Is [email protected] legit, or a scam?
Short answer: the sender is real. [email protected] is a genuine PayPal address, and the invoice email really does come from PayPal's own servers, which is exactly why it lands clean and looks trustworthy. The scam is the invoice itself: an unexpected charge for something you never bought, with a phone number to "call and cancel." The address is real. The charge is fake. Here is how to tell them apart and what to do.
Verdict: real PayPal sender, fake charge - do not pay, do not call
[email protected] is a real PayPal email address, and the invoice genuinely arrives from PayPal's own system. But an unexpected invoice or money request for a purchase you never made, often a roughly $500 Coinbase order or a Geek Squad or Norton "renewal," is a scam. Scammers abuse PayPal's invoicing to send you a real-looking bill with a phone number to "cancel" or "dispute." Do not pay it. Do not call the number in it. Verify the only safe way: open paypal.com or the app yourself and sign in. Your real account will show no such charge.
The Brief
This is the counterintuitive part, so read it slowly. The naive rule "the email is from PayPal's real address, so it is safe" is exactly the assumption this scam is built to exploit. Yes, [email protected] is the address PayPal really uses for invoices and money requests, and yes, the email passes every authentication check and lands in your inbox looking flawless. That is not because a scammer faked it. It is because a scammer used PayPal's own "send an invoice" feature to bill you. The sender is genuine. The charge inside it is not.
So the honest answer to "is [email protected] legit" is: the address is, but a given message from it is only as trustworthy as the charge it carries. An invoice you expected from someone you actually do business with is fine. An invoice for a ~$500 coinbase.com purchase you never made, or a Geek Squad or Norton renewal you never signed up for, is the scam, even though it came from real PayPal. The trap is not a website at all. It is a phone number written into the invoice, and the rule that beats it is the same one that beats the PayPal account verification email scam: never act from the message, verify on paypal.com yourself.
Why a real PayPal email can still be a scam
Most phishing relies on faking the sender. This one does not, and that is what makes it slip past people. PayPal lets any account holder create and send an invoice or request money from another email address. The scammer opens a PayPal account, builds an invoice for a fake purchase, and sends it to you. PayPal's system then mails it out from [email protected], with PayPal's real branding, real formatting, and valid authentication. Nothing about the envelope is forged, because nothing needs to be.
That means your usual checks fail here. The From line reads [email protected] because it genuinely is from PayPal. It is not in your spam folder, because it is legitimate mail. The links in it may even point to real paypal.com pages. None of that tells you the charge is real. The only thing that settles it is your actual account balance and activity, which the email cannot show you and the scammer cannot touch.
This is why the check further down never trusts the email. You do not read the invoice for clues, you do not call to "sort it out," and you do not click "pay" or "dispute" inside the message. You open PayPal on your own and let your real account tell you whether the charge exists. Spoiler: it does not.
What the scam invoice looks like
It arrives as a normal PayPal invoice or money request. The subject is something like "Invoice from Coinbase," "You have a money request," or "Receipt for your purchase." The amount is usually large enough to alarm you but not absurd, often around $499 to $750. The seller name is a brand you recognize, frequently coinbase.com for a fake crypto purchase, or a Geek Squad, Norton, or PayPal "support" name for a fake renewal or a fake refund.
The payload sits in the notes, memo, or seller fields, the parts the scammer controls. It reads close to this: "Your account was charged $499.00 for a Coinbase purchase. If you did not authorize this, call 1-888-XXX-XXXX within 24 hours to cancel." A phone number, a deadline, and a fake charge. That is the whole scam. There may be no malicious link at all, because the link is not the trap. The number is.
Call it and a "support agent" answers. They will sound calm and official. Then they steer you into the real damage: installing remote-access software so they can "reverse the charge," buying gift cards to "hold" the refund, or moving money out of your bank to "protect" it. It is the same machinery as the Geek Squad invoice scam and the Norton renewal scam, where the fake bill exists only to get you to dial. Here, PayPal's real invoicing just made the bait look more believable.
The phone number is the trap, not a website
Worth saying plainly, because it breaks the usual scam-spotting habit. In most phishing you hunt for a bad link or a lookalike domain. This scam often has neither. There is no fake paypal.com twin to catch, because the email is from the real PayPal. The dangerous artifact is a string like 1-888-XXX-XXXX (an illustrative placeholder, not a real number) sitting in the invoice notes, framed as "the number to call to cancel."
Treat any phone number printed inside an unexpected invoice as hostile. Real PayPal does not bury a "call this number to cancel" line in invoice notes, and it does not resolve disputes by phone calls you initiate from a bill. If you ever need PayPal support, you reach it from inside your account on paypal.com or the official app, never from a number an invoice handed you. The same "call this number" pressure drives the Apple security alert call-number scam and the broader fake invoice phone number scam.
Real PayPal invoice vs. the scam: the deciding factor
Since the sender is genuinely PayPal in both cases, the deciding factor is whether you were expecting the charge and whether it shows up in your real account.
A real PayPal invoice or money request comes from someone you actually transact with, for an amount and a purchase you recognize, and it appears in your PayPal account activity when you log in yourself. You can review and act on it from inside the app or paypal.com without ever using a link or a number from the email.
A scam invoice is for a purchase you never made, names a brand to scare you, sets a short deadline, and pushes you to a phone number to "cancel" or "dispute." When you sign into paypal.com, there is no matching charge against your balance, because no real money moved. An invoice you ignore cannot take a cent from you. Only paying it, or calling and being talked into sending money, does that.
The 30-second check: sign into paypal.com yourself
This is the whole answer to "is this charge real." It works whether the email is genuine or a scam, because it never relies on the email.
- Do not call the number and do not click anything in the email. Not "cancel," not "dispute," not "pay." Leave the message where it is.
- Open a fresh tab or the PayPal app. Type paypal.com into the address bar yourself, or use a bookmark or the official app. Do not search and click an ad.
- Sign in normally and open your activity. If real money had left your account, you would see the transaction here, on the real site. Check your balance and recent activity.
- Look for the invoice under your money requests. An unpaid invoice from a stranger sits as a pending request you can simply cancel or report. It has not charged you, and it will not unless you pay it.
- No matching charge means nothing happened. The "purchase" was never real. Mark the invoice as a scam from inside PayPal and move on. Your money is untouched.
That is the rule for every "PayPal" charge, including anything from [email protected]: judge it on your real account, never on the email. The same approach is the core of our guide on the Coinbase account suspended scam email, which often pairs with these fake Coinbase invoices.
Red flags in the scam invoice
- A purchase you never made. A ~$500 Coinbase order, a Geek Squad or Norton renewal, an antivirus "auto-charge" you never signed up for. If you did not buy it, you do not owe it.
- A phone number to "call and cancel." Real PayPal does not put a "call this number to dispute" line in an invoice. A number in the notes is the trap, full stop.
- Urgency with a deadline. "Call within 24 hours or the charge goes through." The clock exists to stop you logging in and checking calmly.
- The brand is in the seller name, not the email. "Coinbase" or "Norton" appears as the invoice sender label, while the email itself is plain [email protected]. That mismatch is the abuse of PayPal's own invoicing.
- It asks you to "secure" or "move" your money. Once on the call, any instruction to install software, buy gift cards, or transfer funds to a "safe account" is the scam doing its real work.
- No matching charge in your real PayPal account. The deciding tell. If paypal.com shows no such transaction, the invoice is fake no matter how real the email looks.
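The red flags that can be read from the message itself, written as a mail-triage check. This is an added example, not SafeBrowz or PayPal code; the field names, the `known_payees` set, the patterns and both sample invoices are constructed assumptions.

```python
import re

# Matches North American style numbers, including the masked placeholder
# form this article uses (1-888-XXX-XXXX).
PHONE_RE = re.compile(
    r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?[\dX]{3}[\s.-]?[\dX]{4}", re.I)
DEADLINE_RE = re.compile(r"within\s+\d+\s+(?:hours?|hrs?|days?)", re.I)
BRANDS = ("coinbase", "geek squad", "norton", "paypal")  # brands named on this page


def invoice_red_flags(inv, known_payees=frozenset()):
    """List red flags in the sender-controlled fields of a PayPal invoice mail.

    `inv` is a dict with hypothetical keys: seller_name, seller_email, note,
    auth_pass. auth_pass is deliberately ignored: the mail really is from
    PayPal, so passing authentication says nothing about the charge.
    """
    text = f"{inv.get('seller_name', '')} {inv.get('note', '')}"
    flags = []
    if PHONE_RE.search(text):
        flags.append("phone_number")
    if DEADLINE_RE.search(text):
        flags.append("deadline")
    if any(b in inv.get("seller_name", "").lower() for b in BRANDS):
        flags.append("brand_in_seller_name")
    if inv.get("seller_email", "").lower() not in known_payees:
        flags.append("unknown_payee")
    return flags


def verdict(flags):
    # A phone number plus any second flag is the callback pattern.
    if "phone_number" in flags and len(flags) >= 2:
        return "likely_callback_scam"
    return "review" if flags else "no_red_flags"


# Constructed samples; the scam note reuses the wording quoted in this article.
SCAM = {"seller_name": "Coinbase", "seller_email": "billing@example.invalid",
        "auth_pass": True,
        "note": "Your account was charged $499.00 for a Coinbase purchase. "
                "If you did not authorize this, call 1-888-XXX-XXXX within "
                "24 hours to cancel."}
EXPECTED = {"seller_name": "Dana Ruiz Design", "seller_email": "dana@example.com",
            "auth_pass": True,
            "note": "Logo design work for March, as agreed. Thanks!"}
```

None of these flags replaces the account check: the deciding tell is still whether paypal.com shows a matching charge.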
What to do if you already called or paid
Move fast. The danger grows the further down the call you went.
- If you gave remote access, disconnect now. Turn off Wi-Fi, close the remote-access app, and uninstall it. Run a full security scan and change passwords from a different, clean device.
- If you paid the invoice, open a dispute in PayPal. Go to paypal.com by typing the address yourself, find the transaction, and report it through the Resolution Center as an unauthorized or scam charge.
- If you bought gift cards, contact the card issuer immediately. Report the cards as used in a scam and ask whether any balance can be frozen. Keep the cards and receipts.
- If you moved money from your bank, call your bank's fraud line. Use the number on the back of your card, report the transfer as fraud, and ask about recall options.
- Change your PayPal password and turn on 2FA. Do it from a clean device. Review linked cards, bank accounts, and authorized logins, and remove anything you do not recognize.
- Report it. Forward the scam email to [email protected], then file with the FTC and FBI as below.
How to report the scam
- Report it to PayPal. Forward the invoice email to [email protected], and report the request from inside your account so PayPal can act on the sending account.
- Report the scam to the FTC at reportfraud.ftc.gov. This feeds the consumer-protection data behind warnings like this one.
- In the US, report to the FBI Internet Crime Complaint Center at ic3.gov if you lost money or gave remote access.
- Delete the email after reporting. Do not call the number on the way out.
How SafeBrowz blocks this threat
To be honest about scope: this particular scam's trap is a phone number, and SafeBrowz scans links and pages, not the text of your email or the digits in an invoice. So the human rule is the primary defense: never call a number an invoice gives you, and verify by signing into paypal.com yourself. Where SafeBrowz does protect you is the next step. These scams often graduate into a fake PayPal or Coinbase login or payment page ("sign in here to dispute the charge"). SafeBrowz's 3-layer engine (Local + APIs + AI) flags a fake PayPal or Coinbase login page, meaning a brand name like PayPal or Coinbase sitting on a domain that is not paypal.com or coinbase.com, before you ever type a password, because it checks the domain against a 550+ brand database, not just a blocklist. That catches a brand-new lookalike the moment the scam tries to send you to one.
SafeBrowz works from a threat-intelligence methodology and an internal brand database. It does not collect or store your browsing history.
Install SafeBrowz free
Add the browser extension, or the SafeBrowz Android app, that checks every URL before it renders, on every page, against a 550+ brand database. Free forever, with optional Premium AI deep scan at $14.99 per year.
Frequently asked questions
Is [email protected] a real PayPal email?
Yes. [email protected] is a genuine PayPal address, and invoices and money requests really are sent from it by PayPal's own system. That is exactly why this scam works: a scammer uses PayPal's "send an invoice" feature to bill you, so the email arrives from the real PayPal with real branding and valid authentication. The sender being real does not make the charge real. Verify by signing into paypal.com yourself and checking your activity.
I got a PayPal invoice for a Coinbase purchase I never made. What do I do?
Do not pay it and do not call any number in it. The fake Coinbase invoice is a common version of this scam: a real PayPal email for a roughly $500 crypto purchase you never authorized, with a phone number to "cancel." Open paypal.com or the app yourself, sign in, and check your activity. There will be no matching charge, because no money moved. Cancel or report the invoice from inside PayPal and forward the email to [email protected].
Should I call the number in the PayPal invoice?
No. The phone number is the trap. Real PayPal does not put a "call to cancel" number in an invoice, and it does not resolve disputes through a call you start from a bill. Calling connects you to a scammer who will try to get you to install remote-access software, buy gift cards, or move money to "protect" it. If you need PayPal support, reach it only from inside your account on paypal.com or the official app, never from a number an invoice gave you.
How do I check if a PayPal charge is real?
Ignore the email entirely and check your real account. Type paypal.com yourself or open the official app, sign in, and look at your balance, activity, and money requests. A genuine charge shows up there. A scam invoice sits as a pending request from a stranger that has not taken any money and never will unless you pay it. If there is no matching charge in your account, the invoice is fake no matter how authentic the email looks.
The email passed all spam and security checks. Doesn't that mean it is safe?
No. The email passes authentication because it genuinely came from PayPal's servers, not because the charge is legitimate. A scammer used PayPal's own invoicing to send it, so there is nothing to fake and nothing for a spam filter to catch. Authentication tells you the message really is from PayPal. It does not tell you the invoice inside it is one you owe. Only your actual account activity settles that.
Is this the same as a Geek Squad or Norton renewal email?
It is the same family. Fake Geek Squad and Norton renewal "invoices" use an identical playbook: a real-looking bill for a subscription you never bought, plus a phone number to call and "cancel." The PayPal version just routes the bait through PayPal's real invoicing, which makes it look more credible. The rule is the same in all of them: do not call the number, do not pay, and verify directly with the real service. See our breakdowns of the Geek Squad and Norton versions for more.
Bottom line: [email protected] is a real PayPal address, and the invoice really comes from PayPal, but an unexpected charge for a purchase you never made is a scam. Do not pay it, and never call the number written into it. Verify the only safe way: sign into paypal.com yourself, where no such charge exists. And because these scams often try to funnel you onto a fake PayPal or Coinbase login page next, put SafeBrowz on your browser so that the fake page is flagged before you type a password.