails impersonating Paperless Post invitations are circulating, and they are designed to steal login credentials, especially for high-value accounts like your email inbox.
These messages often look convincing because they mimic real invitation language and branding. In many cases, they appear to come from someone you know because the sender’s email account has already been compromised and is being used to distribute the scam.
The goal is simple: get you to click a “View Invitation” or “Open Card” link, land on a fake sign-in page, and enter your password. Once attackers have access to your email, they can reset other passwords, message your contacts, and expand the scam quickly.
This guide explains what these Paperless Post scam emails look like, how the operation works step by step, and what to do immediately if you clicked or entered any information.
Scam Overview
Paperless Post is a legitimate service used for online invitations, greeting cards, and event announcements. That real-world credibility is what makes it attractive to attackers. They mimic the brand, the language, and the “you’ve been invited” format because it lowers your defenses.
A scam email does not need to be perfect. It just needs to feel plausible long enough for you to tap or click.
What makes this scam different from generic phishing
Most phishing emails try to impersonate banks, delivery companies, or streaming services. The Paperless Post style scam has a more personal hook.
It often looks like something sent by a friend, coworker, parent at school, or a family member. The emotional context matters:
You do not want to miss an event.
You assume the sender is real because you recognize the name.
You feel safe because invitations are normal.
That social trust is the lever. Once they have it, the scam is simply a credential theft operation.
The most common goal: your email login
Scammers frequently aim for your email account, not your Paperless Post account.
Why email?
Because email is the master key to your digital life.
If a criminal gets into your email account, they may be able to:
Reset passwords for your bank, PayPal, Amazon, or other shopping accounts
Access private conversations, invoices, and sensitive attachments
Steal contacts and use them to send more phishing emails
Create forwarding rules so they quietly receive your mail
Take over other accounts using “Forgot password” flows
Trick friends and coworkers using believable messages from your real address
Even if you have never used Paperless Post, the scam can still work, because the bait is the invitation. The trap is the login page that follows.
Why the sender is often someone you know
A key feature of this scam is that it often arrives from a real mailbox that has already been compromised.
Attackers commonly:
Break into someone’s email account (through a previous phishing attack, reused password, or malware).
Pull their contact list or recent email threads.
Send “invitation” emails to the victim’s contacts.
That is why the message can feel unusually convincing. It is not always a random spoofed address. Sometimes it is your friend’s actual email account sending real email.
This is also why outbreaks can move fast through workplaces, schools, and families.
Common subject lines and phrases used
Scammers rotate wording, but the themes are consistent. You might see:
“You’re invited”
“You have a Paperless Post invitation”
“You received an eCard”
“Open your invitation”
“A message from [Name]”
“Reminder: invitation waiting”
“Last chance to RSVP”
Inside the email, language often pushes urgency or curiosity:
“View invitation”
“RSVP now”
“See details”
“Open card”
“You have a private message”
“This invitation expires soon”
Even when the writing is slightly awkward, the social context can override your skepticism.
What the email often looks like
Most versions share a similar structure:
A logo or brand-like header
A big button (View Invitation, Open Invitation, RSVP)
A short line suggesting a friend invited you
Sometimes a preview image for the “card” or “invite”
A footer with tiny text meant to look official
Some scammers also copy layout cues that resemble legitimate marketing emails. Others keep it very simple to avoid spam filters.
The link is the real danger
The visible button is usually just a link to a phishing site.
Common tricks include:
A lookalike domain (for example, a domain that includes words like “paperless”, “post”, “invite”, “rsvp”)
A completely unrelated domain hosted on a hacked website
A shortened link that hides the destination
A link that routes through several redirects before landing on the fake page
Once you click, you are taken to a page designed to capture credentials.
What happens after you click
From that point, one of these paths is typical:
Path A: Fake Paperless Post login page. The page claims you must log in to see the invitation.
Path B: Fake email provider login page. The page claims you must “verify your email” to view the invitation. It may show options like Gmail, Outlook, Microsoft 365, Yahoo, or AOL.
This second path is extremely common because it targets the account that unlocks everything else.
Path C: Fake “security check” or “confirm you’re human” flow. This is used to make the page feel legitimate before asking for credentials.
Red flags that strongly suggest a scam
Use this checklist to quickly assess an email claiming to be a Paperless Post invitation.
Red flags in the sender details
The sender’s display name is familiar, but the email address is strange
The sender’s address is a long string of letters and numbers
You see an unexpected “via” address or mismatched domain
The reply-to address differs from the from address
Red flags in the message content
You were not expecting an invitation from this person
The message feels oddly generic, with little context
You are pushed to click immediately (urgent RSVP, expiring link)
The message contains unusual grammar or spacing
Red flags in the link
Hovering over the button shows a domain you do not recognize
The link is shortened (bit.ly, tinyurl) or heavily tracked
The link goes to a non-business domain that has nothing to do with Paperless Post
The link includes random folders and strings that look auto-generated
Red flags on the landing page
The page asks for your email password to view an invitation
The page looks slightly off: blurry logo, odd fonts, misaligned elements
The URL does not match the real company’s domain
The page errors out after you enter credentials, then asks again
That “try again” loop is a classic sign of credential harvesting.
Why this scam is so effective
This type of phishing succeeds because it combines three powerful factors:
Social trust: it appears to come from someone you know.
Low suspicion context: invitations are normal and non-financial.
High value target: the login page aims at email credentials, not a minor account.
It is a clean, scalable operation. A single compromised inbox can send hundreds or thousands of invitations. Even a small success rate can yield profitable access.
What scammers do with stolen credentials
Once credentials are captured, criminals may:
Log into the email account directly
Try the same password on other sites (credential stuffing)
Search the inbox for:
bank-related messages
password reset emails
invoices and payment confirmations
tax documents or identity data
Set up persistence:
forwarding rules to an external address
hidden filters that auto-archive security alerts
adding a recovery email or phone number they control
They may also monetize quickly by making purchases, moving funds, or attempting gift card fraud.
What about Paperless Post accounts and payment details?
Some victims do have Paperless Post accounts. In those cases, scammers may also attempt:
Account takeover to send more scam invitations
Access to saved contact lists
Access to any saved payment methods, if present
More commonly, though, the Paperless Post theme is simply the lure. The real objective is your primary email account or your Microsoft 365 account in a workplace.
Who is most at risk?
Anyone can get targeted, but these groups are hit frequently:
Workplaces using Microsoft 365 or Google Workspace: Compromising one mailbox can give attackers a direct path to business data and internal contacts.
Parents and school communities: Email lists spread quickly, and event invitations are routine.
Older adults: Scammers exploit trust and familiarity. A “card” or “invitation” feels safe.
People with reused passwords: If you reuse a password across sites, a single phish can cascade into multiple takeovers.
A safer way to check if an invitation is real
If you suspect the email might be real but you are unsure, use a safe verification approach:
Do not click the email button.
Open your browser and manually type the official Paperless Post site address that you already know, or use a trusted bookmark.
Log in from there.
Check your account notifications or invitations inside the site.
If a friend truly invited you, you can also confirm by texting them or calling them. Use a separate channel, not a reply to the suspicious email.
How The Scam Works
This is the operational flow you are dealing with. While variations exist, most Paperless Post invitation phishing campaigns follow the same playbook.
Step 1: Scammers get access to a real email account
Many campaigns start with account compromise. Attackers obtain login access through:
A previous phishing email (often unrelated to Paperless Post)
Reused passwords leaked from old data breaches
Malware that steals saved browser passwords
Weak security questions or exposed recovery options
Lack of multi-factor authentication (MFA)
Once inside an inbox, the attacker has a trusted identity to abuse.
Step 2: They weaponize the victim’s contact list
After access is gained, the attacker typically collects:
Saved contacts
Recently emailed addresses
Group lists (school groups, workplace teams, clubs)
Thread participants from ongoing conversations
Then they send the Paperless Post themed email to those people.
This is why the email can feel so believable. It may arrive from a real friend’s mailbox with a realistic subject line and a “friendly” tone.
Step 3: The phishing email is designed for quick clicks
The email is engineered for speed, not depth.
It usually includes:
A recognizable brand name
One big call-to-action button
Minimal text so you do not overthink it
A “personal” angle, even if vague
Sometimes scammers also include a name in the body:
“Hi, you’ve been invited by Sarah”
“A message from John”
Even if that name is generic, it nudges you into trust mode.
Step 4: The button sends you to a phishing site
When you click “View Invitation” or similar, you are routed to a website controlled by the attacker or an affiliate scam group.
There are several ways they host this:
A newly registered domain that resembles the brand
A hacked WordPress site with a hidden phishing page
A cloud-hosted page using common platforms
A compromised small business website repurposed for phishing
The page is often mobile-optimized because many victims click from phones.
Step 5: The landing page pushes you into a login prompt
The page usually shows one of these narratives:
Narrative A: “Log in to view your invitation”
This presents a fake Paperless Post style login form.
The goal is to harvest whatever email and password you type.
Narrative B: “Verify your email provider to continue”
This is more dangerous because it targets your email provider directly.
You may see buttons like:
Sign in with Google
Sign in with Microsoft
Sign in with Yahoo
Sign in with AOL
The page is not truly authentic single sign-on. It is a fake page that looks like it.
If you enter your Gmail or Microsoft 365 password here, the attacker gets your email credentials.
Narrative C: “Your session expired, sign in again”
This is a psychological trick.
Even cautious people sometimes think, “Maybe the first login did not work,” and try again, giving the attacker a second clean capture.
Step 6: Credential harvesting happens instantly
As soon as you submit credentials, they are transmitted to the attacker.
Often the site will then:
Redirect you to a blank page
Show an error message
Loop you back to the login form
Redirect you to a real site to reduce suspicion
That final redirect is a common tactic. It creates the illusion that nothing harmful happened.
Step 7: Attackers attempt account takeover
With your credentials, the attacker typically tries to log in immediately.
If MFA is not enabled, takeover can be immediate.
If MFA is enabled, they may try additional tactics:
Prompting you again to enter an MFA code on the phishing page
Using real-time phishing kits that relay credentials and codes instantly
Sending repeated login prompts to annoy you into approving one
Even when MFA is active, phishing still works if the attacker can trick you into giving the one-time code or approving a push notification.
Step 8: They secure persistence inside your email account
Once inside, attackers often set up ways to remain in control even if you notice later.
Common persistence actions include:
Creating forwarding rules: Your emails are silently forwarded to an attacker-controlled address.
Creating filters that hide security alerts: Messages from “security@” or “no-reply@” addresses may be archived automatically.
Adding a recovery email or phone number: So they can regain access if you change your password.
Creating app passwords or connecting third-party access: In some systems, attackers create an access method that bypasses normal sign-in checks.
Step 9: They use your account to spread the scam
Once your email is compromised, your account becomes the next launchpad.
Attackers may:
Send Paperless Post themed invitations to your contacts
Reply inside existing email threads to make it more convincing
Send messages that reference real recent conversations
Target your workplace by emailing coworkers and vendors
Thread hijacking is especially dangerous. If a scam email appears inside a real conversation history, many people will click without thinking.
Step 10: Monetization and damage
Once access is stable, attackers decide how to profit:
Stealing gift cards by requesting them from your contacts
Attempting to access financial accounts using password resets
Buying items using stored payment methods in shopping accounts
Performing identity theft using data found in your inbox
Selling account access to other criminal groups
Sometimes you will see small “test charges” on a card, such as $1 or $5, when criminals check whether a payment method works. Not every scam involves direct charges, but monitoring your accounts is still essential if you entered any financial details.
Variations you might see
Scammers adapt constantly. Here are common variations of the Paperless Post themed phishing email:
“You received a card” instead of an invitation
The message implies a greeting card or celebration note.
This works well around holidays, birthdays, and major events.
“Attachment included”
Some versions include a file rather than a link. The file may be:
a PDF that contains a malicious link
an HTML file that opens a fake login page in your browser
a ZIP file containing malware
If you download and open unknown attachments, the risk increases substantially.
“Work account required”
In corporate environments, the page may explicitly push Microsoft 365 login and show company-like branding.
This is a high-impact scenario because business email compromise can lead to invoice fraud and internal data exposure.
How to Spot the Scam Emails: Quick Checklist
Use this fast checklist anytime you receive a “Paperless Post invitation” or “card” email.
1) Attachments: what’s normal vs. what’s a red flag
Red flag: Any message that includes attachments you must download, especially:
.exe
.pdf
.zip
Office files (like .doc, .xls) you were not expecting
What to expect in legitimate emails: Legitimate Paperless Post emails do not include .EXE or .PDF attachments. The only files typically included are embedded image files.
2) Login or download prompts
Red flag: The email says you must:
log in to view the card
“verify your account” first
download a file, app, or “viewer” to open the invitation
enter your email password to see the content
What to expect in legitimate emails: Real Paperless Post emails should not force you to log in or download anything just to view a card or invitation.
3) Who sent it: verify the sender address
Red flag: The message comes from:
a random Gmail/Outlook/Yahoo address
a misspelled domain
a strange “reply-to” address that does not match the sender
an unrelated domain (even if the display name looks right)
Legitimate Paperless Post emails can come from these addresses:
paperless@email.paperlesspost.com
paperlesspost@paperlesspost.com
paperlesspost@accounts.paperlesspost.com
Official support emails can come from these addresses:
agent@paperlesspost.com
help@paperlesspost.com
optout@paperlesspost.com
pds@paperlesspost.com
phishing@paperlesspost.com
privacy@paperlesspost.com
security@paperlesspost.com
support@paperlesspost.com
If the sender address is not on this list, slow down and verify before clicking.
4) Text message links
Red flag: Any text message link that goes to a different domain, uses a link shortener, or looks unrelated.
What to expect in legitimate texts: Real Paperless Post texts include a link that starts with: https://pp.events/
5) Quick “safe move” when unsure
If you are uncertain, do not click the button in the email. Instead:
manually type the site address you trust in your browser, or use a saved bookmark
check your invitations inside your account
confirm with the sender via a separate channel (text or call) if the invite is unexpected
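The sender, reply-to, attachment and link checks from this checklist can be run over a saved message. The following Python is an added example, not code from Paperless Post or from this article; the two sample messages are constructed, and treating paperlesspost.com, its subdomains and pp.events as the only expected link hosts is an assumption.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Sender addresses the checklist above lists as legitimate.
KNOWN_SENDERS = {
    "paperless@email.paperlesspost.com",
    "paperlesspost@paperlesspost.com",
    "paperlesspost@accounts.paperlesspost.com",
    "agent@paperlesspost.com", "help@paperlesspost.com",
    "optout@paperlesspost.com", "pds@paperlesspost.com",
    "phishing@paperlesspost.com", "privacy@paperlesspost.com",
    "security@paperlesspost.com", "support@paperlesspost.com",
}
# Assumption: links are expected only on these hosts or their subdomains.
EXPECTED_LINK_HOSTS = ("paperlesspost.com", "pp.events")
RISKY_EXTENSIONS = (".exe", ".pdf", ".zip", ".doc", ".docx", ".xls", ".xlsx")
SHORTENERS = {"bit.ly", "tinyurl.com"}


def _expected_host(host):
    # Exact match or a true subdomain; "paperlesspost.com.evil.example" fails.
    return any(host == d or host.endswith("." + d) for d in EXPECTED_LINK_HOSTS)


def red_flags(raw_email):
    """Return the checklist red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email, policy=policy.default)
    flags = []

    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    if from_addr not in KNOWN_SENDERS:
        flags.append("sender-not-listed:" + from_addr)

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and reply_to != from_addr:
        flags.append("reply-to-mismatch:" + reply_to)

    body = ""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append("risky-attachment:" + name)
        elif part.get_content_maintype() == "text" and not part.is_attachment():
            body += part.get_content()

    # Judge each link by where it really points, not by the button text.
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlsplit(url).hostname or "").lower()
        if host in SHORTENERS:
            flag = "shortened-link:" + host
        elif not _expected_host(host):
            flag = "unexpected-link-host:" + host
        else:
            continue
        if flag not in flags:
            flags.append(flag)
    return flags


# Constructed sample: invitation sent from a (compromised) friend's mailbox.
PHISH_SAMPLE = """\
From: Sarah Miller <sarah.miller@example.net>
Reply-To: rsvp-desk@example.org
To: you@example.com
Subject: You're invited
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Sarah invited you via Paperless Post.</p>
<a href="https://bit.ly/EXAMPLE">View Invitation</a>
<a href="https://paperless-invite-rsvp.example/login">RSVP now</a>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="invitation.zip"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""

# Constructed sample: listed sender, link on the brand domain, no attachment.
LEGIT_SAMPLE = """\
From: Paperless Post <paperless@email.paperlesspost.com>
To: you@example.com
Subject: You're invited
Content-Type: text/plain; charset="utf-8"

View your invitation: https://www.paperlesspost.com/
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, red_flags(sample))
```

An empty result means none of these red flags was found, not that the message is authentic: a From header can be forged, so the separate-channel confirmation above still applies.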
What To Do If You Have Fallen Victim to This Scam
Your response depends on what happened. Do not panic, but do act quickly. The earlier you respond, the more you can contain.
Below is a structured checklist. Follow the steps that match your situation.
1) If you only opened the email but did not click anything
You are likely fine, but do the basics:
Delete the email.
Mark it as phishing or spam in your email client.
If it came from someone you know, contact them through another channel and let them know their account may be compromised.
2) If you clicked the link but did not enter any information
Treat it as a warning shot. Do this:
Close the page immediately.
Clear your browser tab and do not revisit the link.
Run a quick malware scan if you are on a computer, especially if anything downloaded.
Monitor your email account for suspicious sign-in alerts over the next 24 to 72 hours.
Consider changing your email password anyway, especially if:
you reuse passwords anywhere
you are not sure whether you typed anything
you stayed on the phishing page for more than a moment
3) If you entered your email password on the page
Assume your email account is compromised until proven otherwise.
Do these steps in order:
Change your email password immediately. Use a strong, unique password that you have never used elsewhere.
Enable MFA on your email account. Use an authenticator app if possible, not just SMS.
Sign out of all sessions. Most email providers have an option like “Sign out of all devices” or “Log out of other sessions.”
Check account recovery settings. Look for unknown:
recovery emails
phone numbers
devices
trusted locations
Remove anything you do not recognize.
Check forwarding and filters. This step is critical and often missed. Look for:
mail forwarding to an unfamiliar address
rules that auto-archive or delete security alerts
rules that send copies of certain emails to another folder
Review recent account activity. Check for logins from unfamiliar locations or devices.
Change passwords on other important accounts. Prioritize accounts tied to your email:
banking and payment platforms
shopping sites
social media
any account where “reset password” goes through your email
If you reused the same password, change those first.
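The forwarding and filter check in the steps above can be run over an exported rule list. This Python is an added example, not code from this article or from any mail provider; it assumes the rules are dictionaries shaped like Gmail API filter resources (criteria, plus an action with forward, addLabelIds and removeLabelIds), and the sample rules, addresses and the own_domains set are constructed.

```python
# Terms that suggest a rule is aimed at security notifications. The first two
# come from the persistence description above; the rest are assumptions.
SECURITY_HINTS = ("security@", "no-reply@", "noreply@", "password", "sign-in", "alert")


def audit_filters(filters, own_domains):
    """Return (filter_id, finding, detail) tuples for rules worth reviewing."""
    findings = []
    for rule in filters:
        rule_id = rule.get("id", "?")
        criteria = rule.get("criteria", {})
        action = rule.get("action", {})

        # 1. Mail forwarded to an address outside domains the owner controls.
        forward = action.get("forward", "")
        if forward and forward.rsplit("@", 1)[-1].lower() not in own_domains:
            findings.append((rule_id, "forwards-externally", forward))

        # 2. Rules that archive (remove INBOX) or delete (add TRASH) mail.
        hides = ("INBOX" in action.get("removeLabelIds", [])
                 or "TRASH" in action.get("addLabelIds", []))
        if hides:
            matched = " ".join(
                str(criteria.get(key, "")) for key in ("from", "subject", "query")
            ).lower().strip()
            if any(hint in matched for hint in SECURITY_HINTS):
                # Security alerts never reach the inbox: high priority.
                findings.append((rule_id, "hides-security-mail", matched))
            else:
                # May be a normal tidy-up rule; the owner should confirm it.
                findings.append((rule_id, "skips-inbox", matched))
    return findings


# Constructed sample export: one ordinary rule, two suspicious, one benign.
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@shop.example"},
     "action": {"addLabelIds": ["Label_7"], "removeLabelIds": ["INBOX"]}},
    {"id": "f2", "criteria": {"query": "invoice OR payment"},
     "action": {"forward": "collector@mailbox.example"}},
    {"id": "f3", "criteria": {"from": "security@ OR no-reply@"},
     "action": {"removeLabelIds": ["INBOX", "UNREAD"]}},
    {"id": "f4", "criteria": {"subject": "family photos"},
     "action": {"forward": "me@home.example"}},
]

if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_FILTERS, own_domains={"home.example"}):
        print(finding)
```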
4) If you entered a password for any other service
Sometimes the phishing page asks for other credentials, especially Microsoft 365.
If you entered credentials for a work account:
Notify your IT team or security team immediately.
Change your password following company policy.
Ask IT to check:
mailbox rules
suspicious sign-ins
OAuth app permissions (third-party app access)
unusual outbound email activity
Fast reporting can prevent a broader outbreak.
5) If you entered an MFA code or approved a push notification
This is more serious because the attacker may have used the code in real time.
Do this immediately:
Change your password right away.
Sign out of all devices and sessions.
Revoke active sessions where possible.
Review account security logs.
Consider regenerating backup codes if your provider uses them.
If available, switch to phishing-resistant methods (such as passkeys) for key accounts.
6) If you downloaded and opened a file
If the email included an attachment and you opened it, take this seriously even if nothing “seemed” to happen.
Disconnect the device from the internet if you suspect malware.
Run a reputable antivirus and malware scan.
Check your browser downloads folder and delete unknown files.
Update your operating system and browser.
Change your email password from a different, clean device if you suspect compromise.
If you use the device for work, notify IT.
7) If the email came from someone you know
A lot of victims feel awkward warning the sender. Do it anyway.
Send a simple note through text message or another channel:
Tell them you received an invitation email that looks like phishing.
Ask them if they sent it.
Encourage them to change their email password and enable MFA.
Suggest they check forwarding rules and sent mail.
This can stop the scam chain.
8) Watch for secondary attacks over the next few days
After credential theft, attackers often try follow-up moves.
Watch for:
Password reset emails you did not request
Security alerts about new sign-ins
Emails in your “Sent” folder that you did not send
Contacts saying they received strange messages from you
Missing emails due to filters or forwarding rules
If you see any of these, treat it as confirmation of compromise and escalate your response.
9) Monitor financial accounts if there is any chance of exposure
Even if the scam targeted email, financial fallout can happen through password resets.
If you suspect any exposure:
Review bank and card transactions carefully.
Look for small test charges like $1, $5, or other low amounts.
Consider setting transaction alerts for any purchase.
If you see fraud, contact your bank immediately and dispute charges.
10) Strengthen your defenses so this does not happen again
A single set of upgrades dramatically reduces risk:
Use a password manager and unique passwords for every major account.
Enable MFA everywhere, especially email.
Prefer authenticator apps or passkeys over SMS where possible.
Treat unexpected invitations as suspicious, even from known people.
Verify through a second channel if the invitation is unusual.
A quick “If this happened, do this” summary
Clicked link only: close, scan, monitor sign-ins, consider password change
Entered MFA code: treat as active compromise, reset everything immediately
Opened attachment: scan device, change passwords from a clean device, consider IT help
Came from a friend: warn them, they are likely compromised too
Is Your Device Infected? Scan for Malware
If your computer or phone is slow, showing unwanted pop-ups, or acting strangely, malware could be the cause. Running a scan with Malwarebytes Anti-Malware Free is one of the most reliable ways to detect and remove harmful software. The free version can identify and clean common infections such as adware, browser hijackers, trojans, and other unwanted programs.
Malwarebytes works on Windows, Mac, and Android devices. Choose your operating system below and follow the steps to scan your device and remove any malware that might be slowing it down.
Run a Malware Scan with Malwarebytes for Windows
Malwarebytes stands out as one of the leading and most widely used anti-malware solutions for Windows, and for good reason. It effectively eradicates various types of malware that other programs often overlook, all at no cost to you. When it comes to disinfecting an infected device, Malwarebytes has consistently been a free and indispensable tool in the battle against malware. We highly recommend it for maintaining a clean and secure system.
Download Malwarebytes
Download the latest version of Malwarebytes for Windows using the official link below. Malwarebytes will scan your computer and remove adware, browser hijackers, and other malicious software for free.
Install Malwarebytes
After the download is complete, locate the MBSetup file, typically found in your Downloads folder. Double-click on the MBSetup file to begin the installation of Malwarebytes on your computer. If a User Account Control pop-up appears, click “Yes” to continue the Malwarebytes installation.
Follow the On-Screen Prompts to Install Malwarebytes
When the Malwarebytes installation begins, the setup wizard will guide you through the process.
You’ll first be prompted to choose the type of computer you’re installing the program on—select either “Personal Computer” or “Work Computer” as appropriate, then click on Next.
Malwarebytes will now begin the installation process on your device.
When the Malwarebytes installation is complete, the program will automatically open to the “Welcome to Malwarebytes” screen.
On the final screen, simply click on the Open Malwarebytes option to start the program.
Enable “Rootkit scanning”.
Malwarebytes Anti-Malware will now start, and you will see the main screen. To maximize Malwarebytes’ ability to detect malware and unwanted programs, we need to enable rootkit scanning. Click on the “Settings” gear icon located on the left of the screen to access the general settings section.
In the settings menu, enable the “Scan for rootkits” option by clicking the toggle switch until it turns blue.
Now that you have enabled rootkit scanning, click on the “Dashboard” button in the left pane to get back to the main screen.
Perform a Scan with Malwarebytes.
To start a scan, click the Scan button. Malwarebytes will automatically update its antivirus database and begin scanning your computer for malicious programs.
Wait for the Malwarebytes scan to complete.
Malwarebytes will now scan your computer for browser hijackers and other malicious programs. This process can take a few minutes, so we suggest you do something else and periodically check the status of the scan to see when it is finished.
Quarantine detected malware
Once the Malwarebytes scan is complete, it will display a list of detected malware, adware, and potentially unwanted programs. To effectively remove these threats, click the “Quarantine” button.
Malwarebytes will now delete all of the files and registry keys and add them to the program’s quarantine.
Restart your computer.
When removing files, Malwarebytes may require a reboot to fully eliminate some threats. If you see a message indicating that a reboot is needed, please allow it. Once your computer has restarted and you are logged back in, you can continue with the remaining steps.
Once the scan completes, remove all detected threats. Your Windows computer should now be clean and running smoothly again, free of trojans, adware, and other malware.
If your current antivirus allowed this malicious program on your computer, you may want to consider purchasing Malwarebytes Premium to protect against these types of threats in the future. If you are still having problems with your computer after completing these instructions, then please follow one of the steps:
Run a Malware Scan with Malwarebytes for Mac
Malwarebytes for Mac is an on-demand scanner that can destroy many types of malware that other software tends to miss, without costing you anything. When it comes to cleaning up an infected device, Malwarebytes has always been free, and we recommend it as an essential tool in the fight against malware.
Download Malwarebytes for Mac.
You can download Malwarebytes for Mac by clicking the link below.
When Malwarebytes has finished downloading, double-click on the setup file to install Malwarebytes on your computer. In most cases, downloaded files are saved to the Downloads folder.
Follow the on-screen prompts to install Malwarebytes.
When the Malwarebytes installation begins, you will see the Malwarebytes for Mac Installer, which will guide you through the installation process. Click “Continue”, then keep following the prompts to continue with the installation process.
When your Malwarebytes installation completes, the program opens to the Welcome to Malwarebytes screen. Click the “Get started” button.
Select “Personal Computer” or “Work Computer”.
The Malwarebytes Welcome screen will first ask what type of computer you are installing the program on. Click either Personal Computer or Work Computer.
Click on “Scan”.
To scan your computer with Malwarebytes, click on the “Scan” button. Malwarebytes for Mac will automatically update the antivirus database and start scanning your computer for malware.
Wait for the Malwarebytes scan to complete.
Malwarebytes will scan your computer for adware, browser hijackers, and other malicious programs. This process can take a few minutes, so we suggest you do something else and periodically check on the status of the scan to see when it is finished.
Click on “Quarantine”.
When the scan has been completed, you will be presented with a screen showing the malware infections that Malwarebytes has detected. To remove the malware that Malwarebytes has found, click on the “Quarantine” button.
Restart computer.
Malwarebytes will now remove all the malicious files that it has found. To complete the malware removal process, Malwarebytes may ask you to restart your computer.
After scanning, delete any detected threats. Your Mac should now be free from adware, unwanted extensions, and other potentially harmful software.
If your current antivirus allowed a malicious program on your computer, you might want to consider purchasing the full-featured version of Malwarebytes Anti-Malware to protect against these types of threats in the future. If you are still experiencing problems while trying to remove a malicious program from your computer, please ask for help in our Mac Malware Removal Help & Support forum.
Run a Malware Scan with Malwarebytes for Android
Malwarebytes for Android automatically detects and removes dangerous threats like malware and ransomware so you don’t have to worry about your most-used device being compromised. Aggressive detection of adware and potentially unwanted programs keeps your Android phone or tablet running smoothly.
Download Malwarebytes for Android.
You can download Malwarebytes for Android by clicking the link below.
In the Google Play Store, tap “Install” to install Malwarebytes for Android on your device.
When the installation process has finished, tap “Open” to begin using Malwarebytes for Android. You can also open Malwarebytes by tapping on its icon in your phone menu or home screen.
Follow the on-screen prompts to complete the setup process
When Malwarebytes opens, you will see the Malwarebytes Setup Wizard, which will guide you through a series of permissions and other setup options. This is the first of two screens that explain the difference between the Premium and Free versions. Swipe this screen to continue. Tap on “Got it” to proceed to the next step. Malwarebytes for Android will now ask for a set of permissions that are required to scan your device and protect it from malware. Tap on “Give permission” to continue. Tap on “Allow” to permit Malwarebytes to access the files on your phone.
Update database and run a scan with Malwarebytes for Android
You will now be prompted to update the Malwarebytes database and run a full system scan.
Click on “Update database” to update the Malwarebytes for Android definitions to the latest version, then click on “Run full scan” to perform a system scan.
Wait for the Malwarebytes scan to complete.
Malwarebytes will now start scanning your phone for adware and other malicious apps. This process can take a few minutes, so we suggest you do something else and periodically check on the status of the scan to see when it is finished.
Click on “Remove Selected”.
When the scan has been completed, you will be presented with a screen showing the malware infections that Malwarebytes for Android has detected. To remove the malicious apps that Malwarebytes has found, tap on the “Remove Selected” button.
Restart your phone.
Malwarebytes for Android will now remove all the malicious apps that it has found. To complete the malware removal process, Malwarebytes may ask you to restart your device.
When the scan is finished, remove all detected threats. Your Android phone should now be free of malicious apps, adware, and unwanted browser redirects.
If your current antivirus allowed a malicious app on your phone, you may want to consider purchasing the full-featured version of Malwarebytes to protect against these types of threats in the future. If you are still having problems with your phone after completing these instructions, then please follow one of the steps:
Restore your phone to factory settings by going to Settings > General management > Reset > Factory data reset.
After cleaning your device, it’s important to protect it from future infections and annoying pop-ups. We recommend installing an ad blocker such as AdGuard. AdGuard blocks malicious ads, prevents phishing attempts, and stops dangerous redirects, helping you stay safe while browsing online.
The Bottom Line
The Paperless Post scam email is a phishing attack wrapped in something that feels personal and harmless.
That is why it works.
It often arrives from real, compromised email accounts belonging to people you know, which gives it instant credibility. The “invitation” is just the hook. The real goal is your login credentials, especially for your email account, because email access can unlock everything else.
If you clicked but did not enter anything, take it as a close call and stay alert. If you entered your password or any security code, move quickly: change passwords, enable MFA, sign out of active sessions, and check for forwarding rules and hidden filters.
Most importantly, do not blame yourself. These campaigns are designed to exploit normal human behavior: curiosity, trust, and social connection. With a clear response plan and stronger account security, you can shut down the damage and make it much harder for the next attempt to succeed.
FAQ: Paperless Post Scam Email
What is the Paperless Post scam email?
It is a phishing email that pretends you received a Paperless Post invitation or card. The goal is to lure you into clicking a link and entering your login details, often your email password.
Is Paperless Post legitimate?
Yes, Paperless Post is a real service. The scam abuses its name and branding to make a fake invitation look trustworthy.
Why does the email sometimes look like it came from someone I know?
Because scammers often take over real email accounts and then send phishing messages to that person’s contacts. That makes the “From” name feel familiar even though the link is dangerous.
Do real Paperless Post emails include attachments like .pdf or .exe?
No. Legitimate Paperless Post emails should not include .EXE or .PDF attachments or other downloadable files. The only files typically included are embedded images.
Do real Paperless Post emails require me to log in or download something to view the card?
No. A message that insists you must log in, “verify,” or download a file or app just to view the invitation is a strong phishing signal.
What sender addresses are considered official?
Legitimate Paperless Post emails can come from:
paperless@email.paperlesspost.com
paperlesspost@paperlesspost.com
paperlesspost@accounts.paperlesspost.com
Official support emails can come from:
agent@paperlesspost.com
help@paperlesspost.com
optout@paperlesspost.com
pds@paperlesspost.com
phishing@paperlesspost.com
privacy@paperlesspost.com
security@paperlesspost.com
support@paperlesspost.com
If the sender is outside these, treat it as suspicious until verified.
What should a legitimate Paperless Post text link look like?
Real texts include a link that starts with https://pp.events/. Be cautious with shortened links or domains that do not match.
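The two checks above (sender address and text-link prefix) can be automated for mail or SMS triage. The following Python sketch is an added example, not code from Paperless Post or from the original article; the function names and the sample links are constructed for illustration, and the lookalike hosts use the reserved .example domain.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Addresses this page lists as official (invitation senders and support).
OFFICIAL_SENDERS = {
    "paperless@email.paperlesspost.com",
    "paperlesspost@paperlesspost.com",
    "paperlesspost@accounts.paperlesspost.com",
    "agent@paperlesspost.com", "help@paperlesspost.com",
    "optout@paperlesspost.com", "pds@paperlesspost.com",
    "phishing@paperlesspost.com", "privacy@paperlesspost.com",
    "security@paperlesspost.com", "support@paperlesspost.com",
}

def sender_is_listed(from_header):
    """Match the real address, not the display name, against the list.

    A listed address is not proof of legitimacy (From headers can be
    forged); an unlisted one is suspicious until verified.
    """
    _display_name, address = parseaddr(from_header)
    return address.lower() in OFFICIAL_SENDERS

def text_link_is_official(url):
    """True only for an https link whose host is exactly pp.events."""
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port
    except ValueError:  # malformed host or port
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False  # wrong scheme, or "pp.events@other-host" userinfo trick
    return host == "pp.events" and port in (None, 443)

def suspicious_links(links):
    """Return the links that do not match the official text-link form."""
    return [u for u in links if not text_link_is_official(u)]

# Constructed sample links: one official form and three lookalikes.
SAMPLE_LINKS = [
    "https://pp.events/abc123",
    "https://pp.events.invite-view.example/abc123",  # lookalike subdomain
    "https://pp.events@invite-view.example/abc123",  # real host follows '@'
    "http://pp.events/abc123",                       # not https
]

if __name__ == "__main__":
    print(sender_is_listed('"Paperless Post" <jane@example.org>'))
    for link in suspicious_links(SAMPLE_LINKS):
        print("suspicious:", link)
```

Parsing the host instead of comparing string prefixes is what catches the subdomain and userinfo lookalikes.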
I clicked the link. Am I automatically hacked?
Not necessarily. If you clicked but did not enter any information and did not download anything, you may be fine. Still, it is smart to scan your device and monitor for unusual sign-in alerts.
I entered my email password on the page. What should I do right now?
Assume the password is compromised:
Change your email password immediately.
Enable MFA on your email account.
Sign out of all devices and sessions.
Check for mail forwarding and suspicious rules/filters.
Change passwords anywhere you reused that same password.
How do I report a suspected phishing email?
Report it in your email client as phishing/spam. You can also forward or report it to Paperless Post using the official address:
phishing@paperlesspost.com
How can I safely check whether an invitation is real?
Do not click the email button. Instead, open your browser and go directly to the Paperless Post site from a trusted bookmark, then check your invitations inside your account. If it claims to be from a friend, confirm with them via text or a call.
Can enabling MFA prevent this scam from working?
MFA helps a lot, but it is not perfect. Some phishing pages try to capture MFA codes in real time. Still, enabling MFA on your email is one of the best protections you can add.
10 Rules to Avoid Online Scams
Here are 10 practical safety rules to help you avoid malware, online shopping scams, crypto scams, and other online fraud. Each tip includes a quick “if you already got hit” action.
Stop and verify before you click, log in, download, or pay.
Most scams win by creating urgency. Verify using a trusted method: type the website address yourself, use the official app, or call a known number (not the one in the message).
If you already clicked: close the page, do not enter passwords, and run a malware scan.
Keep your operating system, browser, and apps updated.
Updates patch security holes used by malware and malicious ads. Turn on automatic updates where possible.
If you saw a scary “update now” pop-up: close it and update only through your device settings or the official app store.
Use layered protection: antivirus plus an ad blocker.
Antivirus helps block malware. An ad blocker reduces scam redirects, phishing pages, and malvertising.
If your browser is acting weird: remove unknown extensions, reset the browser, then run a full scan.
Install apps, software, and extensions only from official sources.
Avoid cracked software, “keygens,” and random downloads. During installs, choose Custom/Advanced and decline bundled offers you do not recognize.
If you already installed something suspicious: uninstall it, restart, and scan again.
Treat links and attachments as untrusted by default.
Phishing often impersonates delivery services, banks, and popular brands. If it is unexpected, do not open attachments or log in through the message.
If you entered credentials: change the password immediately and enable 2FA.
Shop safely: research the store, then pay with protection.
Be cautious with brand-new stores, “closing sale” stories, and prices that make no sense. Prefer credit cards or PayPal for dispute options. Avoid wire transfers, gift cards, and crypto payments.
If you already paid: contact your card issuer or PayPal quickly to dispute the transaction.
Crypto rule: never pay a “fee” to withdraw or recover money.
Common patterns include fake profits, then “tax,” “gas,” or “verification” fees. Another is a “recovery agent” who demands upfront crypto.
If you already sent crypto: stop paying, save evidence (wallet addresses, TXIDs, chats), and report the scam to the platform used.
Secure your accounts with unique passwords and 2FA (start with email).
Use a password manager and unique passwords for every account. Enable 2FA using an authenticator app when possible.
If you suspect an account takeover: change passwords, sign out of all devices, and review recent logins and recovery settings.
Back up important files and keep one backup offline.
Backups protect you from ransomware and device failure. Keep at least one backup on an external drive that is not always connected.
If you suspect infection: do not connect backup drives until the system is clean.
If you think you are a victim: stop losses, document evidence, and escalate fast.
Move quickly. Speed matters for disputes, account recovery, and limiting damage.
Stop payments and contact: do not send more money or respond to the scammer.
Call your bank or card issuer: block transactions, replace the card if needed, and start a dispute or chargeback.
Secure your email first: change the email password, enable 2FA, and remove unfamiliar recovery options.
Secure other accounts: change passwords, enable 2FA, and log out of all sessions.
Scan your device: remove suspicious apps or extensions, then run a full malware scan.
Save evidence: screenshots, emails, order pages, tracking pages, wallet addresses, TXIDs, and chat logs.
Report it: to the payment provider, marketplace, social platform, exchange, or wallet service involved.
These rules are intentionally simple. Most online losses happen when decisions are rushed. Slow down, verify independently, and use payment methods and account controls that give you recourse.
Thomas is an expert at uncovering scams and providing in-depth reporting on cyber threats and online fraud. As an editor, he is dedicated to keeping readers informed on the latest developments in cybersecurity and tech.