
PayPal users are facing a new wave of highly convincing scam emails that appear to confirm expensive subscription purchases they never made. Security researchers say criminals have figured out how to abuse PayPal’s own billing tools so that the messages look authentic, slip past filters, and pressure people into calling fake support numbers or clicking malicious links.

The tactic turns one of the internet’s most trusted payment brands into an unwitting delivery system for phishing, and it is already forcing PayPal, security vendors, and consumers to rethink what a “legitimate” notification looks like. I am tracking how the scheme works, why it is so effective, and what ordinary account holders can do to stay ahead of it.

How scammers turned a trusted PayPal feature into a phishing weapon

The core of the new fraud wave is not a forged email server or a spoofed domain, but PayPal’s own recurring billing system. Experts report that scammers are abusing the platform’s Subscriptions feature to generate real transactional messages that look like routine payment confirmations. Because the messages are triggered from inside genuine PayPal accounts, they arrive from the familiar service address and carry the usual branding, which makes them far more persuasive than traditional phishing blasts.

Instead of using Subscriptions for gym memberships or streaming services, the criminals configure bogus billing plans that reference high priced products and embed fake customer service details in the description fields. Security researchers describe how this manipulation lets the attackers inject their own text into the body of PayPal’s automatic emails, effectively turning a legitimate notification into a lure that can bypass spam filters and keyword detection. The result is a message that looks like a standard automatic payment status update but is in fact a carefully crafted trap.

The anatomy of a fake “automatic payment” email

At first glance, the fraudulent messages look like any other PayPal receipt, which is exactly what the scammers are counting on. One widely cited example shows a subject line about an automatic payment status and a body that claims a payment of $1,346.99 has been successfully processed, a figure chosen to be large enough to trigger panic but still plausible for a big ticket purchase. The text then urges the recipient to act quickly if the charge is unfamiliar, steering them toward a phone number or URL that is controlled by the scammers.

What makes these emails especially dangerous is that the sender field often shows service[at]paypal[dot]com, which is a legitimate PayPal address. As one detailed breakdown notes, the trick lies not in the domain but in the content that has been smuggled into the message via the subscription description. The layout, logo, and transactional language all match what users expect, so the only real red flags are the unexpected amount and the pressure to respond through channels that sit entirely outside PayPal’s official website or app.

Psychology, urgency, and the human side of the con

Technically, the scam hinges on a billing feature, but its success depends on human psychology. Fraudsters understand that people react emotionally when they think a large sum has just left their account, and they design the wording to exploit that reflex. As one expert guide on fake PayPal emails explains, fraudsters know that if they can create a sense of urgency and confusion, targets are more likely to click first and think later.

The subscription scam leans heavily on that playbook. Messages often warn that the supposed payment will recur automatically unless the user cancels immediately, or that there is only a short window to dispute the charge. Some variants even hint at consequences like account suspension if the recipient does not respond. By the time a person realizes they are not looking at a normal purchase confirmation, they may already have dialed a fake support line or handed over login details to a convincing phishing page.

From invoices to subscriptions: a broader pattern of PayPal abuse

The misuse of Subscriptions is not happening in isolation; it is part of a broader pattern in which criminals piggyback on PayPal’s legitimate tools. The company itself warns that unsolicited invoices and money requests can be weaponized, advising users to report any unwarranted invoices or money requests by logging into their account directly and then deleting the email from their inbox. That guidance reflects a long running problem in which attackers create fake payment demands that appear inside the PayPal ecosystem itself.

What is new in the subscription twist is the way scammers are using recurring billing to inject their own narrative into system generated emails. Earlier waves of abuse focused on one off invoices or simple money requests, which were easier for some users to spot as suspicious. By contrast, a subscription confirmation looks like a routine part of managing digital services, and the recurring nature of the charge raises the stakes. The pattern shows how attackers keep probing for underused features and edge cases in popular platforms, then turning those into scalable fraud channels.

How the scam slips past filters and security tools

From a technical standpoint, one of the most worrying aspects of the campaign is how effectively it evades automated defenses. Because the emails originate from PayPal’s own infrastructure and reference real subscription objects, they tend to pass SPF, DKIM, and DMARC checks that many mail providers rely on. Researchers note that the abuse of Subscriptions lets scammers embed phishing content inside a message that otherwise looks clean to automated scanners, which is why the scheme often passes most email security scans.

The attackers also benefit from the fact that the body of the email is largely generated by PayPal’s own templates, with only a few fields under their control. That means common spam signals, such as odd formatting or mismatched branding, are absent. Some security professionals have highlighted the campaign on social platforms, warning that the Subscription feature is being exploited in a way that allows malicious text and phone numbers to ride along inside otherwise legitimate notifications. For corporate defenders, that raises hard questions about how to filter messages that are technically authentic but contextually dangerous.
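As an added illustration of the filtering problem described above (not code from the article, PayPal, or any vendor it cites), the following triage check treats passing authentication only as context and keys instead on what the sender can inject: phone numbers and links pointing outside the brand's own domains. The sample message and the trusted-domain list are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message for illustration only; not a real PayPal email.
SAMPLE = """\
From: "service@paypal.com" <service@paypal.com>
To: victim@example.com
Subject: Automatic payment status
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=paypal.com; dmarc=pass
Content-Type: text/plain; charset=utf-8

Your automatic payment of $1,346.99 was successfully processed.
If you did not authorize this charge, call +1-800-555-0199 immediately
or visit http://paypal-billing-help.example/cancel to dispute it.
"""

# Assumption: the brand's own domains, used for both the sender and any links.
TRUSTED_DOMAINS = {"paypal.com"}
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{8,}\d")
URL_HOST_RE = re.compile(r"https?://([^\s/]+)", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(immediately|within \d+ hours?|suspend\w*|dispute)\b", re.IGNORECASE)


def is_trusted_host(host: str) -> bool:
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage(raw: str) -> dict:
    """Flag a message that authenticates as the brand yet carries out-of-band contact details."""
    msg = message_from_string(raw, policy=policy.default)
    auth = msg.get("Authentication-Results", "").lower()
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    body = msg.get_body(preferencelist=("plain",)).get_content()
    external = [h for h in URL_HOST_RE.findall(body) if not is_trusted_host(h)]
    phones = [p.strip() for p in PHONE_RE.findall(body)]
    result = {
        "authenticated": "dmarc=pass" in auth,       # genuine origin, as the article describes
        "sender_trusted": is_trusted_host(sender_domain),
        "external_hosts": external,                  # links that leave the brand's domains
        "phone_numbers": phones,                     # numbers the template lets a sender embed
        "urgency": bool(URGENCY_RE.search(body)),
    }
    # Verdict keys on attacker-controllable content, not on authentication,
    # because here both SPF/DKIM/DMARC and the sender domain are legitimate.
    result["suspicious"] = bool(external or phones)
    return result
```

A real deployment would feed the flagged message to a reviewer or quarantine rather than blocking outright, since genuine merchant notifications can also carry phone numbers.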

Real world impact: phone scams, account takeovers, and drained balances

Once a victim responds to a fake subscription email, the damage can escalate quickly. In many cases, the message directs them to call a number that connects to a scam call center, where operators pose as PayPal or bank staff. Reports describe how hackers then walk targets through steps that grant remote access to their computers or persuade them to share one time codes, allowing the criminals to move money or reset passwords. Written accounts by DJ Sight emphasize that once the attackers have control, they can pivot from a single disputed charge to broader identity theft.

Other variants steer users to phishing sites that mimic PayPal’s login page, harvesting credentials that can be reused against the victim’s real account. From there, attackers may set up additional subscriptions, send fraudulent invoices, or link new bank accounts and cards. Because the initial email looks like a normal automatic payment status update, some people do not realize they have been duped until they see unfamiliar transfers in their transaction history or receive alerts from their bank. By that point, unwinding the damage can involve hours on the phone with financial institutions and, in some cases, law enforcement.

PayPal’s response and the closing of a dangerous loophole

Under growing pressure from security researchers and customers, PayPal has begun tightening the controls that made the subscription abuse possible. One detailed technical analysis notes that the company has moved to close a loophole that let scammers send real emails with fake purchase notices, a change that directly targets the way criminals were injecting custom text into system messages. Researcher Pieter Arntz has been cited as one of the voices explaining how the loophole worked and why it was so attractive to attackers.

Other security briefings confirm that PayPal has been notified about the misuse of Subscriptions and is actively working to shut down the method before more users are affected. One advisory notes that they have acknowledged the activity and are adjusting internal checks so that suspicious subscription descriptions and contact details are flagged or blocked. While these steps will not eliminate all forms of PayPal themed phishing, they do narrow the attack surface and signal that the company is treating the abuse of its billing tools as a serious security issue rather than a minor policy violation.

Why experts say this scam is different from older PayPal grifts

Seasoned PayPal users have long been told to watch for spelling mistakes, odd sender addresses, and generic greetings, but those heuristics are less useful against this new wave. Analysts stress that the subscription abuse stands out because it uses PayPal’s own infrastructure to deliver the bait, rather than trying to imitate it from the outside. One detailed warning explains that scammers are abusing PayPal’s Subscriptions feature in a way that passes most email security scans, which is a significant evolution from older, more easily filtered campaigns.

Another expert summary underscores that the abuse of Subscriptions is not just a cosmetic tweak but a structural shift in how phishing is delivered. Instead of relying on obviously fake domains or attachments, the attackers are exploiting business logic inside a trusted platform, which is harder for both users and automated tools to reason about. That is why security professionals are treating the campaign as a wake up call about the risks of any system that lets third parties embed arbitrary text into transactional messages.

Practical steps PayPal users can take right now

For ordinary account holders, the most important defense is to break the reflex of acting directly from an email, no matter how authentic it looks. If a message claims that a large subscription payment has been processed, the safest move is to open a browser or the PayPal app manually, sign in, and check the activity feed there. If the transaction does not appear, it is almost certainly a scam. If it does appear and looks suspicious, users should follow PayPal’s own advice to report unwarranted invoices or money requests through the official interface and then delete the email.

Security experts also recommend enabling two factor authentication on PayPal and any linked email accounts, using strong, unique passwords or passkeys, and keeping an eye on bank and card statements for unfamiliar charges. One advisory on the subscription scam highlights that users should avoid calling phone numbers or visiting URLs listed only in an email, and instead rely on contact details published on PayPal’s own site. Guidance written by DJ Sight stresses that strong, unique passwords or passkeys can limit the fallout even if credentials are exposed, and that quick action can sometimes reverse fraudulent transfers before they settle.

What this campaign signals about the future of online payment fraud

The abuse of PayPal subscriptions is a reminder that as platforms add more flexible billing features, they also expand the creative space for attackers. Criminals are no longer content to spoof brands from the outside; they are increasingly looking for ways to operate from within, using legitimate tools in illegitimate ways. The fact that a loophole in a mainstream billing system could be turned into a global phishing channel shows how fragile trust signals like sender addresses and familiar logos have become.

At the same time, the rapid response from PayPal and the broader security community suggests that these kinds of abuses can be contained when they are surfaced quickly. Researchers like Pieter Arntz, analysts such as Lawrence Abrams, and corporate defenders who flagged the alerts about Subscriptions abuse have helped push the issue into the open, prompting fixes that should make similar attacks harder. For users, the lesson is clear: even when an email comes from a trusted address and references a familiar service, the only safe way to verify a payment is to go straight to the source, log in, and check for yourself.
