PayPal Subscription Feature Abused in Sophisticated Phishing Campaign

Written by: Lore Apostol, Cybersecurity Writer

Key Takeaways

A new wave of cybersecurity threats has emerged involving the abuse of PayPal's legitimate infrastructure to conduct sophisticated phishing attacks. A PayPal subscription scam utilizes the platform's "Subscriptions" billing feature to send authentic-looking emails that evade traditional security detection. 

Unlike typical phishing attempts that spoof sender addresses, these emails are technically sent by PayPal's own servers (e.g., [email protected]), ensuring they pass SPF and DKIM authentication checks and land directly in the victim's inbox.

Mechanics of the Fake Purchase Emails

The core of the scam lies in the manipulation of the Customer Service URL field within PayPal's system. When a merchant pauses a subscription, PayPal automatically emails the subscriber a notification, and that notification carries whatever the merchant placed in the Customer Service field.

[Image] PayPal subscription email used in scam | Source: BleepingComputer

Scammers seem to be creating fake subscriber accounts and triggering this notification. They may be exploiting a subscription metadata handling flaw or using a method that allows invalid text to be stored in the Customer service URL field, a BleepingComputer report said.

As per the email headers, PayPal is sending the email to "[email protected]," which could be a Google Workspace mailing list automatically forwarding emails to all other group members – possibly people the scammer is targeting.

The message typically claims that a large payment, often for items like iPhones or MacBooks, has been processed. It includes a fake support phone number, urging the recipient to call to cancel the transaction. 

Because these fake purchase notifications are delivered through PayPal's legitimate systems, they look genuine; the scammers count on that credibility to induce panic and trick victims into revealing sensitive financial information over the phone.
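As an added example (not code from the article, from PayPal, or from BleepingComputer), the following Python triage script scores an inbound billing notification on the signals described above: the sender authenticates as paypal.com, the reader's own address is missing from To/Cc because the mail arrived through a group alias, and the body carries a phone number, urgency wording and a large purchase amount. The two sample messages, every address in them (including the local part of the From address), the header values and the scoring thresholds are constructed for illustration.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses, parseaddr

# Domain whose mail passes SPF/DKIM in the campaign described above.
TRUSTED_SENDER_DOMAIN = "paypal.com"

# Constructed sample of an abused subscription notice: the Customer Service
# field was used to smuggle a phone number and urgency text into the body.
# The From local part, the group alias and the phone number are placeholders.
SAMPLE_EMAIL = b"""\
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com
From: <subscription-notice@paypal.com>
To: billing-group@attacker-controlled.example
Subject: Your subscription has been paused
Content-Type: text/plain; charset=utf-8

You paid $1,199.00 USD for a MacBook Pro. If you did not authorize this
purchase, call Customer Service now at 1-800-555-0199 to cancel within 24 hours.
"""

# Constructed benign notice: addressed to the reader directly, no phone number.
BENIGN_EMAIL = b"""\
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com
From: <subscription-notice@paypal.com>
To: alice@example.test
Subject: Your subscription has been paused
Content-Type: text/plain; charset=utf-8

Your $9.99 USD monthly subscription has been paused. Log in to your account to review it.
"""

PHONE_RE = re.compile(r"(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}")
URGENCY_RE = re.compile(
    r"\b(call|cancel|within \d+ hours?|did not authorize|immediately)\b", re.I
)
AMOUNT_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?")
LARGE_AMOUNT_USD = 500.0  # constructed threshold


def authenticated_from(msg, domain):
    """True when From is in `domain` and Authentication-Results reports spf=pass and dkim=pass."""
    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", [])).lower()
    return from_domain == domain and "spf=pass" in auth and "dkim=pass" in auth


def delivered_indirectly(msg, recipient):
    """True when the reader's address is absent from To/Cc, i.e. it arrived via a list or alias."""
    listed = set()
    for field in ("To", "Cc"):
        for _, addr in getaddresses([str(v) for v in msg.get_all(field, [])]):
            listed.add(addr.lower())
    return recipient.lower() not in listed


def body_text(msg):
    """Return the text/plain body, or an empty string if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part else ""


def triage(raw, recipient, domain=TRUSTED_SENDER_DOMAIN):
    """Score one raw RFC 5322 message and return flags, score and a verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = body_text(msg)
    amounts = [float(m.strip("$ ").replace(",", "")) for m in AMOUNT_RE.findall(body)]
    flags = {
        "authenticated_sender": authenticated_from(msg, domain),
        "indirect_delivery": delivered_indirectly(msg, recipient),
        "phone_number_in_body": bool(PHONE_RE.search(body)),
        "urgency_language": len(URGENCY_RE.findall(body)) >= 2,
        "large_amount": any(a >= LARGE_AMOUNT_USD for a in amounts),
    }
    # Passing SPF/DKIM is precisely why filters let these through, so the
    # authenticated sender is a precondition, and the other signals carry the
    # suspicion: a genuine notice is addressed to you and has no number to call.
    score = sum(
        flags[k]
        for k in ("indirect_delivery", "phone_number_in_body", "urgency_language", "large_amount")
    )
    verdict = "hold for review" if flags["authenticated_sender"] and score >= 3 else "deliver"
    return {
        "flags": flags,
        "score": score,
        "verdict": verdict,
        "phone_numbers": PHONE_RE.findall(body),
    }


if __name__ == "__main__":
    for name, raw in (("abused notice", SAMPLE_EMAIL), ("benign notice", BENIGN_EMAIL)):
        result = triage(raw, "alice@example.test")
        print(f"{name}: {result['verdict']} (score {result['score']}, phones {result['phone_numbers']})")
```

The script deliberately does not treat a passing SPF/DKIM result as reassuring; it uses it only to select PayPal-originated mail, then asks whether that mail was addressed to the reader and whether it is trying to get them on the phone. Any phone number a held message extracts is a candidate for blocklisting and user education, and the extracted group alias in the To header is the value to compare across reports.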

PayPal's Mitigation and User Safety

PayPal has confirmed awareness of the issue and stated that it is taking steps to mitigate the specific method used to generate these messages. The company emphasizes that it does not tolerate fraudulent activity. Users are advised to remain vigilant against phishing tactics that rely on social engineering.

If a user receives an unexpected billing notification, the recommended course of action is to log in directly to the PayPal website or app to verify activity, rather than calling the numbers provided in the email or clicking on unverified links.

Recently, Scattered Lapsus$ Hunters were seen impersonating Zendesk in a phishing campaign aimed at stealing credentials. A July report warned that phishing attacks surged in 2025, impersonating banks and payment platforms.
