PayPal Subscription Abuse Scam: Fake Purchase Emails

December 15, 2025 Faeem BLOGS 0

A new scam is exploiting PayPal’s Subscriptions billing feature to send legitimate PayPal emails that contain fake purchase notifications, tricking recipients into believing they bought expensive items.

How the Scam Works

  • Email content:
    • Subject: “Your automatic payment is no longer active.”
    • Customer Service URL field modified to include fake purchase details (e.g., $1,300–$1,600 for a MacBook, iPhone, or Sony device).
    • Includes a phone number for “PayPal support” to cancel or dispute the charge.
    • Unicode characters used to evade spam filters and keyword detection.
  • Legitimacy illusion:
    • Emails are sent directly from service@paypal.com.
    • Pass DKIM, SPF, and DMARC checks.
    • Originate from PayPal’s own mail server (mx15.slc.paypal.com).
  • Mechanism:
    • Scammers exploit the Subscriptions feature by pausing a subscriber.
    • PayPal automatically sends a “payment inactive” email.
    • Customer Service URL field is abused to embed fake purchase text.
    • Likely using a flaw in metadata handling or an API/legacy platform to bypass URL validation.
  • Distribution trick:
    • Emails sent to a fake subscriber address (receipt3@bbcpaglomoonlight.studio).
    • This address is tied to a Google Workspace mailing list, forwarding the scam email to multiple victims.
    • Forwarding causes SPF/DMARC checks to fail downstream, but the original email still appears legitimate.

Scam Goal

  • Trick recipients into calling the fake “PayPal support” number.
  • Once on the call, scammers attempt:
    • Bank fraud (convincing victims to transfer funds).
    • Malware installation (remote access tools disguised as support software).

What You Should Do

  • Ignore the email: Do not call the number.
  • Verify your account: Log in to PayPal directly to confirm no charges.
  • Report suspicious activity: Use the PayPal app or official Contact page.
  • Stay vigilant: Even legitimate-looking emails can be weaponized.

PayPal’s Response

  • Confirmed they are mitigating the method used to send these scam emails.
  • Reiterated: “PayPal does not tolerate fraudulent activity… we encourage people to be vigilant and mindful of unexpected messages.”

This scam is particularly dangerous because it abuses PayPal’s own infrastructure, making the emails look authentic and bypassing traditional spam defenses.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.