PayPal users beware - experts warn subscriptions are being abused to send fake purchase emails


  • Scammers are abusing PayPal’s Subscriptions feature to inject phishing messages into legitimate PayPal emails
  • A manipulated customer‑service URL and a forwarding Google Workspace list spread the fake notices widely
  • PayPal says it’s mitigating the issue and urges users to treat unexpected subscription emails with caution

Scammers are using PayPal’s “Subscriptions” feature to send convincing phishing emails and trick users into giving away access to their accounts on the platform.

Subscriptions is a feature that lets businesses charge customers automatically on a regular schedule. Customers sign up once and agree to recurring payments, which PayPal then processes automatically.

If the business terminates someone’s subscription, that person is notified via an email that comes directly from PayPal’s servers and, as such, passes most email security scans.


Abusing mailing lists

So how do the scammers abuse this feature?

As BleepingComputer explains, the email includes a customer service URL which the crooks somehow managed to modify to include the phishing message. At this time, it is unknown how they achieved that, and it is speculated that they are either abusing a flaw in how PayPal handles subscription metadata, or using an API or a legacy platform.

The message contains phishing content we’re used to seeing in these scams - warning recipients that they’ve purchased an expensive item and that, if they want to cancel the order, they should call PayPal on the phone number provided in the message.

However, this still does not answer the question of how the victims received this message if they never subscribed to a particular business.

Apparently, the original email gets sent to just one address - "receipt3@bbcpaglomoonlight.studio". The researchers believe this is a Google Workspace mailing list that automatically forwards the email to all other group members which, in this case, are the victims.

“This forwarding can cause all subsequent SPF and DMARC checks to fail, since the email was forwarded by a server that was not the original sender,” the publication wrote.
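The pattern described above can be checked on the receiving side. The following is an added example, not code from the article, BleepingComputer or PayPal: a triage heuristic that flags mail claiming a PayPal sender when it was addressed to someone other than the mailbox owner, passed through a mailing list, or was recorded as failing SPF or DMARC. The header names are standard (`List-Id`, `Authentication-Results`); the sample messages, addresses and reason labels are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

def triage(raw, mailbox, brand="paypal.com"):
    """Return reasons a brand-sent notification looks list-forwarded to `mailbox`."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    if domain != brand and not domain.endswith("." + brand):
        return []  # only triage mail that claims the brand in From:
    reasons = []
    # 1. The visible recipient is someone else (here, a single list address).
    rcpts = {a.lower() for _, a in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if mailbox.lower() not in rcpts:
        reasons.append("not-addressed-to-mailbox")
    # 2. A mailing list handled the message (List-Id, RFC 2919).
    if msg.get("List-Id"):
        reasons.append("relayed-via-list")
    # 3. The receiving server recorded SPF/DMARC failure (RFC 8601 header).
    auth = msg.get("Authentication-Results", "").lower()
    results = dict(re.findall(r"\b(spf|dmarc)=(\w+)", auth))
    for check in ("spf", "dmarc"):
        if results.get(check) == "fail":
            reasons.append(check + "=fail")
    return reasons

# Constructed sample: a PayPal-branded notice relayed by a forwarding list.
FORWARDED = """\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=paypal.com;
 dmarc=fail header.from=paypal.com
List-Id: <receipts.forwarder.example>
From: "PayPal" <service@paypal.com>
To: receipts@forwarder.example
Subject: Subscription notice (constructed sample)

Sample body.
"""

# Constructed sample: the same notice delivered directly to the account holder.
DIRECT = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=paypal.com;
 dmarc=pass header.from=paypal.com
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Subscription notice (constructed sample)

Sample body.
"""

if __name__ == "__main__":
    print(triage(FORWARDED, "victim@example.org"))
    print(triage(DIRECT, "victim@example.org"))
```

Any single reason can also occur with ordinary forwarding, so the result is a prompt for review rather than a verdict.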

PayPal was notified about the abuse, and it confirmed that it is currently working on a fix:

“PayPal does not tolerate fraudulent activity, and we work hard to protect our customers from consistently evolving phishing scams,” PayPal told TechRadar Pro.

"We are actively mitigating this matter, and encourage people to always be vigilant online and mindful of unexpected messages. If customers suspect they are a target of a scam, we recommend they contact Customer Support directly through the PayPal app or our Contact page for assistance."



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
