PayPal users have been warned of a new phishing campaign in which cybercriminals send fraudulent invoices through PayPal's own invoicing system, so that the notification arrives from a genuine PayPal email address, and then urge recipients to call a fraudulent phone number or hand over personal and payment information.
PayPal itself has issued a “do not pay, do not phone” warning, advising customers to remain vigilant against the evolving threat.
Gmail users have recently faced a wave of image-based attacks, TikTok users were confronted with a fake VIP upgrade offer, and LastPass cautioned users not to change their master passwords in response to circulating "you've been hacked" emails.
The latest threat targets PayPal account holders with an invoice scam, according to cybersecurity firm KnowBe4.
“You receive an email from a real PayPal email address containing an invoice for a purchase you did not make,” said Roger Grimes, Chief Information Security Advisor at KnowBe4.
“The email includes a phone number to dispute the charge, but calling it connects you to a fraudster, not PayPal.” The attack is classified as a Telephone-Oriented Attack Delivery, or TOAD: the lure is a phone number rather than a malicious link or attachment, so link-scanning and attachment-sandboxing email defenses have nothing to catch, and the scammers rely on PDF invoices and urgent messaging to exploit fear of financial loss.
KnowBe4 explained that attackers create a PayPal account and use it to send a legitimate-looking invoice. “The email is genuine, but the invoice is fraudulent,” Grimes said. Because the notification is generated and sent by PayPal's own servers, it passes the SPF, DKIM and DMARC sender-authentication checks that would flag a spoofed message; the only fraudulent content is the text the attacker typed into the invoice.
A victim who calls the number reaches someone impersonating PayPal support, who then tries to collect credit card details or charge a fee to "resolve" a problem that does not exist.
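Because the sender authentication on these invoices is genuine, a mail filter has to look at the invoice text itself. The following Python script is an added example written for this article, not code from KnowBe4 or PayPal: it parses an email, confirms that SPF/DKIM/DMARC all passed (so a sender-reputation rule would not have stopped it), then flags phone numbers combined with urgency language in the seller-supplied note. Both messages it runs on are constructed for the example; the headers, amounts, seller name and the 1-800-555-0199 number are made up, and the urgency word list is an assumed starting point rather than a vetted ruleset.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed headers imitating a genuine invoice notification. Every value is
# invented for this example; nothing here is a captured message.
HEADER_TEMPLATE = """\
From: "service@paypal.com" <service@paypal.com>
To: victim@example.org
Subject: Invoice from Example Seller (0000)
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com;
 dmarc=pass header.from=paypal.com
Content-Type: text/plain; charset="utf-8"

Example Seller sent you an invoice for $499.99 USD.

Note from seller:
{note}
"""

# Seller note typical of a TOAD lure (constructed; the number is fictitious).
LURE_NOTE = (
    "If you did not authorize this purchase, call our fraud department\n"
    "IMMEDIATELY at 1-800-555-0199 to cancel the charge within 24 hours."
)
# Seller note from an ordinary invoice, for contrast.
CLEAN_NOTE = "Thanks for your order. Your goods ship after payment clears."

SAMPLE_LURE_EML = HEADER_TEMPLATE.format(note=LURE_NOTE)
SAMPLE_CLEAN_EML = HEADER_TEMPLATE.format(note=CLEAN_NOTE)

# North American phone formats: optional +1, 3-3-4 digits with common separators.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)
# Assumed urgency phrases; tune against real traffic before relying on them.
URGENCY_TERMS = (
    "immediately", "within 24 hours", "urgent", "did not authorize",
    "unauthorized", "cancel the charge",
)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def parse_auth_results(msg):
    """Return {'spf': 'pass', ...} from the Authentication-Results header(s)."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, verdict in AUTH_RE.findall(str(header)):
            results[mechanism.lower()] = verdict.lower()
    return results


def sender_authenticated(msg):
    """True when SPF, DKIM and DMARC all passed, i.e. the sender is genuine."""
    results = parse_auth_results(msg)
    return all(results.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))


def find_callback_numbers(text):
    """Phone numbers in the text, normalised to digits only."""
    return sorted({re.sub(r"\D", "", m) for m in PHONE_RE.findall(text)})


def find_urgency_terms(text):
    lowered = text.lower()
    return [term for term in URGENCY_TERMS if term in lowered]


def assess_invoice_email(raw):
    """Score one raw RFC 5322 message for a phone-callback (TOAD) lure."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    phones = find_callback_numbers(body)
    urgency = find_urgency_terms(body)
    # A genuine sender does not exonerate the content: the verdict comes from
    # the body, and the authentication result is reported only for context.
    if phones and urgency:
        verdict = "suspected TOAD lure: verify in your PayPal account, do not call"
    elif phones:
        verdict = "phone number in invoice text: verify before calling"
    else:
        verdict = "no callback lure found"
    return {
        "from_domain": from_domain,
        "sender_authenticated": sender_authenticated(msg),
        "phones": phones,
        "urgency": urgency,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE_EML), ("clean", SAMPLE_CLEAN_EML)):
        print(label, assess_invoice_email(sample))
```

Run as a script it prints one report per sample; the lure is flagged even though every authentication check passed, which is the property that makes this campaign survive sender-reputation filtering. In production the phone regex would need the formats of the markets you serve, and the verdict should feed a quarantine or a banner, not a silent drop, since real sellers occasionally put a contact number in an invoice note.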
PayPal representatives confirmed that the company is aware of the campaign and is taking proactive steps to prevent fraud.
“We continuously monitor and investigate suspicious activity to protect our customers,” a PayPal spokesperson said.
“Our security measures include restricting scam accounts, declining risky transactions, and leveraging both technology and manual review to identify potential threats.”
Experts note that this type of phishing scam is not new, but its persistence underscores the challenges of combating fraud even with established security systems.
Security specialists advise users to avoid paying invoices or responding to suspicious messages, even if they appear to come from a legitimate source.
Do not click links, open attachments, or call any numbers included in unsolicited PayPal emails, said Grimes. “Check your account directly through the official website to verify transactions instead of relying on email notifications.”
According to a 2024 report from the Anti-Phishing Working Group, nearly 2.5 million phishing emails targeting financial services were recorded, with PayPal accounting for approximately 20 percent of reported cases.
Experts say the scale of these attacks highlights the importance of personal vigilance. Users affected by similar scams shared their experiences, underscoring the human impact of such fraud attempts.
“I got a PayPal invoice for five hundred dollars that I never made,” said Sarah Mitchell, a small business owner in Dallas. “It looked official, and the phone number seemed legitimate. Luckily, I double checked my account before calling and avoided losing money.”
John Rivera, a freelance graphic designer in Miami, said he initially panicked when he saw the invoice. “It was alarming because the email came from an address ending with @paypal.com. I almost called the number before my colleague warned me,” he said.
While PayPal remains one of the most frequently targeted platforms, the same technique appears across other online services: banks and e-commerce platforms report phishing attempts that mimic their own legitimate notifications.
According to the FBI’s Internet Crime Complaint Center, losses from email-based scams in 2024 exceeded three hundred million dollars in the United States alone. PayPal has pledged to strengthen its defenses and educate users about identifying fraudulent communications.
Security analysts suggest that users continue practicing caution and rely on official channels to verify account activity. “These scams evolve rapidly, but awareness and proper verification can prevent financial loss,” Grimes said.
With phishing campaigns growing increasingly sophisticated, cybersecurity experts emphasize that vigilance remains the most effective protection.
Users are encouraged to report suspicious messages to PayPal directly and to refrain from engaging with unsolicited requests. The alert is a reminder that a genuine sender address is not proof that a message is safe: the invoice itself can be the fraud.
Experts stress that ignoring the links, phone numbers, and attachments in a suspicious message, and instead checking account activity directly on the official site, is the safest approach. As attacks continue to evolve, both companies and users play a role in mitigating risk.