If you’ve recently received an email from what appears to be PayPal — complete with official branding, legitimate formatting, and even a verified sender address — but it was addressed to someone else, you’re not alone. A wave of users have reported nearly identical experiences on platforms like Reddit. Despite looking completely real, these emails are part of a new and surprisingly sophisticated scam targeting PayPal users through a tactic that blends social engineering, spoofing, and phishing.
Let’s break down exactly what this scam looks like, how it works, and what you should do to protect yourself.
🚨 The Setup: A “Request” That You Didn’t Send
Here’s what many users are seeing:
- The email looks like it’s from PayPal (service@paypal.com).
- It claims you sent a payment request to a business or person — like Apple Chandler Fashion Center or 3DU Roofing LLC.
- The body of the email includes a message such as:
“You requested $299.99 from Apple Chandler Fashion Center.
Didn’t make this order? Call [833-XXX-XXXX]”
The email may even include a real PayPal link, a transaction ID, and a “note” to the recipient that contains a customer service number.
But here’s the catch: You didn’t send this. The name in the email may not even be yours. Still, it looks 100% legitimate — which is what makes it so dangerous.
🎭 What’s Really Going On?
This is not a hack of your PayPal account. In fact, most victims who log in to check their PayPal activity see no record of the transaction at all.
So, what’s the scam?
1. Blind Carbon Copy (BCC) Phishing
The scammer sends out a mass BCC email impersonating a real PayPal message. You see a real-looking message, but it’s not truly connected to your account.
2. The Fake Phone Number Trap
The phone number in the email is the bait. Once you call it, a scammer on the other end may pretend to be a PayPal support rep and ask for:
- Your full name
- PayPal email
- Account password
- Credit card or bank details
This is a classic social engineering trick designed to harvest your sensitive data.
3. Social Proof & Panic
Because the email appears to come from a legitimate source, and clicking its link may even open your PayPal app automatically if you are logged in, it creates a false sense of urgency and trust, making it far more likely you’ll act without thinking.
🧪 How Can a Scam Email Come From PayPal?
Scammers are either:
- Using PayPal’s actual request feature to send fake invoices (which is allowed, since anyone can send a payment request with a note), or
- Spoofing PayPal’s email header to make it look legit. While Gmail or Outlook may pass it through, a closer inspection of the email headers often reveals discrepancies.
How the Fake-Invoice Trick Works
PayPal-Generated “Invoices” as Bait
These fraudsters actually log into real PayPal accounts (often newly created, stolen, or compromised) and use PayPal’s built-in “Request Money” feature to generate legitimate-looking invoices. Those invoices carry correct PayPal branding, genuine transaction IDs, and even real PayPal links. They then BCC those requests to hundreds—or even thousands—of email addresses at once. Because the email truly comes from PayPal’s own servers, it sails right past spam filters and lands in your inbox looking completely bona fide.
Why it works: The request appears so official that users panic and click “Pay Now”, assuming it’s a real charge against their account. In many cases, people simply pay the unknown invoice, sometimes multiple invoices, without a second thought, especially if they’ve seen PayPal branding and a valid transaction ID. It sounds crazy to pay an invoice for an order you never placed, but countless victims on social media admit they did exactly that, “just to stop the emails.”
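The header inspection and the fake-invoice pattern described above can be checked together. The following Python sketch is an added example, not PayPal's code or part of the original article; the function names `auth_results` and `triage`, the sample message, and the phone number in it are all constructed for illustration. It shows that a message can pass SPF, DKIM and DMARC and still be flagged because it was not addressed to you and carries a callback number.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message, not a real email; the phone number is a placeholder.
SAMPLE = """\
From: service@paypal.com
To: someone.else@example.org
Subject: You requested $299.99
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com

You requested $299.99 from Apple Chandler Fashion Center.
Didn't make this order? Call 833-555-0100
"""

PHONE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results.
    Only trust this header when your own mail provider added it."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results.setdefault(method.lower(), verdict.lower())
    return results

def triage(raw, my_address):
    """Return a list of warning signs for one raw message."""
    msg = message_from_string(raw)
    findings = []
    auth = auth_results(msg)
    failed = [m for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    if failed:  # spoofed header: sender authentication did not pass
        findings.append("auth-not-pass:" + ",".join(failed))
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if my_address.lower() not in {addr.lower() for _, addr in visible}:
        findings.append("recipient-not-in-to-or-cc")  # BCC or forwarded copy
    body = " ".join(
        (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    if PHONE.search(body):  # "call this number" lure inside the note
        findings.append("callback-number-in-body")
    return findings
```

An empty list from `triage` only means none of these three signs were present; it does not prove a message is genuine.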
🔒 How to Stay Safe
Here’s how you can protect yourself from falling victim to this scam:
✅ 1. Never Call Numbers in Unexpected Emails
Legit PayPal support will never ask you to call a random number in a payment request. Always go directly to PayPal’s website and use the official contact options.
✅ 2. Check Your PayPal Activity
Log in directly (don’t use email links) and check for:
- Sent requests
- Activity history
- Linked devices or suspicious logins
If nothing is there, you’re likely safe — but remain cautious.
✅ 3. Forward Suspicious Emails
Send any suspicious PayPal emails to:
📧 phishing@paypal.com
This helps PayPal investigate and block the scammers.
✅ 4. Enable Two-Factor Authentication (2FA)
This adds an extra layer of security even if someone manages to get your password.
✅ 5. Report to Authorities
If you did engage with the scam (e.g., called the number or gave info), report it to:
- PayPal support
- Your bank or credit card company
- Local cybercrime units
🤯 Why They Use This Scam
This scam is particularly dangerous because:
- It uses PayPal’s actual services (like payment requests).
- It includes no malicious attachments or obvious red flags.
- It creates panic and urgency by suggesting money is being requested from your account.
It’s a prime example of social engineering in action — and it’s catching even experienced users off guard.