Tech support scammers are once again abusing PayPal's legitimate email infrastructure to deliver convincing scam messages that pass standard email authentication checks. For NZ businesses, particularly those with finance staff handling payment notifications, these emails will pass DKIM, SPF and DMARC checks because they genuinely originate from PayPal's mail servers, making them especially dangerous and hard for traditional email filters to block.

What Happened

Researchers at Malwarebytes, alerted by ConsumerWorld.org, have identified a new variant of an ongoing PayPal abuse campaign. Scammers are sending real PayPal payment notification emails (from service@paypal.com) where the subject line has been weaponised to display a fake "pending charge" of USD 987.90 along with a scammer-controlled phone number. The body of the email shows a tiny payment of ¥1 JPY, but most recipients react to the alarming subject line first.

Because the email is genuinely sent and signed by PayPal's systems, it passes all standard authentication checks. The recipient's real name and a legitimate PayPal transaction ID appear in the message, adding credibility. Victims who call the number in the subject line reach tech support scammers impersonating PayPal staff.

The exact mechanism is unclear, but Malwarebytes suspects scammers are abusing PayPal's note or remittance field in a way that surfaces in the subject line and HTML <title> tag of certain payout templates. Once on the call, scammers attempt to harvest banking details, push victims to install remote access tools, and ultimately drain accounts or compromise devices. This follows a similar campaign in December 2025 where attackers exploited paused subscriptions to send fake purchase notices.

This technique is particularly insidious because it sidesteps the usual advice of "check the sender address" — the sender genuinely is PayPal. Standard secure email gateways are unlikely to flag these messages.

Key Takeaways

  • The malicious emails are genuinely sent from service@paypal.com and pass DKIM, SPF and DMARC checks.

  • Attackers manipulate the subject line to display a fake pending charge and callback number, while the email body shows a trivial real payment.

  • The attack is a callback phishing / tech support scam — victims who phone the number are pressured into handing over credentials, banking details, or remote device access.

  • Personalised details (real name, real transaction ID) make the lure highly convincing.

  • Traditional email authentication and many secure email gateways will not catch this.

  • Remote access tools deployed during these calls can result in full device compromise and persistent backdoors.
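Because the sender, signatures and transaction ID are all genuine, the only thing a filter can key on is the content mismatch the takeaways describe: a phone number and a large "pending charge" in the subject line of a PayPal notification whose body records a trivial real payment. The following is an added example, written for this page and not code from Malwarebytes, PayPal or any email gateway, of a content rule that flags that pattern. It assumes a hypothetical mail-pipeline hook that hands the rule the raw RFC 5322 message; the sample messages, names, transaction ID and 555 phone number are constructed for illustration and are not real PayPal data.

```python
"""Subject/body mismatch rule for authenticated PayPal notifications.

Added example (not Malwarebytes' or PayPal's code). Assumes a hypothetical
mail-pipeline hook that passes the raw message bytes to analyse().
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Senders whose mail passes SPF/DKIM/DMARC, so the envelope cannot be used
# to reject it; the rule inspects content instead.
TRUSTED_SENDERS = {"service@paypal.com"}

# Currency amounts such as "USD 987.90", "$987.90", "¥1" or "1 JPY".
AMOUNT_RE = re.compile(
    r"(?:(?P<cur1>USD|NZD|AUD|JPY|EUR|GBP|\$|¥|€|£)\s?(?P<amt1>\d[\d,]*(?:\.\d{2})?))"
    r"|(?:(?P<amt2>\d[\d,]*(?:\.\d{2})?)\s?(?P<cur2>USD|NZD|AUD|JPY|EUR|GBP))",
    re.IGNORECASE,
)
# Phone-number shaped runs: optional +, then digits with common separators.
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{6,}\d")
# Wording typical of callback lures.
LURE_RE = re.compile(r"pending charge|call (?:now|us|immediately)", re.IGNORECASE)


def extract_amounts(text):
    """Return all monetary amounts in text as floats (currency ignored)."""
    amounts = []
    for m in AMOUNT_RE.finditer(text):
        amounts.append(float((m.group("amt1") or m.group("amt2")).replace(",", "")))
    return amounts


def extract_phones(text):
    """Return digit strings of 7-15 digits that look like phone numbers."""
    phones = []
    for m in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 7 <= len(digits) <= 15:
            phones.append(digits)
    return phones


def analyse(raw):
    """Return a list of findings for one raw message; empty means no flag."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"] or ""))[1].lower()
    subject = str(msg["Subject"] or "")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""

    findings = []
    if sender not in TRUSTED_SENDERS:
        return findings  # out of scope for this rule; other checks apply

    # Strip amounts first so "987.90" is never mistaken for a phone number.
    phones = extract_phones(AMOUNT_RE.sub(" ", subject))
    if phones:
        findings.append("phone number in subject: " + ", ".join(phones))

    subj_amounts, body_amounts = extract_amounts(subject), extract_amounts(body)
    if subj_amounts and body_amounts and not set(subj_amounts) & set(body_amounts):
        findings.append(f"subject amount {subj_amounts} absent from body {body_amounts}")

    if LURE_RE.search(subject):
        findings.append("callback lure wording in subject")
    return findings


def _build(subject, body):
    # Constructed sample; quoted-printable keeps the yen sign round-trippable.
    m = EmailMessage()
    m["From"] = "PayPal <service@paypal.com>"
    m["To"] = "accounts@example.co.nz"
    m["Subject"] = subject
    m.set_content(body, cte="quoted-printable")
    return m.as_bytes()


def scam_message():
    """Constructed lookalike of the campaign: lure in subject, ¥1 in body."""
    return _build(
        "Pending charge USD 987.90 - to cancel call +1 (888) 555-0142",
        "Hello Jane Smith,\n\nYou received a payment of ¥1 JPY.\n"
        "Transaction ID: 1AB23456CD789012E\n",
    )


def benign_message():
    """Constructed ordinary notification: subject and body agree, no phone."""
    return _build(
        "You received ¥1 JPY from Taro Yamada",
        "Hello Jane Smith,\n\nYou received a payment of ¥1 JPY.\n"
        "Transaction ID: 1AB23456CD789012E\n",
    )


if __name__ == "__main__":
    for label, raw in (("scam", scam_message()), ("benign", benign_message())):
        print(label, analyse(raw))
```

The rule deliberately runs only on mail that already passed authentication from a trusted sender, which is the opposite of how most gateway rules are scoped; it quarantines or tags for review rather than rejecting, since the underlying transaction is real and the recipient may still need the record.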

What NZ Businesses Should Do

  1. Alert finance and AP teams now. Brief staff who handle payment notifications that legitimate-looking PayPal emails may contain fake charges and phone numbers in the subject line. Always verify charges by logging directly into PayPal — never via links or numbers in the email.

  2. Establish a "no callbacks from emails" rule. For any payment dispute or account verification, staff should use phone numbers obtained from the official PayPal website or prior trusted records.

  3. Strengthen endpoint defences against remote access abuse. Deploy TrendAI Standard Endpoint Protection to detect and block unauthorised remote access tools, including misuse of AnyDesk, ScreenConnect and TeamViewer, which are commonly used in these scams. Pair this with application control so users cannot install such tools on the fly during a scam call.

  4. Improve detection and response for social engineering outcomes. Use Trend Vision One™ SecOps (XDR + Agentic SIEM + Agentic SOAR) to correlate signals across email, endpoint and identity — catching the credential theft, anomalous logins, or backdoor activity that follows a successful scam call.

  5. Tighten identity controls. Enforce phishing-resistant MFA on all PayPal, banking and Microsoft 365 accounts, and consider Trend Vision One™ Identity Security (ISPM + ITDR) to detect account takeover attempts that may follow a successful scam.

Source: Read the full article on Malwarebytes Labs