IsThisAScam
HomeBlogPricingAboutHistoryAPIExtension
Upgrade
EN
Sign in
Sign in
IsThisAScam

Independent scam & phishing analysis. Free for individuals. APIs for developers.

© 2026 Zeplik, Inc.
1111B S Governors Ave, Dover, DE 19904
+1 (838) 221-7030
[email protected]
Product
  • Home
  • Blog
  • Pricing
  • About
  • Methodology
  • History
  • Chrome Extension
Resources
  • Developers
  • API Docs
  • Website trust reports
  • Scam type briefs
  • How-to guides
  • Scam glossary
  • Compare tools
  • Apple scams
  • PayPal scams
Legal
  • Privacy Policy
  • Terms of Service
  • [email protected]

© 2026 Zeplik, Inc. All rights reserved.

Built for the calm, the cautious, and the careful.

IsThisAScam is a Zeplik product. Explore our other tools: Arteza (AI image and video), OptiPix (privacy-first image tools).

Home/Blog/Scam Alerts
Scam Alerts

PayPal Invoice Scam: Why Real PayPal Emails Can Be Fraud

By IsThisAScam Research TeamPublished July 2, 20264 min read
Contents
  1. How the Scam Works
  2. Why Spam Filters Cannot Catch It
  3. Red Flags Inside the Invoice
  4. What to Do If You Receive One
  5. The Rule That Defeats This Entire Scam Family

The PayPal invoice scam is uniquely dangerous because the email is genuinely from PayPal. Scammers create real PayPal accounts and use PayPal's own invoicing and money request features to send you a bill — typically for something like a Bitcoin purchase, an antivirus renewal, or an order you never placed. Because the message originates from PayPal's actual servers, it passes SPF, DKIM, and DMARC authentication and sails through spam filters. The fraud is in the invoice contents: a fake charge and a "support" phone number that connects you directly to the scammer.

How the Scam Works

  1. The scammer opens a PayPal account. Anyone can create a PayPal business account and send invoices or money requests to any email address. No prior relationship with you is required.
  2. They send you a real invoice. It might say "Bitcoin purchase - $749.99," "Norton 360 renewal - $499," or "Order #8829107." The seller name is spoofed to look official — "Billing Department," "PayPal Support," or a well-known brand name typed into the free-text seller field.
  3. The invoice note contains the hook. "If you did not authorize this transaction, call us immediately at 1-8XX-XXX-XXXX." That number does not belong to PayPal or any real company. It rings a scam call center.
  4. The email passes every technical check. It comes from [email protected], authenticates perfectly, and may even appear in your PayPal account's activity when you log in — because it is a real invoice object in PayPal's system. Every signal people are taught to check says "legitimate."
  5. The phone call is where the theft happens. The "agent" who answers confirms the scary charge, then offers to reverse it. Depending on the crew, they will ask you to install remote-access software like AnyDesk, read back a verification code, log into your bank while they watch, or "accidentally refund too much" and demand you return the difference via gift cards or wire transfer — the same mechanics as a classic refund scam.

Got a suspicious email?

Paste it here for an instant analysis.

No signup · 6 detection layers · Results in seconds · Cmd+Enter

Why Spam Filters Cannot Catch It

Email security is built around verifying that a message really came from where it claims. This scam turns that logic against you. The message really did come from PayPal — a criminal simply used PayPal as the delivery mechanism, the way someone might mail a threatening letter through the regular postal service. Gmail and Outlook see a properly authenticated email from a trusted sender and deliver it to your inbox, often with PayPal's official branding and logo intact.

Variants of the same technique use PayPal money requests instead of invoices, and similar abuse has been observed on other platforms that let users send documents or requests from official infrastructure — QuickBooks invoices and Google Docs comment notifications among them. The lesson generalizes: authenticated sender does not mean legitimate content.

Red Flags Inside the Invoice

  • You never bought anything from this seller. An unsolicited invoice for a purchase you did not make is the scam itself, not a billing error.
  • A phone number in the seller note. PayPal does not put "call this number to dispute" instructions inside invoice memo fields. Dispute instructions live in your account interface.
  • Urgency and fear. "Your account will be charged within 24 hours." "This transaction has been flagged." Pressure to call immediately is the tell.
  • Crypto, antivirus, or gift-card subject matter. Bitcoin purchases and security software renewals dominate because they sound both plausible and alarming.
  • A seller name that is a brand, not a business. "GeekSquad Billing" or "Coinbase Support" typed as a PayPal seller name is impersonation — closely related to the Geek Squad scam email pattern.

What to Do If You Receive One

  1. Do not call the number. Nothing bad happens if you ignore the invoice. An unpaid PayPal invoice or money request charges you nothing — it is a request, not a transaction. No money leaves your account unless you actively pay it.
  2. Verify inside your own PayPal account. Open a browser, type paypal.com yourself, and log in. If the invoice appears, you can cancel or ignore it there. Do not use any link in the email.
  3. Report it to PayPal. Forward the email to [email protected], and use the "Report" option on the invoice itself so PayPal can shut down the sending account.
  4. Never grant remote access. No payment company resolves billing disputes by controlling your computer. If you already installed remote software at a caller's request, disconnect from the internet, uninstall it, run a malware scan, and change your passwords from a different device.
  5. If you paid or gave information, open a dispute in PayPal, contact your bank or card issuer immediately, and file a report at reportfraud.ftc.gov and the FBI's IC3. Speed matters most in the first hours.

Related reading:

  • Scam Detector: How AI Analyzes Emails, Texts, and Links in Seconds
  • Phishing Check: How to Verify Any Suspicious Email or Message
  • How to Spot a Scam Email: 10 Signs That Give It Away
  • Walmart Scam Emails and Texts: How to Spot Fakes

The Rule That Defeats This Entire Scam Family

Never use contact information delivered inside an unexpected message. That single habit neutralizes the PayPal invoice scam, the Geek Squad renewal scam, fake bank fraud alerts, and every other callback scheme. If a charge worries you, go to the company's real website by typing the address yourself and use the contact options there. Scammers can forge everything about a message except your own independent path to the real company — so always take that path. For more on how these messages are engineered, see our phishing scams hub.

Received a PayPal invoice or money request you did not expect? Paste the email into IsThisAScam.to for a free, instant analysis of the sender, links, and language — before you decide what to do.

Received something suspicious? You can check if an email is a scam in seconds with our free 6-layer scanner. Read our full guide to phishing scams for tactics, examples, and reporting steps.

Share this article
XLinkedInFacebookWhatsApp
paypalinvoice scamphishingemailcallback scam
Related Articles
Guides4 min

Is Temu Legit or a Scam? What Shoppers Should Know

Guides4 min

Is Shein Legit or a Scam? An Honest Look

Scam Alerts4 min

Geek Squad Scam Email: The Fake Renewal Invoice Explained

CHROME EXTENSION

Stop scams before you click

Scans emails in Gmail automatically. Right-click any link to check it. Warnings appear before you reach dangerous sites.

Add to Chrome — Free →

One-click install · No account needed · Works with Gmail

PRO

Need more than 5 scans a day?

Pro gives you 200 scans/month, detailed AI analysis, 30-day history, and the Chrome extension for $2.99/mo.

See pricing →

Check any suspicious message

Six detection layers. Instant verdict. Free.

No signup · 6 detection layers · Results in seconds · Cmd+Enter