What the scam looks like
The email shows the PayPal blue logo, a subject line like "Action required: verify your account" or "Important: unusual activity detected," and a button labeled "Verify Now" or "Resolve Issue." The button leads to a fake PayPal login page that captures your email and password, then a "verification" form that asks for your name, address, date of birth, full credit card or bank account number, security code, and sometimes a Social Security number. The attacker uses the stolen data either to drain the PayPal balance, open lines of credit, or sell the full identity bundle on a dark-web marketplace for $20 to $200 depending on completeness.
Real PayPal emails are conservative. They say "log in to your PayPal account" and they link to paypal.com only. They never ask for your full Social Security number or full card details by email.
The 7 message variants in active rotation
1. Unusual activity
"We've detected unusual login activity on your PayPal account. To protect you, your account has been temporarily limited."
2. The fake payment received
"You received a payment of $487.50 from [random name]. To accept this payment, click here." The user clicks expecting to grab the money, lands on the fake login.
3. The fake payment sent
"You authorized a payment of $899 to [some company]. If you did not authorize this, click here to cancel." Counterpart to variant 2, exploits panic instead of greed.
4. The verification deadline
"Your PayPal account will be limited in 48 hours unless you verify your information."
5. The new login alert
"A new device just signed in to your PayPal account from [random country]. If this was not you, secure your account."
6. The fake invoice
"You have a new invoice for $1,247.99 from [generic business name]. View invoice." Sometimes the invoice is sent through PayPal's actual system (PayPal invoicing is a real feature scammers abuse), making the email pass DMARC checks.
7. The refund offer
"We owe you a refund of $35.99 due to a billing error. Click here to receive your refund." The refund form asks for the card to refund to.
How to spot the fake in 10 seconds
- Sender domain. Real PayPal sends from @paypal.com, @service.paypal.com, or @email.paypal.com. Anything else (like @paypal-secure.com, @paypal-account.support, @security-paypal.net) is a scam. Look at the part after the last dot pair: service.paypal.com is owned by paypal.com; paypal-account.support is owned by whoever registered paypal-account.support.
- Link destination. The button must lead to paypal.com. Hover over the button (long-press on a phone) to see the real target, because the button text can say anything. Read the hostname from the right: the owner is the last two labels before the first slash, so paypal.com.verify.xyz belongs to verify.xyz and is not PayPal, and paypal-secure.xyz is not PayPal. Only paypal.com (with country variants like paypal.co.uk) is real.
- Greeting. Real PayPal uses the first and last name on the account. "Dear PayPal Customer" or "Dear User" is fake. The reverse does not hold: a scammer who bought a data bundle knows your name, so a correct greeting proves nothing on its own.
- Urgency. "48 hours" or "your account will be permanently limited" is pressure. Real PayPal limitation reviews take longer and never require you to click an email link.
- Asks for SSN, card number, or bank password by email. Real PayPal never does. Ever.
- Invoice from a name you don't recognize. Even if it came through PayPal's real invoicing system, just delete or report. Do not click "Pay now."
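The checks in this list can be scripted. The following is an added example written for this article, not PayPal's code and not the code of any browser extension: it parses a raw email with the Python standard library, reads the sender domain, the real hostname behind every link, the greeting, any request for card or SSN data, and the DMARC result, and returns a verdict. Both sample messages, their addresses, link hosts, the "Northwind Supplies LLC" name and the Authentication-Results lines are constructed for the demo; the allow-list of PayPal domains is the one given above and is an assumption of the script.

```python
"""Offline triage of a suspected PayPal phishing email (added example, not
PayPal's or any extension's code). Samples are constructed; allow-list assumed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

PAYPAL_DOMAINS = {"paypal.com", "paypal.co.uk"}  # assumed allow-list, from the article


def registrable_domain(host: str) -> str:
    """Read the hostname from the right: 'paypal.com.verify.xyz' -> 'verify.xyz'.
    Handles the 'co.uk' shape; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "com", "org", "net"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_paypal_host(host: str) -> bool:
    return registrable_domain(host) in PAYPAL_DOMAINS


class LinkExtractor(HTMLParser):
    """Collect href targets; the visible button label proves nothing."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def triage(raw_email: str) -> dict:
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    # dmarc=pass only proves the mail came from the From-header domain; it does not say
    # that domain is PayPal's, and a scam invoice sent through PayPal's own system passes too.
    dmarc_pass = re.search(r"\bdmarc=pass\b", msg.get("Authentication-Results", "")) is not None

    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    extractor = LinkExtractor()
    extractor.feed(body)
    urls = extractor.hrefs + re.findall(r"https?://[^\s\"'<>]+", body)  # also bare URLs
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})

    reasons = []
    if not is_paypal_host(sender_domain):
        reasons.append(f"sender domain {sender_domain!r} is not PayPal")
    for host in hosts:
        if not is_paypal_host(host):
            reasons.append(f"link goes to {host!r}, owned by {registrable_domain(host)}")
    if re.search(r"\bDear (PayPal )?(Customer|User|Member)\b", body, re.I):
        reasons.append("generic greeting instead of the account holder's name")
    if re.search(r"social security|\bSSN\b|card number|security code|\bCVV\b", body, re.I):
        reasons.append("asks for SSN, card number or security code")
    if re.search(r"\b(24|48) hours\b|permanently limited", body, re.I):
        reasons.append("artificial deadline")

    if reasons:
        verdict = "phishing"
    elif dmarc_pass:
        verdict = "authentic infrastructure; judge the content inside paypal.com"
    else:
        verdict = "inconclusive; log in to paypal.com directly"
    return {"sender_domain": sender_domain, "dmarc_pass": dmarc_pass,
            "link_hosts": hosts, "reasons": reasons, "verdict": verdict}


# Constructed sample: lookalike domain that passes DMARC for itself, not for PayPal.
PHISHING_EMAIL = """\
From: "PayPal" <service@paypal-account.support>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=paypal-account.support
Content-Type: text/html; charset=utf-8

<html><body><p>Dear PayPal Customer,</p>
<p>We've detected unusual login activity. Your account will be limited in 48 hours.</p>
<p><a href="https://paypal.com.verify.xyz/login">Verify Now</a></p>
<p>Confirm your card number and security code to restore access.</p></body></html>
"""

# Constructed sample: invoice notice from PayPal's own infrastructure; headers and links are
# clean, so only the invoice contents (checked inside paypal.com) can tell you it is a scam.
INVOICE_EMAIL = """\
From: "PayPal" <service@paypal.com>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=paypal.com
Content-Type: text/html; charset=utf-8

<html><body><p>Hello Jane Doe,</p>
<p>Northwind Supplies LLC sent you an invoice for $1,247.99.</p>
<p><a href="https://www.paypal.com/invoice/p/#SAMPLE">View and Pay</a></p></body></html>
"""

if __name__ == "__main__":
    for raw in (PHISHING_EMAIL, INVOICE_EMAIL):
        print(triage(raw)["verdict"])
```

The first sample is flagged five ways even though its DMARC check passed, because DMARC only vouches for the domain in the From header. The second sample comes back clean on every header and link test, which is exactly why a scam invoice sent through PayPal's real system has to be judged by its contents from inside your account rather than from the email.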
The 5-step verification
- Do not click the email button.
- Open a browser and type paypal.com manually, or open the PayPal app on your phone.
- Sign in. If there is a real issue, PayPal shows a yellow or red banner on your dashboard.
- Check Wallet → Recent activity. Any transaction you do not recognize is reportable through the same interface.
- Check Settings → Security → Login history. Any unfamiliar device is a sign your account is compromised.
If you already entered your card or bank details
- Call your bank or open the bank app and freeze the card immediately.
- Order a replacement card with a new number.
- Change your PayPal password at paypal.com. Enable two-factor authentication.
- Sign out of all devices from Settings → Security.
- Review and report unauthorized PayPal transactions in the Resolution Center at paypal.com/disputes. Transactions you did not make fall under PayPal's unauthorized-transaction protection, not Purchase Protection, and its reporting window is shorter than Purchase Protection's 180 days (the User Agreement asks for notice within 60 days of the transaction appearing in your account), so do it now rather than later.
- If you gave your Social Security number, place a fraud alert with one of the three US credit bureaus (Equifax, Experian, TransUnion); the bureau you contact must notify the other two. The alert is free and lasts 1 year. A credit freeze, also free, blocks new accounts outright and is the stronger option.
- Report the phishing email to PayPal at spoof@paypal.com. Forward without modifying the email.
- If you used the same password elsewhere, change those too. Credential-stuffing attacks try the stolen password on Gmail, Amazon, bank logins, and crypto exchanges within hours.
Why PayPal phishing keeps working
Three structural reasons:
- Real PayPal limitation reviews exist. If you sell on eBay or Etsy, you may have actually received a real PayPal limitation email at some point. Familiarity lowers suspicion.
- PayPal's own invoicing system can be abused. Scammers send real PayPal invoices from PayPal's email infrastructure. The email passes SPF, DKIM, and DMARC because it actually is from PayPal. Only the invoice contents are scammy.
- Linked bank accounts. A card payment can be charged back; a transfer pulled from a linked bank account through PayPal is harder to reverse, especially when you authorized it yourself.
How browser-layer defense catches this earlier
Email-layer checks (SPF, DKIM, DMARC) cannot catch every variant: a scam invoice delivered through PayPal's real invoicing system is, at the header level, genuinely from PayPal, and its "Pay now" button genuinely leads to paypal.com. That variant is caught only by reading the invoice inside your account. For the other six variants, the one thing the attacker cannot hide is the click destination: when you click "Verify Now" and land on a login page that imitates PayPal but is hosted at a domain like paypal-account-verify.xyz, a browser-layer scanner that compares the real hostname against PayPal's can block the page before the form loads.
SafeBrowz is a free Chrome, Firefox, and Edge extension that scans every URL before the page renders. Its 550+ brand database includes PayPal. Install SafeBrowz free for protection across PayPal, Apple, Amazon, Netflix, Microsoft, your bank, and every other login you have.
Frequently asked questions
Does PayPal ever ask me to verify my account by email?
PayPal does send legitimate "verify your information" emails for tax compliance (Form 1099-K threshold), regulatory updates, or seller account reviews. The difference: real PayPal emails ask you to log in to paypal.com and complete verification inside your account. They never link to a third-party domain, and they never ask for SSN, bank password, or full card details by email.
I received an invoice through real PayPal that looks like a scam. Should I pay it?
Do not pay. PayPal's invoicing system is increasingly abused by scammers. Real PayPal invoices show up in your paypal.com account under Activity. Ignore the email button, log in directly, and decline the invoice from inside your account. Report the invoice as fraudulent within PayPal.
I entered email and password but PayPal asked for a 2FA code I didn't trigger. Did the attacker already log in?
Yes, almost certainly. The fake page relays whatever you type to the real PayPal login in real time: your email and password triggered the genuine code, and the page is now waiting to relay that too. Do not enter it. If you already did, assume the attacker holds a live session: change your PayPal password, sign out of all devices under Settings → Security, and review login history and recent activity.
PayPal Purchase Protection — does it cover phishing-induced authorized transfers?
Purchase Protection covers buyer-side issues with paid items. It does NOT cover transfers you authorized to a scammer (because they look like normal payments). If you sent money to a scammer through PayPal, your best path is to dispute via your linked bank or card under "fraudulent transaction" rather than through PayPal directly.
Should I close my PayPal account if I was phished?
Usually not necessary. After resetting the password, enabling 2FA, removing unfamiliar devices and linked cards, and disputing any unauthorized transactions, the account is generally safe to keep. Closing and reopening loses your transaction history and any open dispute cases.
How do I forward a PayPal phishing email so it gets taken down?
Forward to spoof@paypal.com without modifying anything. Do not change the subject. Do not edit the body. PayPal's security team uses the original headers to file domain takedowns with hosting providers and registrars.
Related reading
- "Microsoft account suspicious sign-in" email scam
- "Your Apple ID has been locked" email scam
- "Netflix account on hold" email scam
- How to tell if a website is a scam
Bottom line: PayPal phishing keeps working because real PayPal limitation reviews look almost identical. The defense is the same as it has been for a decade. Do not click email buttons. Type paypal.com manually. Never give SSN, bank passwords, or full card details on a page you reached from an email. Add a browser-layer scanner like SafeBrowz for protection across every login.