PayPal Phishing Scam Exploits “New Address” Feature

by CybrGPT

Scammers are exploiting PayPal’s address settings to send phishing emails that appear legitimate, tricking users into thinking their accounts have been compromised.

According to a new report from BleepingComputer, users have been complaining for more than a month of receiving emails from PayPal confirming a newly added shipping address.

“You added a new address. This is just a quick confirmation that you added an address in your PayPal account,” reads the scam email.

[Image: PayPal phishing email. Source: BleepingComputer]

These messages, sent from PayPal’s official address, “[email protected]”, claim that a MacBook M4 purchase has been linked to the recipient’s account and ask them to call a support number if they did not authorize the transaction.

“Confirmation: Your shipping address for the MacBook M4 Max 1 TB ($1098.95) has been changed. If you did not authorize this update, please reach out to PayPal at +1-888-668-2508,” it further adds.

Despite their appearance, these emails are fraudulent. Many recipients, including those without PayPal accounts, have confirmed that no addresses were actually added.

Because the scammers send their message through PayPal’s legitimate email infrastructure (“[email protected]”), it passes SPF, DKIM and spam filters that would catch a spoofed sender. On top of that, the wording leads recipients to believe their account has been hacked.

How The Scam Works

The emails are designed to mislead recipients into thinking their PayPal account was hacked to make a MacBook purchase, pressuring them to contact a scammer’s “PayPal support” number.

When a victim calls the fake support number, they hear an automated message claiming to be PayPal customer service and are asked to hold while a support person becomes available. The call then connects the recipient to a supposed “customer support” representative.

The scammer attempts to scare the victim into believing their account has been hacked and persuades them to download remote access software to secure their accounts and prevent the supposed transaction.

If installed, the software grants scammers control over the victim’s device, potentially leading to financial theft, data breaches, or malware infections.

According to BleepingComputer, which tested the scheme, it abuses PayPal’s “gift address” feature, which lets users add secondary addresses to their accounts.

Scammers insert their phishing message into the address field, triggering PayPal’s system to send a confirmation email containing the fraudulent purchase details. They then use a mailing list trick to distribute the message to numerous targets.

How To Protect Yourself

If you receive an email about an unauthorized address change containing a suspicious purchase confirmation, even one that genuinely comes from PayPal’s servers, do not call the listed number.

Instead, log into your PayPal account directly to verify any changes. If everything appears normal, ignore and delete the email.

Such scams are possible because PayPal places no limit on the number of characters that can be entered in the address form fields, so an entire scam message fits inside a single “address”.

To fix this, PayPal would need to enforce stricter character limits on address fields so that threat actors cannot inject deceptive scam messages into its own confirmation emails.

PayPal has yet to comment on the report.
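The article’s point is that an unbounded free-text field ends up verbatim inside a trusted notification email. The following is an added illustration, not PayPal’s code or anything from BleepingComputer’s report: a generic address-validation step that a notification pipeline could run before rendering a confirmation email. The length limit, the flagged-word list and the regular expressions are assumptions chosen for the example, and the scam-style address text and phone number are constructed (the number is a reserved placeholder, not the one quoted above).

```python
import re

# Constructed sample inputs. The scam line mimics the wording the article
# quotes; the phone number is a placeholder, not the number in the report.
SCAM_ADDRESS_LINE = (
    "Confirmation: Your shipping address for the MacBook M4 Max 1 TB "
    "($1098.95) has been changed. If you did not authorize this update, "
    "please reach out to PayPal at +1-800-555-0100"
)
LEGIT_ADDRESS_LINE = "221B Baker Street, Flat 2"

# Assumed policy values for this example (a real service would tune these).
MAX_LINE_LEN = 60                       # a postal address line rarely exceeds this
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")   # 9+ digit/separator run
MONEY_RE = re.compile(r"[$€£]\s?\d")              # currency symbol + amount
URL_RE = re.compile(r"(https?://|www\.)", re.I)
URGENCY_WORDS = ("authorize", "unauthorized", "call", "contact",
                 "reach out", "confirmation", "changed")


def address_line_problems(line: str) -> list[str]:
    """Return a list of policy violations for one address line (empty = clean)."""
    problems = []
    if len(line) > MAX_LINE_LEN:
        problems.append("too_long")
    if PHONE_RE.search(line):
        problems.append("phone_number")
    if MONEY_RE.search(line):
        problems.append("currency_amount")
    if URL_RE.search(line):
        problems.append("url")
    lowered = line.lower()
    if any(word in lowered for word in URGENCY_WORDS):
        problems.append("urgency_wording")
    return problems


def is_acceptable_address(lines: list[str]) -> bool:
    """True only if every line of the address passes the checks above."""
    return all(not address_line_problems(line) for line in lines)


def build_confirmation_email(lines: list[str], validate: bool = True) -> str:
    """Render the 'you added a new address' notification.

    validate=False reproduces the weak behaviour the article describes: whatever
    the user typed is pasted straight into a trusted email. validate=True is the
    hardened form: the address is rejected before any email is generated.
    """
    if validate and not is_acceptable_address(lines):
        raise ValueError("address rejected: " + ", ".join(
            p for line in lines for p in address_line_problems(line)))
    body = "You added a new address. This is just a quick confirmation.\n\n"
    body += "\n".join(lines)
    return body


if __name__ == "__main__":
    print(address_line_problems(SCAM_ADDRESS_LINE))
    print(build_confirmation_email([LEGIT_ADDRESS_LINE]))
    try:
        build_confirmation_email([SCAM_ADDRESS_LINE])
    except ValueError as exc:
        print(exc)
```

The checks are deliberately layered: a length cap alone stops the long message quoted in the article, while the phone-number and currency patterns also catch a shorter variant that fits within the limit. Rejecting the address at submission time means no confirmation email is ever produced, which is the step where the trusted sender address does the scammer’s work.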
