That PayPal ‘Automatic Payment Status’ Email Is a Scam

Another PayPal phishing scam is circulating, this time using email notifications about recurring or automatic payments. The messages come from a legitimate PayPal address, which lets them slip past some security filters and leaves recipients worried that their accounts have been compromised, perhaps just enough to overlook obvious red flags and call or message the scammers.
I have personally been targeted by this scam with at least five separate emails, although all of them went straight to my spam folder. Here’s how scammers exploit PayPal settings to land in your inbox.
How the PayPal Scam Works
If you are targeted by this campaign, you may receive an email with the subject line “Your automatic payment status has changed” or “Recurring payment re-enabled.” The layout mimics a real PayPal notification and includes a message that a large payment was “successfully processed,” along with a customer service email address and phone number for contacting PayPal support.
The email is full of red flags: it’s addressed to a random name (or, in one of the messages I received, “Hello update invoice”), has bad spelling and wonky formatting, and just doesn’t make any sense. You can easily spot oddities like bold text and Unicode characters, which BleepingComputer says is a trick used to bypass spam filters and keyword detection.
The problem lies in the sender field: the email comes from service.[at]paypal[dot]com, a legitimate PayPal address, and paypal.com appears in the “signed by” field. As described by Malwarebytes Labs, this is likely an abuse of PayPal’s subscription billing functionality. If a merchant suspends a customer’s subscription, the customer receives an automatic email from PayPal informing them that their payment is no longer active. Scammers likely create fake subscriber accounts using Google Workspace mailing lists, so the automatically generated emails go to everyone on those lists. If you look at the “To:” field, you will see that the message is not actually addressed to your email address.
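As an added illustration (not from the article, PayPal, or Malwarebytes), this Python snippet checks a raw message for the two tells described above: the mailbox the mail was delivered to is missing from To:/Cc: even though DKIM passes for the sender's domain, and the text contains lookalike Unicode letters. All addresses and both messages are constructed samples.

```python
import email
import unicodedata
from email import policy
from email.utils import getaddresses
# Constructed sample (hypothetical addresses): DKIM passes for paypal.com, yet the delivered
# mailbox is not in To:, and "successfully" is spelled in Mathematical Bold letters (\U0001D42C is bold 's').
SUSPECT = """\
Delivered-To: alice@example.net
Authentication-Results: mx.example.net; dkim=pass header.d=paypal.com
From: service@paypal.com
To: billing-list@workspace-example.com
Subject: Your automatic payment status has changed
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Hello update invoice, a payment of $499.99 was \U0001D42C\U0001D42E\U0001D41C\
\U0001D41C\U0001D41E\U0001D42C\U0001D42C\U0001D41F\U0001D42E\U0001D425\U0001D425\
\U0001D432 processed. Call support: +1-555-0100
""".encode("utf-8")

# Constructed benign counterpart: the delivered mailbox is named in To:, plain ASCII text.
LEGIT = b"""\
Delivered-To: alice@example.net
From: service@paypal.com
To: Alice <alice@example.net>
Subject: Receipt for your payment

You sent a payment of $12.00 to Example Store.
"""

def recipient_mismatch(msg) -> bool:
    """True when the mailbox that received the mail is absent from To:/Cc:."""
    delivered = (msg.get("Delivered-To") or "").strip().lower()
    listed = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    return bool(delivered) and delivered not in listed

def fancy_unicode_chars(text: str) -> list:
    """Letters from the Mathematical Alphanumeric block: bold/italic lookalikes of ASCII."""
    return [c for c in text if unicodedata.name(c, "").startswith("MATHEMATICAL")]

def assess(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    result = {
        "dkim_pass": "dkim=pass" in (msg.get("Authentication-Results") or ""),  # genuine, but not proof of safety
        "to_mismatch": recipient_mismatch(msg),
        "fancy_unicode": len(fancy_unicode_chars(str(msg.get("Subject", "")) + body)),
    }
    result["suspicious"] = result["to_mismatch"] or result["fancy_unicode"] > 0
    return result
```

A passing DKIM result is expected here precisely because PayPal really sent the mail; the recipient mismatch and the lookalike letters are what separate the abuse from a normal notification.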
Exploiting these types of flaws to make phishing emails appear legitimate is a common tactic, and I’ve already covered several similar PayPal phishing campaigns this year. According to a statement provided to BleepingComputer, PayPal is working to mitigate this specific flaw.
Ignore PayPal payment notifications
If one of these PayPal messages arrives in your inbox, do not respond to it. Scammers frequently use emails, texts, and calls about your account security and financial transactions to scare you into action, and their impersonation of trusted institutions is often quite convincing.
If you’re concerned about activity on your PayPal account, go directly to the app or website and log in to view alerts and check transactions. Do not use contact information or click any links in the original notification, as this increases the risk of compromising your information or downloading malware to your device.