A new phishing scam is exploiting PayPal’s address settings to send fraudulent purchase confirmations, tricking users into contacting scammers who attempt to gain remote access to their devices.
How the PayPal Email Scam Works
For the past month, numerous PayPal users have received emails with the subject line: “You added a new address.” The message confirms an address update and includes a fake purchase confirmation for a MacBook M4, urging recipients to call a provided number if they did not authorize the transaction.
The scam email typically states:
“Confirmation: Your shipping address for the MacBook M4 Max 1TB ($1,098.95) has been changed. If you did not authorize this update, please reach out to PayPal at +1-888-668-2508.”
These emails originate directly from [email protected], leading many recipients to believe their account has been compromised. However, recipients who checked their PayPal accounts found that no new addresses had been added. In some cases, the emails were even sent to users without a PayPal account.
Why These Phishing Emails Bypass Security Filters
Because these emails come from PayPal’s legitimate email server, they easily pass security and spam filters. The scammers exploit PayPal’s gift address feature, which allows users to add alternative shipping addresses to their profile. By inserting the phishing message into the Address 2 field of a PayPal account, the fraudsters trigger an official PayPal confirmation email containing the scam message.
The Scam’s Ultimate Goal
The primary objective of this scam is to create panic. Once a victim calls the fake PayPal support number, they are:
- Greeted by an automated PayPal customer service recording.
- Connected to a scammer posing as a PayPal representative.
- Instructed to download remote-access software under the pretense of securing their account.
The scammer then directs victims to a malicious website, pplassist[.]com, where they must enter a code that downloads ConnectWise ScreenConnect, granting remote access to their device. Once inside, the fraudster may:
- Steal banking credentials.
- Install malware.
- Extract personal data.
How Scammers Send These Emails
Investigations into the email headers revealed a forwarding mechanism:
- The scammer registers a PayPal account and adds a fraudulent address with a fake purchase message.
- PayPal sends an official email to the scammer’s address.
- That email is auto-forwarded to a Microsoft 365 tenant mailing list, distributing it to multiple targets.
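A mail-side triage check for the forwarding path described above, written as an added example and not taken from the original article or from PayPal. It assumes the gateway has already verified sender authentication, and that a message relayed through the scammer's mailbox and a mailing list still names the scammer's address, not the recipient's, in its To header. The function name, sample addresses and phone number are constructed placeholders.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# North American phone number, e.g. +1-888-555-0100
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}")
# Wording that pushes the reader to phone in about a change they did not make
CALLBACK_RE = re.compile(r"did\s+not\s+authorize|reach\s+out\s+to|call\s+(?:us|paypal)", re.I)

def triage(raw_message: str, delivered_to: str) -> list[str]:
    """Return reasons a paypal.com notification looks like forwarded callback phishing."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if not sender.endswith("@paypal.com"):
        return []  # only notifications from the genuine sender domain are in scope
    reasons = []
    # Signal 1: the mailbox that received the message is not named in To/Cc,
    # which is what delivery through a forwarding rule and mailing list looks like.
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    named = {addr.lower() for _, addr in getaddresses(headers)}
    if delivered_to.lower() not in named:
        reasons.append("recipient-not-in-headers")
    # Signal 2: the text carries a phone number next to call-back wording,
    # i.e. free text placed in an address field rather than an address.
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""
    if PHONE_RE.search(text) and CALLBACK_RE.search(text):
        reasons.append("callback-number-in-body")
    return reasons

# Constructed sample: addresses and phone number are placeholders, not real indicators.
FORWARDED = """\
From: PayPal <sender@paypal.com>
To: mailbox-a@example.net
Subject: You added a new address

Address 2: Confirmation: Your shipping address for the MacBook M4 Max 1TB
has been changed. If you did not authorize this update, please reach out
to PayPal at +1-888-555-0100.
"""
# Constructed sample: a notification delivered to the mailbox it was addressed to.
DIRECT = """\
From: PayPal <sender@paypal.com>
To: owner@example.com
Subject: You added a new address

Address 2: Apt 4B
"""
print(triage(FORWARDED, "user@example.org"))
```

Either signal alone is weak, since blind copies and aliases also produce a header mismatch; the two together on a message from the genuine sender domain are worth quarantining for review.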
How to Stay Safe
Got one of these emails? Here’s what to do:
- Don’t call the number. It’s a scam line, not PayPal.
- Log into your PayPal account directly—type paypal.com into your browser.
- Check your address list. No changes? Trash the email.
- Report the phishing email to PayPal at [email protected].
What PayPal Needs to Do
To mitigate such scams, PayPal should:
- Limit character count in address form fields to prevent message injection.
- Strengthen email security policies to block suspicious forwarding.
This scam highlights a growing trend in phishing tactics, where cybercriminals manipulate trusted platforms to exploit users. Always verify suspicious emails directly through your PayPal account and remain vigilant against unsolicited purchase confirmations.