A New PayPal Scam Shows How Legitimate Infrastructure Is Becoming the Attack Surface
- Cyber Jack

- 4 days ago
An unusual PayPal scam is highlighting how attackers increasingly rely on trusted platforms rather than obvious forgeries to slip past both technical defenses and human suspicion.
Over the past several weeks, security researchers and users have observed phishing campaigns that exploit PayPal’s own subscription and notification systems to deliver emails that look entirely legitimate. The messages arrive from PayPal’s real infrastructure, use authentic templates, and land directly in inboxes that would normally filter out obvious fraud. To recipients, the emails appear to confirm the purchase of an expensive device and urge them to call a phone number to dispute the charge.
The trick works because the message itself is real, even if the content embedded inside it is not. By abusing metadata fields tied to PayPal subscriptions, attackers can insert alarming text that masquerades as a transaction notice. The goal is not to steal login credentials directly, but to push victims into calling a fake support number where social engineering takes over. Similar phone-based scams have historically been used to extract banking details or persuade users to install remote-access malware.
What makes this campaign notable is its relationship with email authentication. In many cases the initial messages originate from PayPal's servers and appear trustworthy at a glance. But once forwarded through mailing lists or other infrastructure controlled by the attacker, the relaying host is one that PayPal's SPF record does not authorize, so SPF fails and, unless a DKIM signature survives the relay intact and aligns with the From domain, DMARC fails with it. That nuance is invisible to most users, yet critical for defenders.
“It is notable that while this attack abuses legitimate infrastructure to bypass many authentication methods, in its current form it still fails SPF and DMARC checks. Although normal users cannot be expected to know what those are, it is still important for organizations to automatically add banners to emails stating that they failed some form of authentication check. Constant vigilance and skepticism of all emails regardless of source is important as this is not the first time that legitimate infrastructure has been abused to send emails that appear legitimate but can lead to compromise,” said Max Gannon, Cyber Intelligence Team Manager at Cofense.
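The banner Gannon describes is driven by the Authentication-Results header that an organization's own inbound mail server stamps on each message. The following example, added here and not code from the article or from Cofense or PayPal, reads that header with Python's standard `email` library, treats any check that did not pass as a failure, and prepends a warning to the message. The two sample messages, the `mx.example.org` authserv-id and the `X-Auth-Warning` header name are all constructed for illustration. Note the caveat a gateway must honor: only results stamped by your own server (identified by its authserv-id) are trusted, since an upstream relay, or the attacker, can add an Authentication-Results header of their own.

```python
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage

# Hypothetical identifier of our own inbound MX. Only Authentication-Results
# headers stamped with it are trusted; headers from other hops are ignored.
TRUSTED_AUTHSERV_ID = "mx.example.org"

# method=verdict tokens as defined for Authentication-Results (RFC 8601).
AUTH_RESULT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b",
    re.IGNORECASE,
)

# Constructed sample messages (not real PayPal mail). DIRECT_RAW arrived
# straight from the sender's own servers. RELAYED_RAW is the same template
# pushed through a third-party list host whose IP the sender's SPF record does
# not authorize; the list host also stamped its own (untrusted) results header.
DIRECT_RAW = b"""\
Authentication-Results: mx.example.org;
\tspf=pass smtp.mailfrom=service.example.net;
\tdkim=pass header.d=example.net;
\tdmarc=pass header.from=example.net
From: Example Billing <service@example.net>
To: victim@example.org
Subject: Receipt for your subscription
Content-Type: text/plain; charset=utf-8

Thank you for your order. Call +1-555-0100 within 24 hours to dispute.
"""

RELAYED_RAW = b"""\
Authentication-Results: mx.example.org;
\tspf=fail smtp.mailfrom=list.example.com;
\tdkim=fail header.d=example.net;
\tdmarc=fail header.from=example.net
Authentication-Results: list.example.com;
\tspf=pass smtp.mailfrom=service.example.net
From: Example Billing <service@example.net>
To: victim@example.org
Subject: Receipt for your subscription
Content-Type: text/plain; charset=utf-8

Thank you for your order. Call +1-555-0100 within 24 hours to dispute.
"""


def parse_auth_results(msg: EmailMessage) -> dict[str, str]:
    """Return {method: verdict} from Authentication-Results headers we stamped.

    The authserv-id is the first token before the first ';'. Headers carrying
    any other authserv-id came from upstream hops and are skipped.
    """
    results: dict[str, str] = {}
    for header in msg.get_all("Authentication-Results", []):
        text = str(header)
        authserv_id = text.split(";", 1)[0].strip().split()[0]
        if authserv_id.lower() != TRUSTED_AUTHSERV_ID:
            continue
        for method, verdict in AUTH_RESULT_RE.findall(text):
            results[method.lower()] = verdict.lower()
    return results


def failed_checks(results: dict[str, str]) -> list[str]:
    """Methods whose verdict is anything but 'pass'; a missing verdict counts as failed."""
    return [m for m in ("spf", "dkim", "dmarc") if results.get(m, "none") != "pass"]


def banner_for(msg: EmailMessage) -> str | None:
    """Warning text for the user, or None when every check passed."""
    failed = failed_checks(parse_auth_results(msg))
    if not failed:
        return None
    return (
        "WARNING: this message failed email authentication ("
        + ", ".join(failed)
        + "). Do not call phone numbers in it; check your account through the provider's own app or website."
    )


def annotate(raw: bytes) -> EmailMessage:
    """Parse a raw message and, if it failed authentication, add a header and a body banner."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    banner = banner_for(msg)
    if banner is not None:
        msg["X-Auth-Warning"] = banner  # hypothetical header consumed by the mail client
        if msg.get_content_type() == "text/plain":
            msg.set_content(banner + "\n\n" + msg.get_content())
    return msg


if __name__ == "__main__":
    for name, raw in (("direct", DIRECT_RAW), ("relayed", RELAYED_RAW)):
        annotated = annotate(raw)
        print(name, "failed:", failed_checks(parse_auth_results(annotated)))
```

Run as written, the direct message gets no banner while the relayed one is flagged for spf, dkim and dmarc even though the list host's own header claims spf=pass. A real gateway would also handle multipart bodies and strip inbound Authentication-Results headers before stamping its own, so that the authserv-id check cannot be confused by a forged one.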
The broader lesson is uncomfortable but clear. As platforms like PayPal harden their defenses, attackers increasingly look for cracks in business logic rather than outright technical vulnerabilities. Instead of spoofing domains, they piggyback on systems designed to communicate with customers at scale. The result is a message that passes the eye test and often reaches users before security teams can react.
PayPal has acknowledged the issue and says it is actively mitigating the technique being used to generate these emails. For now, security experts advise users to avoid calling phone numbers embedded in unexpected billing messages and to verify account activity by logging into PayPal directly through the official app or website.
For organizations, the incident underscores the importance of layered defenses that combine technical signals with clear user warnings. When even legitimate emails can be weaponized, trust alone is no longer a reliable security control.