PayPal Subscription Scam: Beware of Fake Purchase Emails

Email scams have become a prevalent issue in recent times, with scammers using various tactics to deceive unsuspecting individuals. One such scam involves the abuse of PayPal’s “Subscriptions” billing feature to send fraudulent emails that appear legitimate at first glance. These emails contain fake purchase notifications embedded in the Customer service URL field, tricking recipients into believing that they have made expensive purchases.

Reports have surfaced of individuals receiving emails from PayPal stating that their automatic payment is no longer active. The emails include a customer service URL field that has been tampered with to display false information about costly items purchased, such as Sony devices, MacBooks, or iPhones. The text in the URL field contains a domain name, a message indicating a payment of $1,300 to $1,600, and a phone number for cancelling or disputing the payment. To evade spam filters and keyword detection, the text is filled with Unicode characters that create bold or unusual fonts.

Despite being clear scams, these emails are sent directly from PayPal’s official email address, “service@paypal.com,” causing recipients to fear that their accounts have been compromised. Moreover, since the emails originate from legitimate PayPal servers, they bypass security and spam filters, making them even more deceptive. The ultimate goal of these scams is to prompt recipients to call the scammer’s fake “PayPal support” phone number, where they may fall victim to bank fraud or malware installation.

If you receive an email from PayPal claiming that your automatic payment is no longer active and it includes a suspicious purchase confirmation, it is crucial to ignore the email and refrain from calling the provided number. Instead, log in to your PayPal account to verify any unauthorized charges. It is essential to remain vigilant and cautious when dealing with such emails to protect yourself from falling prey to fraudulent activities.

The mechanics behind this PayPal scam involve exploiting a flaw in PayPal’s handling of subscription metadata, allowing scammers to manipulate the Customer service URL field with false information. By pausing a subscriber’s subscription, scammers can trigger automated emails from PayPal notifying the subscriber of the inactive payment. Although PayPal’s system typically restricts changes to the Customer service URL field to URLs only, scammers may be using undisclosed methods or vulnerabilities to bypass these restrictions.

While the exact method of delivering these scam emails to unsuspecting individuals remains unclear, it appears that scammers may be leveraging a fake subscriber account linked to a Google Workspace mailing list. This account forwards scam emails to targeted individuals, causing SPF and DMARC checks to fail due to the email being forwarded by a server different from the original sender. In response to these fraudulent activities, PayPal has stated that they are actively working to mitigate the method used to send these scam emails.

In conclusion, it is essential to exercise caution and skepticism when dealing with unexpected emails, especially those related to financial transactions. If you suspect that you have received a fraudulent email, it is advisable to contact PayPal directly through their official channels for assistance. By remaining vigilant and informed, individuals can protect themselves from falling victim to sophisticated email scams like the one described above.