PayPal Scam Emails - How to Spot Them and What to Do (2026)

PayPal is the 3rd most impersonated company in the US. Learn how the most dangerous scams work, how to spot fake emails, and what to do if you've been targeted.

May 4, 2026

PayPal is the third most impersonated company in the United States, according to FTC 2024 data, and attacks impersonating it surged by 600% in 2025 alone. With over 300 million account holders globally, it is an obvious target: scammers go where the users are. Fake emails, fraudulent invoices, smishing texts, and increasingly sophisticated spoofing techniques are all in active use. This guide covers how the most common scams work, how to identify them, and what to do if you have been caught out.

Why PayPal is a favourite target

The combination of PayPal's scale and the way money moves through it makes it unusually attractive to scammers. Transactions are fast, often hard to reverse, and familiar enough that a well-crafted fake email can feel completely routine. ESET's security researchers detected over 4,000 PayPal-targeting phishing attempts in the first half of 2025 alone, noting that "attacks have become much more sophisticated compared to basic phishing campaigns of years past."

The most dangerous development in recent years is that some PayPal scam emails now pass every standard authenticity check — including the sender domain. Understanding why that is possible, and what to look for instead, is the most important thing this guide can give you.

Common PayPal scam types

Phishing emails

The most widespread variant. A fake email, typically claiming your account has been limited, a payment has failed, or unusual activity has been detected, directs you to a link that leads to a convincing replica of the PayPal login page. Any credentials you enter go directly to the scammer. The fake pages are often indistinguishable from the real thing visually.

Fake invoice scams

Scammers send a PayPal invoice for goods or services you never ordered, often framed as a software licence renewal or a subscription charge. The invoice looks exactly like a real PayPal payment request. The goal is not necessarily to get you to pay it directly — it is to panic you into calling a "customer service" phone number listed on the invoice. That number reaches a scammer, not PayPal. Once on the phone, the scammer attempts to obtain your account credentials or remote access to your device.

A more sophisticated version of this scam uses real PayPal Business accounts — sometimes legitimately created, sometimes hijacked — to send invoices that genuinely originate from PayPal's servers. These pass domain verification checks. The only tell is the content.

Bitcoin invoice scams

A fake invoice arrives claiming you have purchased cryptocurrency, typically for $500 to $2,000 or more. No crypto purchase was made. The invoice is designed to create enough alarm that you call the phone number provided to "dispute" it. The call is the attack. The scammer on the other end will request remote access to your device to "resolve" the transaction and will use that access to drain your accounts.

The 1p deposit scam

One of the most sophisticated variants currently in circulation. A scammer sends a genuine 1p payment to your PayPal account using a fraudulent or hacked PayPal Business account. PayPal's own systems generate a real transaction notification, which passes every authenticity check — because it is a real PayPal email. A follow-up message then claims the penny was a "verification payment" ahead of a larger transfer, and instructs you to call a number if you did not authorise it. That number connects to the scammer.

What makes this dangerous is that the initial email is entirely authentic. You can verify the 1p deposit actually landed in your account, which lends the follow-up message false credibility. PayPal itself has noted: "PayPal will never demand urgent action or include phone numbers in payment messages."

Overpayment scams (for sellers)

A buyer pays for an item using a stolen card, intentionally overpaying. They then request a refund of the excess via a different method — bank transfer, gift card, or wire. When PayPal reverses the original fraudulent payment, the seller has already sent the "refund." The seller loses the product, the shipping cost, and the money they transferred.

Friends & Family payment trap

Scammers buying goods or services will sometimes insist on paying via PayPal's Friends & Family option, which carries no buyer protection and eliminates PayPal's dispute resolution process entirely. If you are selling something, you should never accept a Friends & Family payment from someone you do not know personally.

How to spot a fake PayPal email

Use the STALL framework (PayPal's official guidance):

  • Sender: Check the full sending address, not just the display name. Legitimate PayPal emails come from @paypal.com. However, as the warning on sophisticated spoofing below explains, the sender address alone is not sufficient for all variants.

  • Tone: Be alert to urgency, pressure, or threats. Scammers create false deadlines because they need you to act before you think.

  • Attachments: PayPal never sends attachments. If an email from PayPal contains a PDF or any other file, do not open it.

  • Links: Hover over any link before clicking to see where it actually leads. If the URL is not paypal.com, do not click. You can also paste the link into ScamInfo's ScamCheck Validator to check it without visiting the site.

  • Login: Be suspicious of any unexpected prompt to log in via an email link. Go to paypal.com directly by typing it into your browser.

Additional red flags:

  • Generic greeting ("Dear user," "Dear customer") — PayPal always addresses you by your full registered name

  • Typos, poor grammar, or the brand name written as "paypal" rather than "PayPal"

  • Pixelated or visibly off-brand logo

  • Instructions to call a phone number

  • Any request for your password, card details, or security code via email

What PayPal will never do:

  • Address you as "Dear customer" or "Dear user"

  • Ask for your password or account verification code by email or phone

  • Request remote access to your device

  • Ask you to send money to "verify" your account

  • Ask you to use a different payment platform

  • Include phone numbers in payment notification emails

  • Send emails with attachments

A critical warning about sophisticated spoofing

Standard advice — check that the sender is @paypal.com — is now insufficient for certain attack variants. ESET has documented scammers exploiting misconfigurations in PayPal's own email infrastructure to send phishing messages that legitimately originate from PayPal's servers. The 1p deposit scam works on the same principle: the triggering email genuinely is from PayPal.

For these variants, the sender address offers no protection. The tell is always the content: unexpected invoices, urgency, requests to call a phone number, or instructions that do not match anything visible in your PayPal account. When in doubt, log into PayPal directly at paypal.com and check your activity. If there is no corresponding notification there, the email is fraudulent.
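
The STALL checks and the content-first rule above can be applied mechanically to a raw message. The following Python is an added example, not PayPal's or ScamInfo's tooling: the function names, keyword lists and sample message are constructed for illustration, and treating subdomains of paypal.com as legitimate is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): sender passes, content does not.
SAMPLE = """\
From: "PayPal" <service@paypal.com>
Subject: Invoice for Bitcoin purchase
Content-Type: text/plain; charset="utf-8"

Dear customer,
You were charged $899.00. If you did not authorise this, act immediately:
call +1 (555) 010-0199 or visit https://paypal.com.account-review.example/login
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
GREETING_RE = re.compile(r"\bdear (user|customer)\b", re.I)
TONE_RE = re.compile(r"\b(immediately|urgent(ly)?|suspended|limited)\b", re.I)

def is_paypal_host(host):
    # Exact domain or a true subdomain; "paypal.com.evil.example" fails.
    host = (host or "").lower().rstrip(".")
    return host == "paypal.com" or host.endswith(".paypal.com")

def red_flags(raw):
    """Return the sorted STALL-style red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags, body = set(), ""
    if not is_paypal_host(parseaddr(msg.get("From", ""))[1].rpartition("@")[2]):
        flags.add("sender")
    for part in msg.walk():
        if part.get_filename():  # any named file part counts as an attachment
            flags.add("attachment")
        elif part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            body += part.get_payload(decode=True).decode(charset, "replace")
    if any(not is_paypal_host(urlparse(u).hostname) for u in URL_RE.findall(body)):
        flags.add("link")
    if PHONE_RE.search(URL_RE.sub(" ", body)):  # ignore digits inside URLs
        flags.add("phone")
    if GREETING_RE.search(body):
        flags.add("greeting")
    if TONE_RE.search(body):
        flags.add("tone")
    return sorted(flags)
```

An empty result does not make a message genuine; the deciding check remains whether a matching entry appears when you log in at paypal.com directly.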

Fake PayPal texts (smishing)

Scammers also impersonate PayPal by text message. The goal is the same as with email: create urgency, get you to click a link or call a number. The same rules apply. Do not click links in unexpected texts claiming to be from PayPal, and do not call numbers provided in those texts.

If you receive a suspicious text, go to paypal.com directly or open the PayPal app and check your notifications. If there is nothing there corresponding to what the text claimed, the message is a scam. You can report it by forwarding the text to phishing@paypal.com: press and hold the message, tap "More" (or the three dots on Android), then tap "Forward."

What to do if you have been scammed

Acting quickly significantly improves your chances of recovering funds and limiting further damage.

1. Change your PayPal password immediately. Also change the password on any other account where you use the same credentials. Enable two-factor authentication on PayPal if you have not already done so.

2. File a dispute through PayPal's Resolution Centre. You have a 180-day window from the transaction date. Contact the seller or sender first; if unresolved within 20 days, escalate to a formal claim. PayPal users tend to have better recovery outcomes than users of Zelle, Venmo, or Cash App — but only for transactions covered by Buyer or Seller Protection. Friends & Family payments are not covered.

3. Notify your bank or card issuer. If payment details were exposed, request a card freeze and ask about chargeback options. Credit card and bank-linked payments may be recoverable separately from PayPal's dispute process.

4. Freeze your credit at all three bureaus (Experian, Equifax, TransUnion) if personal identifying information was compromised.

5. Scan your device for malware if you clicked a link or opened an attachment.

6. If you granted remote access to your device: Disconnect from the internet immediately, run a full malware scan, change all passwords for accounts you were logged into on that device, and notify your bank. If you are not confident the device is clean, a factory reset is the safest option.

7. Report the incident — see below.

How to report a PayPal scam

Only around 7% of scam victims report what happened. Reporting takes under 15 minutes and directly feeds law enforcement databases used to identify criminal networks.

Where to report, and how:

  • PayPal phishing emails and texts: Forward to phishing@paypal.com

  • Fraudulent PayPal transactions: PayPal app or paypal.com: Activity, then the transaction, then "Report Issue"

  • FTC: ReportFraud.ftc.gov

  • FBI IC3: ic3.gov (for financial loss or remote access incidents)

  • Anti-Phishing Working Group: Forward email to reportphishing@apwg.org

  • ScamInfo: Report through ScamInfo's reporting dashboard

PayPal's Chief Information Security Officer, Shaun Khalfan, has stated: "PayPal does not tolerate scams, and we take our duty to help protect consumers very seriously." Reporting to PayPal directly helps them identify and shut down fraudulent accounts and infrastructure being used against their customers.
