A sophisticated phishing campaign targeting PayPal users has emerged, leveraging the platform’s own email system to bypass conventional security measures. Unlike traditional scams reliant on forged sender addresses or poorly crafted messages, this attack exploits PayPal’s legitimate communication channels. Emails originating from the authenticated address ‘service@paypal.com’ notify recipients of unauthorized changes to their accounts, such as the addition of a new gift address or high-value purchases like a MacBook M4. These alerts, while appearing genuine, are orchestrated by threat actors who manipulate PayPal’s features to generate authentic notifications.

The attackers’ method involves adding a gift address to a compromised PayPal account, which triggers an automated confirmation email from PayPal. This message is then intercepted and altered by forwarding it through a series of intermediary accounts, including a Microsoft 365 mailing list, which distributes the phishing email to victims. Because the emails originate from PayPal’s servers, they pass authentication checks and evade spam filters, heightening their credibility.

The final phase of the attack relies on social engineering: recipients are urged to contact a fraudulent customer support number provided in the email. To mitigate risks, users are advised to independently verify account activity by logging directly into PayPal via a trusted bookmark or app—not through email links—and to cross-reference any suspicious claims. Crucially, PayPal’s official support contact details, accessible within the user’s secure account portal, should be the sole source for assistance. By circumventing the scam’s prompts and proactively monitoring account changes, users can thwart the attack despite its technical sophistication.
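
For mail administrators, the forwarding step leaves traces a filter can check. The sketch below is an added example, not part of the original article or any PayPal tooling: it flags a PayPal-signed message that was not addressed to the mailbox it landed in. The sample headers, the `example.*` hosts, the function names and the expectation that direct PayPal mail uses a paypal.com envelope sender are all assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample headers (all example.* hosts and addresses are made up):
# a PayPal-signed notification re-sent to a mailbox through a mailing list.
SAMPLE_FORWARDED = """\
Return-Path: <bounces@list.example.net>
Delivered-To: victim@example.org
Authentication-Results: mx.example.org; dkim=pass header.d=paypal.com
From: PayPal <service@paypal.com>
To: billing-list@list.example.net
Subject: You added a new address

(body omitted)
"""
# Constructed sample of the same notification delivered directly.
SAMPLE_DIRECT = (SAMPLE_FORWARDED
    .replace("billing-list@list.example.net", "victim@example.org")
    .replace("bounces@list.example.net", "service@paypal.com"))

DKIM_OK = re.compile(r"dkim=pass\b[^;]*header\.d=paypal\.com(?![\w.-])", re.I)

def domain(addr):
    """Lower-cased domain part of an address header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def relayed_paypal_indicators(raw, recipient, authserv_id):
    """Return relay indicators for an authenticated PayPal message, else []."""
    msg = message_from_string(raw)
    # Trust only Authentication-Results stamped by our own receiving server.
    results = [h for h in msg.get_all("Authentication-Results", [])
               if h.strip().lower().startswith(authserv_id.lower())]
    signed = any(DKIM_OK.search(h) for h in results)
    if domain(msg.get("From", "")) != "paypal.com" or not signed:
        return []  # not authenticated PayPal mail; ordinary spoofing checks apply
    indicators = []
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    addressed = {a.lower() for _, a in getaddresses(headers)}
    if recipient.lower() not in addressed:
        indicators.append("recipient-not-in-to-or-cc")
    # Assumption: direct PayPal mail has a paypal.com envelope sender.
    if domain(msg.get("Return-Path", "")) != "paypal.com":
        indicators.append("envelope-sender-not-paypal")
    return indicators

if __name__ == "__main__":
    print(relayed_paypal_indicators(SAMPLE_FORWARDED, "victim@example.org", "mx.example.org"))
```

A non-empty result is a reason to quarantine or banner the message, not proof of fraud, since legitimate forwarding rules produce the same pattern.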
