PayPal Subscription Scam: Fake Purchase Emails Exposed

by priyanka.patel, tech editor

Refined PayPal Scam Exploits Subscription Feature, Bypassing Security Measures

A new email scam is leveraging a legitimate PayPal billing feature to deliver convincingly authentic-looking phishing emails, potentially exposing millions of users to fraud. The scam, which has been reported over the past couple of months, uses PayPal's "Subscriptions" feature to send emails that genuinely originate from the company and therefore pass standard email authentication checks.

The fraudulent emails notify recipients that their “automatic payment is no longer active,” but contain a hidden threat: a manipulated Customer Service URL field that falsely claims a purchase of a high-value item – such as a Sony device, MacBook, or iPhone – for between $1,300 and $1,600. These emails are deliberately crafted with Unicode characters to evade spam filters and keyword detection, making them particularly risky.

"http://[domain] [domain] A payment of $1346.99 has been successfully processed. For cancel and inquiries,Contact PayPal support at +1-805-500-6377," reads a typical example of the malicious URL embedded within the scam.

The alarming aspect of this scam is its authenticity. The emails are sent from the official “[email protected]” address and pass standard email security checks, including DKIM and SPF, originating from PayPal’s own mail servers. As one source explained, the emails appear entirely legitimate upon inspection.

@paypal.com header.s=pp-dkim1 header.b=”AvY/E1H+”;
spf=pass (google.com: domain of [email protected] designates 173.0.84.4 as permitted sender) [email protected];
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
Received: from mx15.slc.paypal.com (mx15.slc.paypal.com. [173.0.84.4])
by mx.google.com with ESMTPS id a92af1059eb24-11dcb045a3csi5930706c88.202.2025.11.28.09.14.49
for
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 28 Nov 2025 09:14:49 -0800 (PST)

BleepingComputer successfully replicated the scam email template by utilizing PayPal’s “Subscriptions” feature and pausing a subscriber. PayPal subscriptions allow merchants to create recurring billing options for services. When a subscription is paused, PayPal automatically notifies the subscriber.

However, researchers discovered a critical limitation: PayPal rejects attempts to add text other than a URL to the Customer Service URL field. This suggests the scammers are exploiting a flaw in how PayPal handles subscription metadata, or utilizing an API or legacy platform that permits the insertion of invalid text.

The method by which scammers are targeting individuals who haven’t subscribed to PayPal services remains unclear. Investigation revealed that the emails are being sent to “[email protected],” believed to be an email address associated with a fake subscriber created by the scammers. This account is highly likely a Google Workspace mailing list, automatically forwarding emails to targeted individuals. This forwarding process can invalidate SPF and DMARC checks, as the email is routed through a server not authorized by the original sender.
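Two signals from the description above can be checked on the receiving side: a Customer Service URL field that carries prose, a phone number or a payment claim instead of a single URL (after undoing Unicode evasion), and a To header that names a different mailbox than the one that actually received the message, as happens when a list relays it. The following Python is an added example, not code from the article or from PayPal; the sample messages, domains and phone number are constructed.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import getaddresses
# Constructed samples modelled on the notification described above; not real captures.
# A zero-width space and fullwidth letters stand in for the Unicode evasion tricks.
SCAM = (
    "From: PayPal <service@paypal.example>\n"
    "To: subscriber-list@workspace.example\n\n"
    "Your automatic payment is no longer active.\n"
    "Customer Service URL: http://merchant.example A pay\u200bment of $1346.99 has been "
    "successfully \uff50\uff52\uff4f\uff43\uff45\uff53\uff53\uff45\uff44. Call +1-555-010-0000\n"
)
BENIGN = (
    "From: PayPal <service@paypal.example>\nTo: alice@victim.example\n\n"
    "Customer Service URL: https://merchant.example/help\n"
)
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")
PAYMENT_RE = re.compile(r"payment of \$?\d[\d,]*\.\d{2}", re.I)

def normalize(text: str) -> str:
    """Fold compatibility forms (fullwidth etc.) to ASCII and drop invisible format chars."""
    folded = unicodedata.normalize("NFKC", text)
    return "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")

def inspect_support_field(body: str) -> dict:
    """A genuine Customer Service URL field holds exactly one URL and nothing else."""
    m = re.search(r"Customer Service URL:\s*(.+)", normalize(body), re.I)
    value = m.group(1).strip() if m else ""
    return {
        "extra_text": len(value.split()) > 1,
        "phone_number": bool(PHONE_RE.search(value)),
        "payment_claim": bool(PAYMENT_RE.search(value)),
    }

def recipient_mismatch(msg, mailbox: str) -> bool:
    """True when the To header names someone else, e.g. a list that relayed the mail."""
    to_addrs = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    return mailbox.lower() not in to_addrs

def analyze(raw: str, mailbox: str) -> dict:
    """Combine both signals for the mailbox that actually received the message."""
    msg = message_from_string(raw)
    findings = inspect_support_field(msg.get_payload())
    findings["forwarded"] = recipient_mismatch(msg, mailbox)
    findings["suspicious"] = findings["extra_text"] or findings["forwarded"]
    return findings
if __name__ == "__main__":
    print(analyze(SCAM, "alice@victim.example"))   # every flag True
    print(analyze(BENIGN, "alice@victim.example"))  # every flag False
```

NFKC folds fullwidth and other compatibility forms but not look-alike letters from other scripts, so a production filter would add a confusables table on top of this.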

When contacted for comment, PayPal declined to address the specific vulnerability but issued a statement affirming its commitment to combating fraudulent activity. "PayPal does not tolerate fraudulent activity and we work hard to protect our customers from consistently evolving scam tactics," the company stated. "We are aware of this phishing scam and encourage people to always be vigilant online and mindful of unexpected messages. If customers suspect they are a target of a scam, we recommend they contact Customer Support directly through the PayPal app or our Contact page for assistance."

This sophisticated scam highlights the evolving tactics employed by cybercriminals and underscores the importance of remaining vigilant against even the most convincingly authentic-looking phishing attempts.