{“lastseen”:”2026-04-30T20:05:09″,”description”:”Scammers have found another way to get deceptive messages delivered through PayPal\u2019s legitimate services.\\n\\nIn December 2025, we reported that PayPal closed a loophole that let scammers send real emails with fake purchase notices.\\n\\nIn those cases, scammers created a PayPal subscription and then paused it, which triggered PayPal\u2019s genuine \u201cYour automatic payment is no longer active\u201d notification. They also set up a fake subscriber account, likely a Google Workspace mailing list, which automatically forwarded any email it received to all other group members.\\n\\nRecently, ConsumerWorld.org alerted us that tech support scammers have found a way to manipulate the subject line of PayPal payment notifications.\\n\\nThis is a screenshot of the example they sent us.\\n\\nScreenshot email from PayPal scammers\\n\\nAs you can see, the email comes from service@paypal.com. It wasn’t spoofed, which means it passes standard security checks (DKIM, SPF, DMARC).\\n\\nWhile the body of the email says that you received a payment of \u00a51 JPY (a whopping $0.0063), the subject line tells a different story:\\n\\n\\u003e \u201cPending charge of USD 987.90 for account activation. Questions? Call-(888) 607-0685.\u201d\\n\\nAs an extra bonus for the scammers, the email contains personalized details\u2014the recipient’s actual name and a real transaction ID.\\n\\nThe number in the subject line is not PayPal\u2019s. The legitimate contact number appears inside the email.\\n\\nThe fake (red) and the real (green) PayPal number\\n\\n* * *\\n\\n\\n\\n### Scam or legit? Scam Guard knows.\\n\\nTRY IT NOW\\n\\n* * *\\n\\nThe intention of the email is straightforward.\\n\\nRecipients think:\\n\\n 1. \\”Oh no! There’s a pending charge for $987.90.\\”\\n 2. \\”The amount doesn’t match what I see in the email body\u2014that’s weird and scary.\\”\\n 3. \\”I need to call this number immediately to dispute this charge.\\”\\n\\n\\n\\nThey call the number in the subject line, only to reach tech support scammers.\\n\\nThese scammers pretend to be PayPal support and may try to:\\n\\n * Get you to \\”verify\\” payment methods\\n * Collect banking details\\n * Convince you to install remote access tools\\n * Take control of accounts or devices\\n * All of the above\\n\\n\\n\\n\\nHow the subject line is altered is still unclear. Based on PayPal\u2019s documented email behavior, subject lines are typically fixed and not meant to include arbitrary free text or phone numbers. Our findings indicate that the subject line was already weaponized at the point PayPal’s systems signed the email. If someone along the way had rewritten the subject, the `dkim=pass header.d=paypal.com` result would likely fail.\\n\\nOne possibility is that the scammer abused PayPal\u2019s note or remittance field in a way that surfaces in certain payout templates, including the subject line and HTML `\\u003ctitle\\u003e`, even though normal merchant payment\u2011received emails don\u2019t allow arbitrary subjects.\\n\\nThe title tag matches the subject line of the email\\n\\nWe have contacted PayPal for comment and will update this post if we hear back.\\n\\n## How to avoid PayPal scams\\n\\nThe best way to stay safe is to stay informed about the tricks scammers use. Learn to spot the red flags that almost always give away scams and phishing emails, and remember:\\n\\n * **Use verified, official ways to contact companies. **Don\u2019t call numbers listed in suspicious emails or attachments.\\n * **Beware of someone wanting to connect to your computer remotely. **One of the tech support scammer\u2019s biggest weapons is their ability to connect remotely to their victims. If they do this, they essentially have total access to all of your files and folders.\\n * **Report suspicious emails to PayPal.** Send the email to `phishing@paypal.com` to support their investigations.\\n\\n\\n\\nIf you\u2019ve fallen victim to a tech support scam:\\n\\n * **Paid the scammer?** Contact your bank or card provider and let them know what\u2019s happened. You can also file a complaint with the FTC or your local law enforcement, depending on your region.\\n * **Shared a password?** Change it anywhere it\u2019s used. Consider using a password manager and enable 2FA for important accounts.\\n * **Gave access to your device?** Run a full security scan. If scammers had access to your system, they may have planted a backdoor so they can revisit whenever they feel like it. Malwarebytes can remove these and other software left behind by scammers.\\n * **Watch your accounts: **Keep an eye out for unexpected payments or suspicious charges on your credit cards and bank accounts.\\n * **Be wary of suspicious emails. **If you\u2019ve fallen for one scam, they may target you again.\\n\\n\\n\\nPro tip: **Malwarebytes Scam Guard recognized this email as a call back scam. **Upload any suspicious text, emails, attachments, and other files to ask for its opinion. It\u2019s really very good at recognizing scams. \\n\\n* * *\\n\\n### **Something feel off? Check it before you click. ** \\n\\n**Malwarebytes Scam Guard** helps you analyze suspicious links, texts, and screenshots instantly. \\n\\nAvailable with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android. \\n\\nTry it free \u2192”,”published”:”2026-04-30T19:29:36″,”modified”:”2026-04-30T19:29:36″,”type”:”malwarebytes”,”title”:”More PayPal emails hijacked to deliver tech support scams”,”source”:””,”references”:””,”id”:”MALWAREBYTES:E60C08546B4FE5604808A25B98C6D446″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2026\/04\/more-paypal-emails-hijacked-to-deliver-tech-support-scams”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-30T20:05:09″,”description”:”Scammers have found another way to get deceptive messages delivered through PayPal\u2019s legitimate services.\\n\\nIn December 2025, we reported that PayPal closed a loophole that let…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-50530","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n