
PayPal Phishing Emails: Complete Guide to Staying Safe

IsThisAScam Research Team · April 1, 2026 · 7 min read
Contents
  1. Why PayPal Is Heavily Targeted
  2. The 6 Most Common PayPal Phishing Emails
       • Unauthorized Transaction Alert
       • Account Limitation Notice
       • Fake Invoice or Money Request
       • Password Reset You Didn't Request
       • Shipping Confirmation for Something You Didn't Buy
       • "You've Received Money" Notification
  3. How to Verify Any PayPal Email
  4. Special Case: Scams Sent Through PayPal's System
  5. PayPal Scams Beyond Email
       • Phone Call Scams
       • Text Message Scams
       • Overpayment Scams on Marketplaces
  6. Securing Your PayPal Account Proactively
  7. What to Do If You've Been Phished

PayPal phishing emails are the second most common brand impersonation scam after Amazon. They're effective because PayPal handles real money — the urgency of "someone accessed your PayPal" or "you've been charged $499" triggers an immediate emotional response. Here's how to identify every variant and protect your account.

Why PayPal Is Heavily Targeted

PayPal processes billions of dollars in transactions. It's linked to bank accounts and credit cards. A compromised PayPal account gives attackers direct access to money. And because PayPal is a financial service, users are primed to respond urgently to anything that looks like a security alert.

Scammers also exploit PayPal's legitimate features — like invoicing and money requests — to send official-looking scam messages through PayPal's own system, making them harder to detect.


The 6 Most Common PayPal Phishing Emails

1. Unauthorized Transaction Alert

From: PayPal Security <security-alert@paypa1-center.com>
Subject: Unauthorized transaction detected on your PayPal account

We detected an unauthorized payment of $499.99 to Electronics World Inc. If you did not authorize this transaction, click below to dispute it immediately.

Dispute This Transaction →

The scam: The fear of losing $499.99 makes you click without thinking. The link leads to a fake PayPal login page. After you enter your credentials, the scammer has access to your real account. Some variants also ask for your credit card details to "verify your identity."

Red flags: The domain paypa1-center.com uses the number "1" instead of the letter "l". Real PayPal security alerts come from @paypal.com and include your full name and the last few digits of the transaction.

2. Account Limitation Notice

From: PayPal <no-reply@service-paypal-account.com>
Subject: Your PayPal account has been limited

We've noticed some changes to your account activity. As a security measure, we've limited your account. Please complete the following steps to remove the limitation:

1. Log in to your account
2. Update your personal information
3. Verify your payment method

Resolve Now →

The scam: PayPal does sometimes limit accounts — scammers know this, which makes the email plausible. But the link goes to a phishing site that collects your login credentials, personal information, and payment details all in one go.

How to verify: Log in to paypal.com directly. If your account is actually limited, you'll see a notification in your account dashboard with resolution steps.

3. Fake Invoice or Money Request

This variant is particularly dangerous because it comes through PayPal's actual system. Scammers use PayPal's invoicing feature to send you a real PayPal email with a fake invoice for a product or service you never ordered.

From: service@paypal.com (legitimate PayPal address)
Subject: Invoice from Norton LifeLock — $349.99

You have a pending invoice for Norton LifeLock Annual Plan — $349.99.
If you did not authorize this, call 1-800-XXX-XXXX immediately.

The scam: Because this email actually comes from PayPal's servers, it passes all spam filters and looks completely legitimate. The invoice itself is real — created by the scammer using PayPal's invoicing tool. The phone number in the invoice connects to a scam call center that will try to get remote access to your computer or steal your financial information.

What to do: Never call a number listed in an unexpected invoice. If you receive an invoice for something you didn't order, log in to paypal.com, go to Activity, and decline or report the invoice. You will not be charged unless you approve the invoice.

4. Password Reset You Didn't Request

From: PayPal <noreply@paypal-passwordreset.com>
Subject: Password reset request for your PayPal account

We received a request to reset the password for your PayPal account. If you made this request, click below to reset your password:

Reset Password →

If you didn't make this request, someone may be trying to access your account. Secure your account immediately.

The scam: The email creates a double bind — whether you requested the reset or not, you feel compelled to click. Either you "need to reset your password" or you "need to secure your account." Both links go to the same phishing page.

How to verify: If you didn't request a password reset, ignore the email. If you're concerned, go directly to paypal.com, log in normally, and change your password from Settings.

5. Shipping Confirmation for Something You Didn't Buy

From: PayPal <receipt@paypal-transactions.net>
Subject: Your payment of $279.00 to CryptoMart has shipped

Your item has been shipped! Tracking details are available below.
Item: Ledger Nano X Hardware Wallet
Amount: $279.00
Shipping to: [Address in another state]

If you didn't make this purchase, report it immediately.
Report Unauthorized Transaction →

The scam: The specific product details and shipping to an unknown address create panic. The "report" link leads to a phishing page. Some variants include a phone number to call instead.

6. "You've Received Money" Notification

From: PayPal <notification@service-paypal.com>
Subject: You've received $750.00

Good news! John M. sent you $750.00. The money is pending in your account.

Accept Payment →

The scam: Greed overrides caution. You click to "accept" the payment and end up on a phishing page. Real PayPal payments don't require you to click an email link to accept them — the money appears in your account automatically.

How to Verify Any PayPal Email

  1. Check the sender's actual email address. Legitimate PayPal emails come exclusively from @paypal.com. Not @paypa1.com, not @paypal-service.com, not @service-paypal.net.
  2. Log in to PayPal directly. Open a new tab, type paypal.com, and log in. Check your Activity for the transaction in question. If it doesn't exist in your Activity, the email is fake.
  3. PayPal uses your name. Legitimate PayPal emails address you by your first and last name. "Dear Customer" or "Dear PayPal User" is a red flag.
  4. Hover over links. Every link in a real PayPal email points to paypal.com. No subdomains on other sites, no redirects, no URL shorteners.
  5. Forward suspicious emails to PayPal. Send them to spoof@paypal.com and PayPal's security team will analyze them.

Special Case: Scams Sent Through PayPal's System

The fake invoice scam (variant #3 above) is uniquely dangerous because the email legitimately comes from PayPal's servers. To handle these:

  • Never call phone numbers listed in unexpected invoices
  • Log in to PayPal, go to your Activity, and report/decline the invoice directly
  • PayPal invoices require your explicit approval before any money is sent — you won't be charged automatically
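
The sender, link and greeting checks from the verification list, plus the callback-number case described in this section, written as a small Python triage function. This is an added example, not IsThisAScam's or PayPal's code; the function names, flag labels, sample messages, sample URLs and the phone number are constructed, and accepting subdomains of paypal.com is this example's assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = "paypal.com"  # the only sender/link domain the article treats as legitimate

def is_paypal_host(host):
    """True for paypal.com or a subdomain of it (subdomains are an assumption here)."""
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED or host.endswith("." + TRUSTED)

def check_email(raw):
    """Return red-flag labels for a single-part plain-text message."""
    msg = message_from_string(raw)
    flags = []
    # From is display text only: this mirrors the article's visual check,
    # it is not SPF/DKIM/DMARC validation.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sender_ok = is_paypal_host(domain)
    if not sender_ok:
        flags.append("sender-domain:" + domain)
    body = msg.get_payload()
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname
        if not is_paypal_host(host):
            flags.append("link-host:" + str(host))
    if re.search(r"\bDear (Customer|PayPal User)\b", body, re.I):
        flags.append("generic-greeting")
    # Variant #3: genuine PayPal sender, but the body urges a phone call.
    if sender_ok and re.search(r"\bcall\b[^.\n]*\d{3}[-.\s]\d{3}", body, re.I):
        flags.append("callback-number-in-paypal-mail")
    return flags

# Constructed samples modelled on variants #1 and #3 above.
SAMPLE_PHISH = """From: PayPal Security <security-alert@paypa1-center.com>
Subject: Unauthorized transaction detected on your PayPal account

Dear Customer, we detected an unauthorized payment of $499.99.
Dispute it here: https://paypa1-center.com/dispute
"""
SAMPLE_INVOICE = """From: service@paypal.com
Subject: Invoice from Norton LifeLock - $349.99

You have a pending invoice for Norton LifeLock Annual Plan - $349.99.
If you did not authorize this, call 1-800-555-0100 immediately.
View it: https://www.paypal.com/invoice/example
"""
```

The invoice sample passes the sender and link checks and is caught only by the callback-number rule, which is why this variant needs its own handling.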

PayPal Scams Beyond Email

PayPal scams now extend beyond traditional phishing emails into other channels:

Phone Call Scams

Automated calls claiming "there has been suspicious activity on your PayPal account — press 1 to speak with security." The "security agent" asks for your login credentials, asks you to read back verification codes (which gives them access to your account), or directs you to install remote access software.

PayPal's actual policy: PayPal will never call you and ask for your password, financial information, or verification codes over the phone. If you're concerned, hang up and call PayPal directly at the number on their website.

Text Message Scams

SMS messages like: "PayPal: Your account has been limited. Verify at paypal-secure-verify.com" or "PayPal: You sent $425.00 to John D. Not you? Call 1-800-XXX-XXXX."

PayPal does send legitimate text alerts, but only if you've opted in through your account settings. Legitimate PayPal texts never include links to non-PayPal domains or phone numbers that differ from PayPal's official customer service line.

Overpayment Scams on Marketplaces

If you sell items online, be aware of this PayPal-adjacent scam: a buyer "accidentally" sends you more than the asking price via PayPal, then asks you to refund the difference. The original payment was made with a stolen card or hacked account. When the real account owner disputes the charge, PayPal reverses the entire payment — but the "difference" you sent back is gone for good.

How to avoid: Never refund overpayments by sending money separately. If someone overpays, cancel the entire transaction and ask them to send the correct amount.

Securing Your PayPal Account Proactively

Don't wait until you're phished to lock down your PayPal account. Take these steps now:

  1. Enable two-factor authentication. Go to Settings → Security → 2-step verification. Use an authenticator app rather than SMS when possible.
  2. Set up login notifications. PayPal can email you every time your account is accessed from a new device or location.
  3. Use a unique, strong password. Your PayPal password should not be used on any other site. Use a password manager to generate and store it.
  4. Review linked accounts regularly. Check Settings → Money → Banks and cards. Remove any payment methods you no longer use.
  5. Check authorized apps and subscriptions. Go to Settings → Money → Automatic payments. Revoke access for any services you don't recognize or no longer use.
  6. Set up transaction notifications. Enable email or push notifications for every transaction so you're immediately aware of unauthorized activity.

What to Do If You've Been Phished

  1. Change your PayPal password immediately — go directly to paypal.com, don't use any links from the email
  2. Enable two-factor authentication in Settings → Security
  3. Check your recent Activity for unauthorized transactions
  4. Review linked bank accounts and cards — remove any you don't recognize
  5. Call PayPal's fraud department at 1-888-221-1161 to report the compromise
  6. Contact your bank if any linked accounts show unauthorized activity

For any PayPal email you're uncertain about, copy the content into IsThisAScam for a quick analysis. The tool recognizes PayPal phishing patterns and will tell you exactly what red flags are present and whether the email is safe to act on.
