
PayPal Attack Warning 2025: ‘Do Not Pay, Do Not Phone’ Scam Targets Users Worldwide

What Is the Latest PayPal Attack?

The latest PayPal attack has alarmed security analysts at KnowBe4, who report that cybercriminals are sending fake invoices from PayPal's own email address (service@paypal.com). The invoices are generated by merchant accounts the scammers control, so the messages leave PayPal's mail servers exactly like genuine ones.

Here’s how it unfolds:

  1. You receive an official-looking PayPal invoice for a large purchase you never made.

  2. The email includes a customer service number urging you to call immediately to dispute the charge.

  3. That number does not reach PayPal. It connects you to a scammer posing as PayPal support.

This attack type is known as a TOAD (Telephone-Oriented Attack Delivery) scam. It blends phishing, social engineering, and fear-based tactics to manipulate victims into surrendering their personal or financial data.




How the PayPal “Do Not Pay, Do Not Phone” Scam Works

According to KnowBe4, the PayPal attack is deceptive because it comes from real PayPal infrastructure: the message passes SPF, DKIM and DMARC checks for paypal.com, so your mail provider has no sender-based reason to flag it as spam.

🔹 The invoice is legitimate in appearance — logos, layout, sender address — all check out.
🔹 The invoice claims you have made a high-value purchase (e.g., $699 for crypto services or security software).
🔹 Victims panic and call the provided number to “dispute” the charge.

The phone call is where the actual fraud happens. The so-called "agent" asks for access to your PayPal or bank account "to issue a refund," tricking users into sharing login credentials or card numbers, or into making direct transfers themselves.

Roger Grimes, CISO Advisor at KnowBe4, explains:

“Cybercriminals can send fraudulent invoices, fake refund messages, or even insert messages inside PayPal’s system. The email is real, but the purpose isn’t.”


Why This PayPal Attack Is So Dangerous

Unlike typical phishing emails that come from strange domains, this one passes authentication checks — because it’s actually sent through PayPal’s platform by a fraudulent merchant account.

That makes it harder for spam filters or mail-security tools to detect: the sender is authentic, and in the basic version of the scam there is no malicious link or attachment to score. The only hostile element is a phone number in the seller's note, plus the pressure to call it.

⚠️ Here’s why users fall for it:

  • It uses real PayPal branding and addresses.

  • The invoice looks completely genuine.

  • It creates urgency and fear of losing money.

  • It offers a “help line” — giving users a false sense of security.


PayPal’s Official Response

In an official statement to Forbes, PayPal confirmed awareness of the PayPal attack and stated:

“We do not tolerate fraudulent activity on our platform. If you receive an unexpected invoice or payment request, do not pay or respond. Instead, contact PayPal directly through the app or our official Contact Page.”

The company added that it uses advanced AI-based systems, manual reviews, and fraud detection technologies to identify suspicious activity.

Still, users are the last line of defense — your vigilance matters most.


How to Identify and Avoid the PayPal Invoice Scam

1️⃣ Check the source directly
Never click links or call numbers from suspicious emails. Instead, log in directly at paypal.com and verify your transaction history.

2️⃣ Look for emotional manipulation
If the message uses words like "urgent," "immediate action," or "your account is compromised," be cautious. A real PayPal dispute is handled through the app or website, not through a phone call to a number printed in the email.

3️⃣ Avoid attachments and PDFs
The TOAD scam often includes invoices or receipts as attachments that may contain phishing links. A genuine PayPal invoice is always viewable under Activity in your account, so you never need to open a file to check it.

4️⃣ Verify via official PayPal support
Use the contact tools within the PayPal app or website — never an external number.

5️⃣ Report the scam
Forward suspicious emails to phishing@paypal.com to help PayPal block similar attacks.
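Because the sender really is paypal.com and the mail authenticates, the useful detection signals are in the content, not the envelope: an invoice you did not expect, a phone number planted in the seller's note, and urgency wording. The script below is an added example (not code from PayPal, KnowBe4 or this article) that applies the checks from the two sections above to a raw email: it verifies the actual From address (not the display name), reads SPF/DKIM/DMARC results only from the Authentication-Results header stamped by our own mail server (the authserv-id "mx.example.net" is an assumption), and then flags invoice-like messages that carry a phone number or a link off paypal.com. The three sample messages are constructed; the phone number uses the reserved 555-01xx range. The heuristics are assumptions for triage and will flag honest merchants who list a phone number in their invoice note, so treat the output as a prompt to check Activity in the app, not as a verdict.

```python
"""Triage raw PayPal-style invoice e-mails for TOAD (call-this-number) signals."""
import email
import re
from email import policy

OUR_AUTHSERV_ID = "mx.example.net"   # assumption: id our receiving MTA writes into Authentication-Results
PAYPAL_DOMAIN = "paypal.com"

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|within 24 hours|unauthori[sz]ed|call (?:now|us)|dispute)\b", re.I)
INVOICE_RE = re.compile(r"\b(invoice|money request|payment request)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# paypal.com or a subdomain of it; "paypal.com.evil.example" does NOT match
PAYPAL_URL_RE = re.compile(r"^https?://(?:[a-z0-9-]+\.)*paypal\.com(?:[/?#]|$)", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def parse_auth_results(msg, authserv_id=OUR_AUTHSERV_ID):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from the Authentication-Results
    header written by *our* MX. Headers with another authserv-id are ignored: a
    sender can add a forged one before the mail ever reaches us."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        value = str(header)
        if value.split(";", 1)[0].strip().lower() != authserv_id.lower():
            continue
        for method, result in AUTH_RE.findall(value):
            results[method.lower()] = result.lower()
    return results


def assess_invoice(raw_message: str) -> dict:
    """Classify one raw RFC 5322 message. Sender checks first, then content checks."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Use the real address, not the display name: the display name is free text.
    from_addr = msg["From"].addresses[0].addr_spec.lower()
    from_domain = from_addr.rpartition("@")[2]
    auth = parse_auth_results(msg)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    text = re.sub(r"<[^>]+>", " ", body)            # crude tag strip for HTML bodies
    subject = str(msg["Subject"] or "")

    phones = PHONE_RE.findall(text)
    urgency = sorted({m.lower() for m in URGENCY_RE.findall(text)})
    looks_like_invoice = bool(INVOICE_RE.search(subject + " " + text))
    external = [u for u in URL_RE.findall(body) if not PAYPAL_URL_RE.match(u)]
    authenticated = from_domain == PAYPAL_DOMAIN and auth.get("dmarc") == "pass"

    if from_domain != PAYPAL_DOMAIN:
        verdict = "SENDER_NOT_PAYPAL"      # lookalike or unrelated domain
    elif not authenticated:
        verdict = "AUTH_FAILED"            # claims paypal.com but our MX saw no DMARC pass
    elif looks_like_invoice and phones:
        verdict = "TOAD_SUSPECT"           # genuine PayPal mail; the content is the attack
    elif looks_like_invoice and external:
        verdict = "SUSPECT_LINK"
    else:
        verdict = "LOW_RISK"
    return {"verdict": verdict, "from_domain": from_domain, "auth": auth,
            "phone_numbers": phones, "urgency_terms": urgency,
            "external_links": external, "looks_like_invoice": looks_like_invoice}


# ---- constructed sample messages (not real traffic) ----
SCAM_INVOICE = """\
From: "service@paypal.com" <service@paypal.com>
To: victim@example.net
Subject: Invoice from Crypto Secure Services (0123)
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Content-Type: text/plain; charset="utf-8"

Crypto Secure Services sent you an invoice for $699.00 USD.

Note from seller: This charge was authorized from a new device. If you did
not make this purchase, call our support line at 1-800-555-0199 immediately
to dispute the charge within 24 hours.

View and pay invoice: https://www.paypal.com/invoice/p/#EXAMPLE
"""

BENIGN_INVOICE = """\
From: "service@paypal.com" <service@paypal.com>
To: client@example.net
Subject: Invoice from Acme Web Design (0456)
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Content-Type: text/plain; charset="utf-8"

Acme Web Design sent you an invoice for $250.00 USD for the March website retainer.

View and pay invoice: https://www.paypal.com/invoice/p/#EXAMPLE2
"""

LOOKALIKE_PHISH = """\
From: "PayPal Service" <service@paypal-billing-center.com>
To: victim@example.net
Subject: Payment request: action required
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal-billing-center.com; dkim=none; dmarc=none
Content-Type: text/plain; charset="utf-8"

Your account has been charged $499.99. Log in now to cancel:
https://paypal.com.secure-verify.example/login
"""

if __name__ == "__main__":
    for name, raw in [("scam", SCAM_INVOICE), ("benign", BENIGN_INVOICE), ("lookalike", LOOKALIKE_PHISH)]:
        print(name, assess_invoice(raw)["verdict"])
```

The ordering matters: the domain and DMARC checks come first because they catch the older spoofed-sender phishing, and only a message that passes them is examined for the TOAD pattern. The PAYPAL_URL_RE anchor after `paypal.com` is what stops `paypal.com.secure-verify.example` from being accepted as a PayPal link.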


Expert Insights: The Psychology Behind PayPal Scams

Security researchers point out that TOAD-style scams exploit the same psychological triggers as classic phishing: fear, urgency, and authority.

Scammers know that if you believe you're talking to "PayPal Support," you're more likely to hand over information willingly.

KnowBe4 highlights that even trained users can fall for invoice-based phishing, especially when it appears legitimate. This shows that education alone isn’t enough — we need layered defense mechanisms.


What To Do If You Fell for the PayPal Attack

If you’ve already interacted with one of these fake invoices:

  1. Change your PayPal password immediately.

  2. Enable two-factor authentication (2FA) or, better yet, switch to a PayPal Passkey.

  3. Contact your bank or card issuer to block unauthorized transactions.

  4. Run a malware scan if you opened any attachments.

  5. Report the incident to both PayPal and your financial institution.

External Resource:
PayPal Security Center – Smarter Than Scams Campaign


Comparison Table: Real vs Fake PayPal Invoice

Feature           Real PayPal invoice                              Fake PayPal invoice (TOAD)
Sender address    service@paypal.com, passes SPF/DKIM/DMARC         Same address, but sent from a scammer's merchant account
Content           A purchase you actually made                     An unknown or fabricated purchase (e.g., $699 "crypto services")
Contact number    None needed; disputes go through the app         A "helpline" number placed in the seller's note
Link destination  paypal.com (https)                               Usually also paypal.com, since the invoice is real; any other domain is phishing
Refund handling   Through the app or website                       Over the phone, where the "agent" asks for credentials or a transfer

Pros & Cons of PayPal’s Current Security System

Pros:

  • Strong fraud detection algorithms

  • Two-factor authentication support

  • Real-time transaction alerts

  • Works with consumer protection agencies

Cons:

  • Limited detection of scam invoices created on the platform itself

  • Users must manually verify emails

  • Easy for scammers to create fake business accounts

  • Still vulnerable to TOAD-style attacks



FAQs about the PayPal Attack 2025

1️⃣ What is the “Do Not Pay, Do Not Phone” warning?
It's the official advice from PayPal not to pay or respond to unexpected invoices, even when they arrive from PayPal's real email address.

2️⃣ Can PayPal detect these fake invoices automatically?
Not always — because the emails are technically genuine, coming from actual PayPal accounts.

3️⃣ How can I confirm if an invoice is real?
Log in directly to your PayPal account and check your “Activity” section — never click on links in the email.

4️⃣ What should I do if I called the fake number?
Disconnect immediately, block the number, and change all relevant passwords.

5️⃣ Why is this scam trending again in 2025?
Because cybercriminals adapt older scams with new delivery methods that bypass spam filters.

6️⃣ Is PayPal doing enough to stop it?
PayPal partners with organizations like the FTC and AARP, but detection remains a shared responsibility.


Conclusion

The PayPal Attack 2025 is a sharp reminder that even legitimate-looking emails can be fake. As scammers evolve, so must our awareness.

Always remember PayPal’s golden rule: “Do Not Pay. Do Not Phone.”
Instead, check your account directly, secure your passwords, and enable two-factor authentication today.

