A new email scam is misusing PayPal’s Subscriptions billing system to send genuine PayPal emails that contain fraudulent purchase claims hidden inside the Customer Service URL field.
Over the last few months, multiple users have reported receiving PayPal emails stating, "Your automatic payment is no longer active." While the message appears routine, the Customer Service URL field has been manipulated to display alarming text claiming the recipient bought an expensive product such as a Sony device, MacBook, or iPhone.
The embedded message typically mentions a payment ranging between $1,300 and $1,600, includes a suspicious domain name, and provides a phone number that victims are urged to call to cancel or dispute the charge. Scammers use Unicode characters to alter fonts and emphasize certain words, a technique designed to bypass spam filters and keyword detection systems.
"http://[domain] [domain] A payment of $1346.99 has been successfully processed. For cancel and inquiries, Contact PayPal support at +1-805-500-6377," reads the customer service URL in the scam email.
Although the content is fraudulent, the emails are sent directly from service@paypal.com, which causes confusion and concern among recipients who fear their PayPal accounts may have been compromised. Because the messages originate from PayPal’s legitimate mail servers, they often bypass spam and security filters.
The primary objective of this scam is to frighten recipients into believing their account was used to make a costly purchase, prompting them to call the fake “PayPal support” number. Such calls are typically used to carry out bank fraud or persuade victims to install malicious software on their devices.
Users who receive these emails are advised not to call the listed number. If there is concern about account security, the safest approach is to log in directly to PayPal and verify whether any unauthorized transaction has occurred.
How the PayPal scam works
BleepingComputer reviewed a copy of the email and confirmed that it was sent from PayPal’s official infrastructure. Email headers show that the messages pass SPF, DKIM, and DMARC checks and originate from PayPal’s mx15.slc.paypal.com mail server.
Further investigation revealed that the same email template can be triggered by using PayPal’s Subscriptions feature. This tool allows merchants to set up recurring billing for services. When a subscription is paused, PayPal automatically sends the subscriber an email stating that their automatic payment is no longer active.
Under normal circumstances, PayPal restricts the Customer Service URL field to valid URLs only. However, in this case, scammers appear to be exploiting a weakness in how subscription metadata is handled or using an alternative method—possibly via an API or legacy system—that permits invalid text to be stored in that field.
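The two detection angles described above (a "URL" field that actually carries payment text, and Unicode font styling used to hide lure keywords) can be checked by folding the field with NFKC normalization before inspecting it. The script below is an added example, not BleepingComputer's or PayPal's code; the email body, domain and phone number it contains are constructed, and the field label "Customer Service URL:" is assumed for the sake of the parser.

```python
import re
import unicodedata
from typing import Optional
from urllib.parse import urlparse

# Constructed mock of the notification body (not the real scam message).
# The word "Payment" is written in Mathematical Bold letters (U+1D40F etc.)
# so that a naive keyword filter never sees the ASCII word "Payment".
SAMPLE_EMAIL = (
    "Your automatic payment is no longer active.\n"
    "Merchant: Example Store\n"
    "Customer Service URL: http://example.invalid example.invalid A "
    "\U0001d40f\U0001d41a\U0001d432\U0001d426\U0001d41e\U0001d427\U0001d42d "
    "of $1346.99 has been successfully processed. For cancel and inquiries, "
    "Contact PayPal support at +1-555-010-0199\n"   # constructed number
)

PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")
AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
LURE_KEYWORDS = ("payment", "processed", "cancel", "support", "contact")

def normalize(text: str) -> str:
    """NFKC maps styled letters (math bold/italic, fullwidth) to plain ASCII."""
    return unicodedata.normalize("NFKC", text)

def extract_customer_service_field(email_body: str) -> Optional[str]:
    """Return the raw value after the assumed 'Customer Service URL:' label."""
    for line in email_body.splitlines():
        if line.lower().startswith("customer service url:"):
            return line.split(":", 1)[1].strip()
    return None

def is_single_valid_url(value: str) -> bool:
    """A legitimate field holds exactly one http(s) URL and no whitespace."""
    if any(ch.isspace() for ch in value):
        return False
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)

def analyze_field(raw: str) -> dict:
    """Flag a field that looks like a lure instead of a support URL."""
    folded = normalize(raw)
    findings = []
    if folded != raw:
        findings.append("styled_unicode")      # font tricks were present
    if not is_single_valid_url(folded):
        findings.append("not_a_url")
    if PHONE_RE.search(folded):
        findings.append("phone_number")
    if AMOUNT_RE.search(folded):
        findings.append("dollar_amount")
    if any(k in folded.lower() for k in LURE_KEYWORDS):
        findings.append("lure_keywords")
    return {"normalized": folded, "findings": findings, "suspicious": len(findings) >= 2}

def scan_email(email_body: str) -> dict:
    raw = extract_customer_service_field(email_body)
    if raw is None:
        return {"normalized": None, "findings": [], "suspicious": False}
    return analyze_field(raw)
```

Running `scan_email(SAMPLE_EMAIL)` reports the styled Unicode, the non-URL content, the phone number and the dollar amount, while a plain support URL yields no findings.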
What remains unclear is how these emails reach individuals who never signed up for the subscription. Mail headers indicate that PayPal sends the message to an address believed to belong to a fake subscriber account created by the scammer. This address is likely linked to a Google Workspace mailing list, which automatically forwards the email to all its members—the intended victims.
Such forwarding can cause later SPF and DMARC checks to fail, since the message is relayed by servers other than PayPal’s original mail system.
PayPal has acknowledged the issue and confirmed that action is being taken.
"PayPal does not tolerate fraudulent activity and we work hard to protect our customers from consistently evolving phishing scams," PayPal told BleepingComputer.
"We are actively mitigating this matter, and encourage people to always be vigilant online and mindful of unexpected messages. If customers suspect they are a target of a scam, we recommend they contact Customer Support directly through the PayPal app or our Contact page for assistance."
