The PayPal invoice scam is uniquely dangerous because the email is genuinely from PayPal. Scammers create real PayPal accounts and use PayPal's own invoicing and money request features to send you a bill — typically for something like a Bitcoin purchase, an antivirus renewal, or an order you never placed. Because the message originates from PayPal's actual servers, it passes SPF, DKIM, and DMARC authentication and sails through spam filters. The fraud is in the invoice contents: a fake charge and a "support" phone number that connects you directly to the scammer.
How the Scam Works
- The scammer opens a PayPal account. Anyone can create a PayPal business account and send invoices or money requests to any email address. No prior relationship with you is required.
- They send you a real invoice. It might say "Bitcoin purchase - $749.99," "Norton 360 renewal - $499," or "Order #8829107." The seller name is spoofed to look official — "Billing Department," "PayPal Support," or a well-known brand name typed into the free-text seller field.
- The invoice note contains the hook. "If you did not authorize this transaction, call us immediately at 1-8XX-XXX-XXXX." That number does not belong to PayPal or any real company. It rings a scam call center.
- The email passes every technical check. It comes from [email protected], authenticates perfectly, and may even appear in your PayPal account's activity when you log in — because it is a real invoice object in PayPal's system. Every signal people are taught to check says "legitimate."
- The phone call is where the theft happens. The "agent" who answers confirms the scary charge, then offers to reverse it. Depending on the crew, they will ask you to install remote-access software like AnyDesk, read back a verification code, log into your bank while they watch, or "accidentally refund too much" and demand you return the difference via gift cards or wire transfer — the same mechanics as a classic refund scam.
Got a suspicious email?
Paste it here for an instant analysis.
No signup · 6 detection layers · Results in seconds · Cmd+Enter
Why Spam Filters Cannot Catch It
Email security is built around verifying that a message really came from where it claims. This scam turns that logic against you. The message really did come from PayPal — a criminal simply used PayPal as the delivery mechanism, the way someone might mail a threatening letter through the regular postal service. Gmail and Outlook see a properly authenticated email from a trusted sender and deliver it to your inbox, often with PayPal's official branding and logo intact.
Variants of the same technique use PayPal money requests instead of invoices, and similar abuse has been observed on other platforms that let users send documents or requests from official infrastructure — QuickBooks invoices and Google Docs comment notifications among them. The lesson generalizes: authenticated sender does not mean legitimate content.
Red Flags Inside the Invoice
- You never bought anything from this seller. An unsolicited invoice for a purchase you did not make is the scam itself, not a billing error.
- A phone number in the seller note. PayPal does not put "call this number to dispute" instructions inside invoice memo fields. Dispute instructions live in your account interface.
- Urgency and fear. "Your account will be charged within 24 hours." "This transaction has been flagged." Pressure to call immediately is the tell.
- Crypto, antivirus, or gift-card subject matter. Bitcoin purchases and security software renewals dominate because they sound both plausible and alarming.
- A seller name that is a brand, not a business. "GeekSquad Billing" or "Coinbase Support" typed as a PayPal seller name is impersonation — closely related to the Geek Squad scam email pattern.
What to Do If You Receive One
- Do not call the number. Nothing bad happens if you ignore the invoice. An unpaid PayPal invoice or money request charges you nothing — it is a request, not a transaction. No money leaves your account unless you actively pay it.
- Verify inside your own PayPal account. Open a browser, type paypal.com yourself, and log in. If the invoice appears, you can cancel or ignore it there. Do not use any link in the email.
- Report it to PayPal. Forward the email to [email protected], and use the "Report" option on the invoice itself so PayPal can shut down the sending account.
- Never grant remote access. No payment company resolves billing disputes by controlling your computer. If you already installed remote software at a caller's request, disconnect from the internet, uninstall it, run a malware scan, and change your passwords from a different device.
- If you paid or gave information, open a dispute in PayPal, contact your bank or card issuer immediately, and file a report at reportfraud.ftc.gov and the FBI's IC3. Speed matters most in the first hours.
The Rule That Defeats This Entire Scam Family
Never use contact information delivered inside an unexpected message. That single habit neutralizes the PayPal invoice scam, the Geek Squad renewal scam, fake bank fraud alerts, and every other callback scheme. If a charge worries you, go to the company's real website by typing the address yourself and use the contact options there. Scammers can forge everything about a message except your own independent path to the real company — so always take that path. For more on how these messages are engineered, see our phishing scams hub.
Received a PayPal invoice or money request you did not expect? Paste the email into IsThisAScam.to for a free, instant analysis of the sender, links, and language — before you decide what to do.