
More PayPal emails hijacked to deliver tech support scams

Scammers have found another way to get deceptive messages delivered through PayPal’s legitimate services.

In December 2025, we reported that PayPal closed a loophole that let scammers send real emails with fake purchase notices.

In those cases, scammers created a PayPal subscription and then paused it, which triggered PayPal’s genuine “Your automatic payment is no longer active” notification. They also set up a fake subscriber account, likely a Google Workspace mailing list, which automatically forwarded any email it received to all other group members.

Recently, ConsumerWorld.org alerted us that tech support scammers have found a way to manipulate the subject line of PayPal payment notifications.

This is a screenshot of the example they sent us.

Screenshot email from PayPal scammers

As you can see, the email comes from service@paypal.com. It wasn’t spoofed, which means it passes standard security checks (DKIM, SPF, DMARC).

While the body of the email says that you received a payment of ¥1 JPY (a whopping $0.0063), the subject line tells a different story:

“Pending charge of USD 987.90 for account activation. Questions? Call-(888) 607-0685.”

As an extra bonus for the scammers, the email contains personalized details—the recipient’s actual name and a real transaction ID.

The number in the subject line is not PayPal’s. The legitimate contact number appears inside the email.

The fake (red) and the real (green) PayPal number



The intention of the email is straightforward.

Recipients think:

  1. “Oh no! There’s a pending charge for $987.90.”
  2. “The amount doesn’t match what I see in the email body—that’s weird and scary.”
  3. “I need to call this number immediately to dispute this charge.”

They call the number in the subject line, only to reach tech support scammers.

These scammers pretend to be PayPal support and may try to:

  • Get you to “verify” payment methods
  • Collect banking details
  • Convince you to install remote access tools
  • Take control of accounts or devices
  • All of the above

How the subject line is altered is still unclear. Based on PayPal’s documented email behavior, subject lines are typically fixed and not meant to include arbitrary free text or phone numbers. Our findings indicate that the subject line was already weaponized at the point PayPal’s systems signed the email. If someone along the way had rewritten the subject, the DKIM check would likely fail instead of returning dkim=pass header.d=paypal.com.

One possibility is that the scammer abused PayPal’s note or remittance field in a way that surfaces in certain payout templates, including the subject line and HTML <title>, even though normal merchant payment‑received emails don’t allow arbitrary subjects.

The title tag matches the subject line of the email
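
Because the message authenticates as PayPal, a mail filter has to look at the content instead. The sketch below is an added example, not code from Malwarebytes or PayPal: it checks that the Subject header is covered by the DKIM signature and flags a subject that carries a phone number or amount the body never mentions. The sample message is constructed from the details above; the DKIM-Signature values, addresses, and body phone number are placeholders.

```python
import re
from email import message_from_string

# Constructed sample modelled on the email described above. DKIM-Signature
# values, addresses, and the body phone number are placeholders, not real data.
SAMPLE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=paypal.com; spf=pass; dmarc=pass
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=placeholder; h=From:To:Subject:Date; bh=PLACEHOLDER; b=PLACEHOLDER
From: service@paypal.com
To: recipient@example.org
Subject: Pending charge of USD 987.90 for account activation. Questions? Call-(888) 607-0685.
Content-Type: text/plain; charset=utf-8

You received a payment of ¥1 JPY. For help, call (000) 555-0100.
"""

PHONE = re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b")
AMOUNT = re.compile(r"\b\d[\d,]*\.\d{2}\b")

def digits(s):
    return re.sub(r"\D", "", s)

def analyze(raw):
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = msg.get_payload()
    # Only trust an Authentication-Results header stamped by your own mail server.
    auth = msg.get("Authentication-Results", "")
    # The h= tag lists the headers the DKIM signature covers.
    m = re.search(r"\bh=([^;]+)", msg.get("DKIM-Signature", ""))
    signed = {h.strip().lower() for h in m.group(1).split(":")} if m else set()
    body_phones = {digits(p) for p in PHONE.findall(body)}
    body_amounts = set(AMOUNT.findall(body))
    return {
        "dkim_pass_paypal": bool(re.search(r"dkim=pass\s+header\.d=paypal\.com", auth)),
        "subject_signed": "subject" in signed,
        "subject_phones_not_in_body": [p for p in PHONE.findall(subject)
                                       if digits(p) not in body_phones],
        "subject_amounts_not_in_body": [a for a in AMOUNT.findall(subject)
                                        if a not in body_amounts],
    }

def is_callback_lure(r):
    # Authenticated sender, signed subject, yet the subject advertises a
    # phone number that appears nowhere in the body.
    return (r["dkim_pass_paypal"] and r["subject_signed"]
            and bool(r["subject_phones_not_in_body"]))
```

A hit here means the message should be quarantined or bannered even though DKIM, SPF, and DMARC all pass.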

We have contacted PayPal for comment and will update this post if we hear back.

How to avoid PayPal scams

The best way to stay safe is to stay informed about the tricks scammers use. Learn to spot the red flags that almost always give away scams and phishing emails, and remember:

  • Use verified, official ways to contact companies. Don’t call numbers listed in suspicious emails or attachments.
  • Beware of someone wanting to connect to your computer remotely. One of the tech support scammer’s biggest weapons is their ability to connect remotely to their victims. If they do this, they essentially have total access to all of your files and folders.
  • Report suspicious emails to PayPal. Send the email to phishing@paypal.com to support their investigations.

If you’ve fallen victim to a tech support scam:

  • Paid the scammer? Contact your bank or card provider and let them know what’s happened. You can also file a complaint with the FTC or your local law enforcement, depending on your region.
  • Shared a password? Change it anywhere it’s used. Consider using a password manager and enable 2FA for important accounts.
  • Gave access to your device? Run a full security scan. If scammers had access to your system, they may have planted a backdoor so they can revisit whenever they feel like it. Malwarebytes can remove these and other software left behind by scammers.
  • Watch your accounts: Keep an eye out for unexpected payments or suspicious charges on your credit cards and bank accounts.
  • Be wary of suspicious emails. If you’ve fallen for one scam, they may target you again.

Pro tip: Malwarebytes Scam Guard recognized this email as a callback scam. Upload any suspicious text, emails, attachments, and other files to ask for its opinion. It’s really very good at recognizing scams.



Scammers are sending bogus copyright warnings to steal your X login

One of my favorite Forbes correspondents recently wrote about receiving several fake copyright-infringement notices from X.

Let’s suppose you get an email claiming it’s from X, warning:

“We’ve received a DMCA notice regarding your account.”

Chances are, you’ll be wondering what you did wrong. DMCA (Digital Millennium Copyright Act) notices are legal requests about copyrighted content, so it makes sense that many users would worry they broke the rules and feel eager to read the warning.

Image courtesy of Forbes

“Some recent activity on your page may not fully meet our community standards. Please take a moment to review the information below and ensure your shared content follow our usage rules.
Notice Date : {day received}

  • Kindly review the material You’ve shared.
  • If you think this notice was sent in error, you can request a check using the link below.

Review Details {button}

If no update is received within 24 hours, your page visibility may stay temporarily limited until the review is complete.

We thank you for your attention and cooperation in keeping this space respectful and positive for all.”

As usual, the scammers add some extra pressure by claiming your account may be hidden or limited if you don’t act within 24 hours.

But the “Review Details” button doesn’t lead to anything on X. It does look a lot like the X login page, but it’s fake.

Any username and password typed there go straight to the hackers—which could leave you with a compromised account.

How to keep your X account safe

Having your X account stolen can be a major pain for you, your followers, and your reputation (especially if you’re in the cybersecurity field). So here are some tips to keep it safe:

  • Make sure 2FA is turned on. We wrote an article about how to do this back when it was still called Twitter.
  • When entering a username and password, or any type of sensitive information, check whether the URL in the address bar matches what you expect.
  • Use a password manager. It won’t enter your details on a fake site.
  • Use an up-to-date, real-time anti-malware solution with a web protection component.
  • Don’t click on links in unsolicited emails and check with the sender through another channel first.
  • A real DMCA notice from X will include a full copy of the reporter’s complaint, including contact details, plus instructions for filing a counter-notice.

Pro tip: You can upload suspicious messages of any kind to Malwarebytes Scam Guard. It will tell you whether it’s likely to be a scam and advise you what to do.

If you suspect your account may be compromised:

  • Change your password.
  • Make sure the email account associated with your X account is secure.
  • Revoke connections to third-party applications.
  • Update your password in the third-party applications that you trust.
  • Contact Support if you can’t log in after trying the above.

Here are the full instructions from X for users who believe their accounts have been compromised.

