What happened
Attackers are abusing PayPal’s subscription feature to send legitimate PayPal emails that appear to confirm real purchases. The messages list fake charges and prompt recipients to call a phone number controlled by the attacker, a tactic used to pressure victims into sharing information or authorizing payments.
Who is affected
Any PayPal user can receive these emails, including employees who use personal or corporate PayPal accounts. Finance teams, executives, and staff with payment access face higher risk due to their ability to approve or move funds.
Why CISOs should care
The emails are sent through PayPal’s own systems, which helps them bypass traditional email security controls. This increases exposure to voice phishing, account compromise, and payment fraud, even in environments with strong email filtering.
3 practical actions
- Instruct employees to verify PayPal activity by signing in directly to their PayPal account, not by calling numbers in emails.
- Expand phishing training to cover abuse of legitimate platforms and trusted brands.
- Monitor for social engineering attempts targeting finance and payment workflows and reinforce approval checks.
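The brief notes that these messages pass email filtering because PayPal's own servers send them, so detection has to look at content rather than sender reputation. The following is an added triage example, not code from the original brief or from PayPal: it scores messages that combine payment language with a phone number sitting next to a "call us" prompt, and raises the priority when the sender domain is a trusted platform that normal controls would wave through. The sample emails, the trusted-domain set and the phone/keyword patterns are all constructed assumptions to tune for your own mail logs.

```python
import re
from dataclasses import dataclass, field

# Assumed notification domain for the abused platform (adjust to the exact
# sender domains observed in your tenant's mail logs).
TRUSTED_PLATFORM_DOMAINS = {"paypal.com"}

# North American style phone numbers; extend for other regions as needed.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL_PROMPT_RE = re.compile(r"\b(call|phone|dial|contact)\b", re.IGNORECASE)
PAYMENT_RE = re.compile(
    r"\b(subscription|charged?|invoice|purchase|payment|receipt)\b", re.IGNORECASE
)
WINDOW = 80  # chars around a phone number in which a call prompt must appear


@dataclass
class Email:
    sender: str
    subject: str
    body: str


@dataclass
class Verdict:
    flagged: bool
    severity: str                 # "none", "medium" or "high"
    reasons: list = field(default_factory=list)


def sender_domain(addr: str) -> str:
    """Domain part of an address such as 'Name <user@host>' or 'user@host'."""
    return addr.rsplit("@", 1)[-1].lower().strip("> ")


def find_call_prompts(text: str) -> list:
    """Phone numbers that sit within WINDOW chars of a 'call/phone/dial' prompt."""
    hits = []
    for m in PHONE_RE.finditer(text):
        window = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        if CALL_PROMPT_RE.search(window):
            hits.append(m.group(0))
    return hits


def triage(msg: Email) -> Verdict:
    """Flag payment-themed mail that pushes the reader to a callback number."""
    reasons = []
    text = msg.subject + "\n" + msg.body
    if not PAYMENT_RE.search(text):
        return Verdict(False, "none", reasons)
    numbers = find_call_prompts(msg.body)
    if not numbers:
        return Verdict(False, "none", reasons)
    reasons.append("payment language plus callback number(s): " + ", ".join(numbers))
    # Mail sent by the platform itself passes SPF/DKIM and reputation checks,
    # so a callback number inside it deserves the higher review priority.
    if sender_domain(msg.sender) in TRUSTED_PLATFORM_DOMAINS:
        reasons.append("sent from a trusted platform domain; filters will not stop it")
        return Verdict(True, "high", reasons)
    return Verdict(True, "medium", reasons)


# Constructed sample messages (not real PayPal mail); 555-01xx numbers are reserved for fiction.
SAMPLES = [
    Email("service@paypal.com",
          "Your subscription has been set up",
          "You have been charged $599.00 for a 12-month subscription.\n"
          "If you did not authorize this purchase, call 1-800-555-0199 immediately."),
    Email("service@paypal.com",
          "Receipt for your payment",
          "You sent $12.50 to Example Books. View the details in your account activity."),
    Email("billing@example.net",
          "Invoice overdue",
          "Your invoice is overdue. Phone (206) 555-0142 to arrange payment."),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        v = triage(sample)
        print(f"{sample.sender:24} {v.severity:6} {'; '.join(v.reasons)}")
```

The rule deliberately does not reject platform-originated mail outright: a genuine receipt with no callback prompt (the second sample) is left alone, while the abusive subscription notice is routed to a reviewer with a reason string that tells them why it was pulled despite passing authentication. Wire `triage` into whatever quarantine or SOAR hook your mail pipeline exposes.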
