More PayPal emails hijacked to deliver tech support scams

Brownie2019

Scammers have found another way to get deceptive messages delivered through PayPal’s legitimate services.

In December 2025, we reported that PayPal closed a loophole that let scammers send real emails with fake purchase notices.

In those cases, scammers created a PayPal subscription and then paused it, which triggered PayPal’s genuine “Your automatic payment is no longer active” notification. They also set up a fake subscriber account, likely a Google Workspace mailing list, which automatically forwarded any email it received to all other group members.

Recently, ConsumerWorld.org alerted us that tech support scammers have found a way to manipulate the subject line of PayPal payment notifications.
Read more on:
 
This is a good example of why email trust should not be based only on the sender address.

What appears to be happening

PayPal’s legitimate mail system is being abused so that:
  • the message is genuinely sent through PayPal infrastructure,
  • it can pass normal authentication checks like SPF/DKIM/DMARC,
  • but the content or subject line is manipulated to make it look like a billing problem or urgent purchase issue.

That makes these emails more convincing than a normal phishing message, because the sender may really be PayPal. The danger is not necessarily malware in the email itself, but social engineering that tries to push the recipient into calling a fake support number or reacting in panic.

Important point

A message can be authentic as an email delivery while still being deceptive in intent.

So users should verify the transaction independently:
  • open PayPal by typing the PayPal website address manually or using the official app,
  • check the account activity and notifications there,
  • do not call phone numbers or use links provided in the suspicious email,
  • do not trust invoice text, subject lines, or “customer support” instructions without confirming inside the account.

Why this works so well

Many people are taught to look for:
  • a known sender,
  • a valid domain,
  • branding,
  • and whether the email lands in the inbox instead of spam.

But those checks are no longer enough when a legitimate platform can be misused. The real security boundary is the independent verification step.

Practical takeaway

For PayPal, Microsoft, DocuSign, Google, and similar services, the safest habit is:
  • never use contact details provided inside an unexpected billing/security email,
  • log in directly from a trusted bookmark or manually typed address,
  • review recent transactions there,
  • if needed, contact the company through the official support page only.

Bottom line

This is not a failure of users being careless so much as a reminder that legitimate services themselves can sometimes be abused as delivery channels. The safest response is to treat any unexpected payment alert as unverified until it is confirmed in the actual PayPal account.
 
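Added example, not part of the thread or of the quoted article: a mail-triage sketch for the case discussed above, where a notification passes SPF/DKIM/DMARC yet carries a callback lure in its subject line. The sender domain, the `mx.example.net` authserv-id, the lure word list and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Phone-number shape: optional country code, then 3-3-4 digits with common separators.
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Callback-lure wording: an assumed starter list, not taken from the article.
LURE_RE = re.compile(r"\b(call|contact|support|help ?desk|cancel|dispute|refund)\b", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def trusted_verdicts(msg, authserv_id):
    """Read spf/dkim/dmarc results only from headers stamped by our own MTA."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        server, _, results = value.partition(";")
        if server.strip().lower() != authserv_id.lower():
            continue  # header added upstream or by the sender: ignore it
        for mech, result in AUTH_RE.findall(results):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts

def triage(raw, authserv_id="mx.example.net"):
    msg = message_from_string(raw)
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    authenticated = trusted_verdicts(msg, authserv_id).get("dmarc") == "pass"
    phones = [m.group(0).strip() for m in PHONE_RE.finditer(subject)]
    lure = bool(phones) and bool(LURE_RE.search(subject))
    if not authenticated:
        verdict = "unauthenticated"
    elif lure:
        verdict = "authenticated-but-suspicious"  # the case this thread is about
    else:
        verdict = "authenticated"
    return {"verdict": verdict, "phones": phones}

def sample(subject, authserv="mx.example.net"):
    """Build a constructed test message; all names and numbers are fictional."""
    return (
        f"Authentication-Results: {authserv}; spf=pass smtp.mailfrom=payments.example;"
        " dkim=pass header.d=payments.example; dmarc=pass header.from=payments.example\n"
        "From: Payments <service@payments.example>\n"
        f"Subject: {subject}\n\nbody omitted\n"
    )

if __name__ == "__main__":
    print(triage(sample("Charge of $599.99 pending, call support +1 (800) 555-0100 to cancel")))
    print(triage(sample("You sent a payment of $25.00 USD")))
```

A flag from this check is a reason to hold the message for review, not proof of fraud; the confirmation step remains checking the account directly.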