PayPal Subscription Scam: How Phishing Emails Bypass Your Inbox Security
Cybercriminals have found a way to send phishing emails from legitimate PayPal servers, bypassing spam filters and email security checks.
A New Kind of Email Threat
Security researchers have uncovered a phishing campaign that abuses PayPal's legitimate email infrastructure. Unlike typical phishing attempts, which spam filters often catch, these messages are sent by PayPal's own mail servers and therefore pass the standard email authentication checks (SPF, DKIM and DMARC).
According to ESET telemetry, over 4,000 attempts to target PayPal users were detected in the first half of 2025 alone. The Federal Trade Commission reports that PayPal was the third most impersonated company by scammers in 2024, and this new technique makes detection even harder.
How the Scam Works
The attack abuses PayPal's subscription feature. Here's the technical breakdown:
- Scammers create a PayPal subscription and then pause it, which triggers PayPal's genuine "Your automatic payment is no longer active" notification
- The subscriber on that subscription is an account whose email address is a Google Workspace mailing list; every notification PayPal sends to the list address is redistributed to all group members, who are the actual targets
- The notification arrives from service@paypal.com and passes SPF and DKIM (and therefore DMARC) because it genuinely originates from PayPal's mx15.slc.paypal.com mail server
The emails typically claim you have an unauthorized subscription or purchase for a substantial amount, often hundreds of dollars, and include a fake customer service number that connects victims to fraudsters posing as PayPal support. The scammer's text is entered into a subscription field that PayPal renders verbatim in its notification, so the message body is PayPal's own template with attacker-controlled details inserted.
Why This Bypasses Email Security
Many traditional phishing emails fail basic security checks: spam filters look for a From: address that does not match the sending domain, failed SPF/DKIM/DMARC authentication, and suspicious domains. This attack is different:
- The sender address is not spoofed, because the email really is sent by PayPal
- DKIM signatures verify because PayPal's servers signed the message
- SPF checks pass because PayPal's mail servers are authorized senders for paypal.com
- DMARC alignment holds, since both SPF and DKIM agree with the paypal.com From: address
- The email content is a real PayPal template with injected malicious details
As a result, Gmail, Outlook and other email providers trust these messages and deliver them straight to your inbox rather than to spam. The underlying limitation is that SPF, DKIM and DMARC prove which domain sent a message and that it was not altered in transit; they say nothing about whether the fields PayPal filled into its template are trustworthy. One tell that survives: because the notification was addressed to the scammer's mailing list and then redistributed, the To: header usually shows an address that is not yours.
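The point above, that authentication passes while the content is still attacker-controlled, is easiest to see on an actual message. The following Python script is an added example written for this article, not code from the original post, from PayPal or from BleepingComputer. It parses two constructed messages (the recipient and group domains, the IP address and the phone number are placeholders) with the standard library, confirms that SPF, DKIM and DMARC all report pass, and then applies the checks that still work: whether the message is addressed to one of your own addresses, whether it carries mailing-list headers (List-Id, Precedence: list and X-Google-Group-Id are assumed here as the headers a Google Workspace group would add), and whether a phone number appears in the body.

```python
"""Added example, not code from the original article or from PayPal:
triage logic for a notification that passes every authentication check.
Both sample messages are constructed; the group domain, recipient domain,
IP address and phone number are placeholders."""
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample mimicking the mechanism described above: a genuine
# PayPal notification addressed to a Google Workspace group, with the
# scammer's text and phone number sitting in the merchant-name field.
SCAM_RAW = """\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Received: from mx15.slc.paypal.com (mx15.slc.paypal.com [203.0.113.10])
 by mx.recipient.example with ESMTPS; Mon, 3 Feb 2025 10:00:00 +0000
From: service@paypal.com
To: billing-alerts@scam-workspace.example
List-Id: <billing-alerts.scam-workspace.example>
Precedence: list
Subject: Your automatic payment is no longer active
Content-Type: text/plain; charset="utf-8"

Your automatic payment to "Unauthorized charge? Call PayPal Support
+1 (888) 555-0142 immediately" for $649.99 USD is no longer active.
"""

# Constructed contrast: the same kind of notification sent directly to the user.
LEGIT_RAW = """\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
From: service@paypal.com
To: me@recipient.example
Subject: Your automatic payment is no longer active
Content-Type: text/plain; charset="utf-8"

Your automatic payment to "Example Streaming Ltd" for $9.99 USD is no
longer active. Log in to your PayPal account to review your subscriptions.
"""

# Heuristic: North American phone formats such as +1 (888) 555-0142.
PHONE_RE = re.compile(r"\+?\d{0,2}\s?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# spf=pass / dkim=pass / dmarc=pass tokens inside Authentication-Results.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_auth_results(msg: EmailMessage) -> dict:
    """Collect the spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(value)):
            results[mech.lower()] = verdict.lower()
    return results


def recipient_addresses(msg: EmailMessage) -> list[str]:
    """Every addr-spec in To/Cc, lower-cased."""
    found = []
    for name in ("To", "Cc"):
        header = msg[name]
        if header is not None:
            found.extend(a.addr_spec.lower() for a in header.addresses)
    return found


def triage(raw: str, my_addresses: set[str]) -> dict:
    """Return authentication status plus the content-level red flags that
    authentication cannot catch: wrong recipient, list headers, phone number."""
    msg = message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    from_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""

    findings = {
        "authenticated": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "from_domain": from_domain,
        "addressed_to_me": any(a in my_addresses for a in recipient_addresses(msg)),
        "via_mailing_list": ("List-Id" in msg or "X-Google-Group-Id" in msg
                             or msg.get("Precedence", "").lower() == "list"),
        "phone_numbers": [m.group(0).strip() for m in PHONE_RE.finditer(body)],
    }
    red_flags = [] if findings["addressed_to_me"] else ["addressed_to_me"]
    red_flags += [k for k in ("via_mailing_list", "phone_numbers") if findings[k]]
    findings["red_flags"] = red_flags
    findings["verdict"] = "suspicious" if red_flags else "clean"
    return findings


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_RAW), ("legit", LEGIT_RAW)):
        print(f"--- {label} ---")
        for key, value in triage(raw, {"me@recipient.example"}).items():
            print(f"{key}: {value}")
```

Run it directly to see a report for both samples: the scam message is flagged as suspicious purely on the To: mismatch, the list headers and the phone number, while its authentication results are identical to the clean one. The phone-number regex is a heuristic tuned to North American formats and will need widening for other regions, and a legitimate notification that quotes a support number would trip it, so treat these as signals for review rather than a blocking rule.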
The Real Danger: What Happens If You Call
The scam's goal is to get you to call the fake customer service number included in the email. When victims dial, they connect with fraudsters who:
- Pose as PayPal support representatives
- Request sensitive personal and financial information
- Ask for remote access to your computer to "fix" the problem
- Install malware or steal credentials while connected
The combination of a legitimate-looking email and social engineering over the phone makes this attack particularly effective against users who panic when they see an unexpected charge.
PayPal's Response
After BleepingComputer's investigation brought this issue to light, PayPal has stated they are actively mitigating the vulnerability. "PayPal does not tolerate fraudulent activity and we work hard to protect our customers from consistently evolving phishing scams," the company said. "We are actively mitigating this matter, and encourage people to always be vigilant online and mindful of unexpected messages."
However, until the fix is fully deployed, users should remain cautious of any unexpected PayPal notifications.
How to Protect Yourself
Here are essential steps to stay safe from this and similar scams:
- Never call numbers from emails. Instead, log in directly at PayPal.com and check your account activity for any actual charges or subscriptions
- Verify through official channels. Use the contact information on PayPal's official website, not from any email
- Check the To: line. A genuine notification is addressed to your own PayPal email; an address you do not recognise is a sign the message reached you through someone else's mailing list
- Report suspicious emails. Forward them to phishing@paypal.com, then delete them
- Enable two-factor authentication on your PayPal account
- Use email privacy tools that help you identify suspicious patterns in your inbox
While Gblock focuses on blocking tracking pixels rather than phishing, maintaining good email security hygiene goes hand in hand with protecting your privacy. Being aware of how attackers exploit legitimate services helps you stay one step ahead.
The Bigger Picture: Trust No Email Blindly
This PayPal scam illustrates a broader truth about email security: even messages from legitimate senders can be weaponized. Attackers are constantly finding new ways to exploit trusted infrastructure, whether through hijacked subscriptions, compromised accounts, or manipulated tracking systems.
The best defense is a skeptical mindset. Question unexpected emails, verify through official channels, and never let urgency override your judgment. When an email tries to create panic about money or security, that's often the first sign something is wrong.
Protect your inbox. Take control of your data. Gblock has you covered!