Nothing online is completely immune to scams and online threats—not even PayPal. As the leading online payment provider, it’s still the trusted first choice for fast, safe, and easy money transfers. Read all about the latest PayPal scams, including how to spot them, and find out what to do if you’re caught out. Also make sure you’re never without trusted online security: Avira Free Security blends multiple layers of protection and privacy to help keep your online accounts safer. It can also help speed up your device!
What are PayPal scams and how do they work?
PayPal’s sheer size and popularity should make you feel safer, but they are also exactly why scammers like it. With over 400 million account holders from around 200 countries, the online payment giant offers scammers potentially lucrative pickings from a diverse pool of victims (sorry, users). And swindlers always follow the money. Rich, poor, small businesses, or large enterprises—no one is too big or too small to fall victim, and none of us is completely safe from cybercriminals and online scammers. They rely on the fact that we don’t always know how these services operate or that we use them quickly and carelessly, leaving us open to theft of our confidential data and even money.
“PayPal has placed your funds on hold. Please enter your details to release them.” Beware! That’s how a typical PayPal scam can work. Most operate as phishing attempts, so they’re email scams, whereby forged emails that appear to be from PayPal (or links to a fake PayPal site) are sent. You’re prompted to enter your personal payment details, like credit card or bank details. Some emails also ask for payment.
We’d usually be very cautious if a stranger approached us on a street and demanded money, but we’re often strangely less careful online—and swindlers can be relentless and very convincing. The Federal Trade Commission reported that US users alone lost nearly $8.8 billion to online scammers in 2022. According to Forbes, fintech’s challenges with fraud have been growing more rapidly since the pandemic, and it’s not a new issue. PayPal’s problems with scammers date back to its earliest days. In 2000, it lost $6 million (that’s $1,900 an hour) to fraud at a time when its revenue was less than $5 million! In February 2022, PayPal announced that it had closed 4.5 million accounts after finding out that “bad actors” were taking advantage of its incentives and rewards programs to create fake accounts and scam legitimate users.
That doesn’t mean you have to rush off to close your PayPal account! You can happily use the service and all its features but be cybersmart—and learn how to spot the signs of a scam. We’ve outlined these in the next section. Regardless of the method deployed, what remains the same is what the scammer is after: Money they’re not entitled to or your PayPal login credentials. Once they’ve captured these, they can log in to your account and make purchases, withdraw money, carry out a doxxing attack, and more.
Different types of PayPal scams and how to spot them
PayPal scams come in various shapes and sizes, but these are the typical red flags to look out for and what to do if you see them. In a nutshell: Leave! Run (from the email/correspondence). Do not respond.
- Money request scams (invoice scams)
The fake: You receive an invoice or money request through PayPal or via email, for a product or service you never ordered. Be especially wary of requests that sound urgent and demand immediate payment or action.
The reality: These scams are trying to trick you into sending money to a fraudster or providing your personal or financial details to them.
How to respond: If you receive a suspicious invoice or money request, don’t pay it. And don’t call any phone numbers stated in the invoice note or open suspicious URLs.
- Advance fee scams
The fake: You’re offered free money! Yay! Fraudsters usually first ask you to send them a smaller amount (for expenses, etc.) before they send you the fortune you’re promised but will never receive.
The reality: If it sounds too good to be true, it probably is.
How to respond: Never send money to anyone you don’t know. Delete the request.
- Overpayment scams or refund scams
The fake: A customer sends a seller more than the purchase price of an order and claims it was an accident. They ask you to pay back the overpayment or send a payment to another company, such as a shipping company. The well-meaning seller sends the refund and ships the item.
The reality: A legitimate buyer won’t overpay you for an order. The “buyer” is a fraudster spending money from a hijacked credit card or PayPal account. When they receive the “refund,” the scammer vanishes. When the real user discovers that their account was used to make a purchase, the merchant ends up in a PayPal dispute. They will usually lose the “repayment” they wired to the fraudster, the product they shipped, any shipping costs, and the initial payment.
How to respond: Cancel the order if a customer pays too much and asks you to return part of the payment. Never send money to anyone you don’t know. This also goes for the shipping company—it’s most likely part of the scam.
- Prize winnings or advance payment scams
The fake: “Pay this small handling fee and you’ll get a great prize!” or “Please claim your inheritance/lottery winnings (but pay a small deposit and provide your personal details first)…”.
The reality: There is no prize and your great aunt has sadly not left you her fortune. If you send the money, you won’t get anything in return except a lesson to be more careful in the future.
How to respond: Remember that a legitimate prize won’t require payment and ignore all promises of big prizes and other wins in competitions you never entered. Inheritances aren’t claimed via shady emails that necessitate small payments.
- Order confirmation scams
The fake: You receive an email that appears to be from PayPal and looks like an order confirmation. You’re asked to click on a link in the message to check the status of your order.
The reality: The email is a phishing email. Scammers are trying to steal your PayPal login credentials by tricking you into signing into your account through a spoofed web page.
How to respond: Double check that you really made a purchase by logging into the website directly to check any open orders.
- Fake fraud alerts
The fake: You receive text messages that look like fraud alert notifications from PayPal. Typically, they warn you that someone is trying to access your account. Others might report suspicious activity on your profile.
The reality: It might be a smishing attack (phishing via your phone). The link in the text could take you to a fake PayPal page that steals your account details as you log in. You could also end up accidentally downloading malware that allows someone to spy on your phone.
How to respond: Delete any unexpected texts. PayPal does send text messages or emails for one-time login codes or two-factor authentication, but be wary of any notification you weren’t expecting.
- Password reset scams
The fake: You receive a request from PayPal to change your password immediately.
The reality: Fake password reset alerts that appear to be from PayPal are a scammer favorite. Clicking a link could open Pandora’s box, and you’ll share your login credentials or download malware.
How to respond: Play it safe and change your password anyway but log in directly through the PayPal app or website through your browser. Never trust a random third-party link.
- Fake charity or appeal scams
The fake: A refugee crisis? Cancer-stricken children? You’re asked to donate money for a worthy cause.
The reality: Scammers descend to new lows when they take advantage of public sympathies, particularly during disasters. They use fake charities to solicit donations via PayPal. They may also share forged confirmation emails or receipts, so it looks as if the transaction is legitimate.
How to respond: Never donate via text to phone numbers you don’t recognize or via email links from people claiming to represent organizations. Always donate through a charity’s own website or well-known fundraising platforms and see these tips on how to donate safely to avoid PayPal scams and other online cons. Here are some (US-based) sites recommended by PayPal:
- Shipping address scams
The fake: A package couldn’t be delivered, and the buyer demands a refund.
The reality: Sellers and retailers aren’t immune to PayPal scams either! Sometimes scammers buy goods through PayPal but provide an invalid delivery address. When the shipping company marks the package as undeliverable, the buyer contacts the shipping company to provide them with the real address and then requests a refund from PayPal on the undelivered order. Because you have no proof of delivery (the transaction shows the original address), the money will be refunded to the scammer.
How to respond: Always check that the shipping address is legitimate and consider avoiding selling to high-risk countries that are well-known for PayPal fraud and other scams. Also make sure that the delivery company will notify you if the address is changed and insist on signed-for deliveries.
- Hacked account scams
The fake: Others receive suspicious emails from your PayPal account. You might receive transferred funds, but after the product has been sent the money disappears from your account.
The reality: A cybercriminal has gained access to your PayPal account through a phishing attack and is using that account to scam other users. PayPal will withdraw money after being notified that the account was hacked.
How to respond: PayPal advises the following: “We’re here to help you day and night. So, if you suspect your (PayPal) account has been compromised, contact us immediately”. Also change your password, PINs, and security questions and review your account information. Is it up to date? Make sure no unknown phone numbers or email addresses have been added. Plus, check your account activity for anything suspicious.
It’s always advisable to be very wary. To sum up, these subject lines are hot hacker favorites so please look out for them and never engage with the sender:
“Your account is about to be suspended.”
“You’ve been paid!”
“You have been paid too much.”
Can you get scammed on eBay when using PayPal?
Sadly, yes, there are a few eBay PayPal scams in operation. These once again use fake PayPal emails to try and scam you out of money or steal your financial and personal details. Consider this likely scenario for example: After selling an item on eBay, the buyer asks for your email address. You then get an email stating that you have received a PayPal payment for an order, and the funds have been deposited into your PayPal account. Unaware that the email is a fake, you believe that you’ve been paid, so you send the item to the buyer. When you later log into your account, you see that the money isn’t there and the scammer will have disappeared with your goods.
You could also receive a phishing email regarding a recent eBay transaction. It asks you to provide information using a link that seems to lead to the PayPal website. If you click the link, your identity and financial information could be at risk.
Whether you’re a buyer or a seller on eBay, check and double-check that all correspondence you receive is genuine. Also, never allow yourself to be persuaded to complete transactions off these official platforms, even if a Nigerian Prince claims it’s easier to send you the money privately.
Use this handy checklist to identify real vs scam PayPal emails and texts
So, you’ve received an email from PayPal. Is it the real deal? Do these quick checks and never reply or click on a link if you’re uncertain.
- Does it come from paypal.com? PayPal uses two main email addresses. The primary email is email@example.com and it’s usually used to send account statements and notifications of changes. It also uses firstname.lastname@example.org to send receipts. paypal.me is also a legitimate domain, meant for sharing your PayPal account and sending money more quickly and easily. Remember that the “friendly-from” name in the email address could be different to the sender’s real name. The friendly-from (or friendly) name is how the sender wants to be identified and is the name you instantly see in the email—it’s usually the email account name and the company email address. Scammers can fake the friendly name, so it’s important to mouse over the email address or click “reply” to see the sender’s full email. It may look like PayPal Service but the real email could reveal itself to be bxfdk1925R3@gmail.com.
- Does the email contain links? Here are some common examples of fake links:
“Your order #ZF078567 is confirmed for shipment. Click here to review the details.”
“We have noticed suspicious activity on your account. Please click here to review your recent transactions.”
“You spent $2,193.19 USD with PayPal. If you did not make this transaction, please log in here to revert this transaction.”
Clicking on the links will take you to a bogus website where hackers are waiting to scoop up the account details you enter.
- Does the email ask for your password or credit card number? PayPal will never ask for sensitive information.
- Does the email have attachments or ask you to download or install software? A real email from PayPal will never include an attachment or software. Attachments can contain malware, so you should never open one unless you are 100% sure it’s legitimate.
- Is the greeting impersonal and generic, such as “Dear user”, “Dear [your email address]”, or “Hello PayPal member”? PayPal emails always address you by your first and last names or your business name.
- Does it convey a sense of urgency? Scammers are hoping to make you panic so that you ignore warning signs. If you really need to complete something on your account or solve any issues, log into PayPal directly to see if anything needs updating or checking.
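The checklist above, applied to a raw email by a short script. This is an added example, not code from the original article or from PayPal. The function names, the phrase lists, the `.example` link and the `constructed-sender@paypal.com` address are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = ("paypal.com", "paypal.me")  # domains the checklist names as legitimate
# Phrase lists are constructed from the article's examples, not an official PayPal list.
GENERIC = re.compile(r"^\s*(dear user|dear \S+@\S+|hello paypal member)", re.I | re.M)
URGENT = re.compile(r"\b(immediately|suspended|urgent)\b", re.I)
SECRETS = re.compile(r"\b(password|credit card number)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def in_trusted(host):
    """True only for a trusted domain or a real subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def check_email(raw):
    """Return the checklist red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    # The friendly name is free text; only the address behind it is checked.
    name, addr = parseaddr(str(msg.get("From", "")))
    if not in_trusted(addr.rpartition("@")[2]):
        flags.append(f"sender: friendly name {name!r} hides {addr}")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    for url in URL.findall(text):
        host = urlsplit(url).hostname
        if not in_trusted(host):  # catches paypal.com.<something-else> lookalikes
            flags.append(f"link: {host} is not a PayPal domain")
    if next(msg.iter_attachments(), None) is not None:
        flags.append("attachment: real PayPal emails never include one")
    if GENERIC.search(text):
        flags.append("greeting: generic instead of your name")
    if SECRETS.search(text):
        flags.append("request: asks for password or card number")
    if URGENT.search(text):
        flags.append("urgency: pushes you to act at once")
    return flags

def build(sender, subject, body, attach=False):
    """Build a constructed sample message (not real mail)."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content(body)
    if attach:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename="invoice.bin")
    return m.as_string()

SCAM_RAW = build("PayPal Service <bxfdk1925R3@gmail.com>",
                 "Your account is about to be suspended.",
                 "Dear user,\nPlease confirm your password immediately:\n"
                 "http://paypal.com.account-review.example/login\n", attach=True)
GENUINE_RAW = build("PayPal <constructed-sender@paypal.com>", "Your monthly statement",
                    "Hello Jane Doe,\nLog in at https://www.paypal.com/ to view it.\n")

if __name__ == "__main__":
    for flag in check_email(SCAM_RAW):
        print(flag)
```

An empty result does not prove a message is genuine, because the From header itself can be forged; logging in to PayPal directly remains the safe check.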
For an overview of how phishing emails operate in general, see this blog: Phishing attacks: Steps to stay safe.
As mentioned earlier, when phishing attempts target your phone, they become smishing. “Your PayPal account has been suspended due to suspicious activity. Contact us immediately on 0123-45678. It is imperative that we speak to you.” Similar rules apply to scammer texts, so double-check the sender, avoid clicking on any links, and check the language and greetings used. And please: Never call the number provided or you’ll confirm that you have a PayPal account. You’ll also end up chatting to a fraudster who will be after your account information.
Report PayPal scams
Please report PayPal scams as soon as possible, whether they’re email scams, refund scams, or invoice scams. This helps protect you and others too. PayPal advises reporting all suspicious correspondence or activity by logging in to the PayPal website or the PayPal app or forwarding it to email@example.com. Then delete the email or text. PayPal security experts will investigate to determine if it’s a fake. If there is a scammer at work, they will try and find the source of the email to shut it down. Remember to hit “Forward” to report the suspicious email—never cut and paste the contents or valuable tracking information about the email source will be lost.
Been scammed on PayPal? Here’s what to do
Before you feel too bad, remember that anyone can be scammed. Not even the giant payment platform itself is immune to breaches! On January 18, 2023, PayPal, Inc. filed notice of a data breach with the Maine Attorney General’s Office after discovering that confidential consumer information had been leaked following a credential-stuffing attack.
But back to you. If you think you’ve fallen victim to a PayPal scam, it’s vital to secure your account immediately. Change your account password (and please use a strong, unique password) and notify PayPal via the PayPal Resolution Center. If you’ve lost money due to the scam, PayPal promises to investigate and may issue a refund.
Consider a password manager to help keep your online accounts safer. Avira Password Manager generates complex, unique passwords and helps store them securely—and can also be set to autofill your login details.
Most scams are criminal activity or will accompany some sort of criminal activity, so report the scam to the police. This won’t help recover money lost, but it may stop the scammer from striking in the future. Let’s make life harder for cybercriminals! Here are some helpful links to help keep the police in the know:
How PayPal protects its users against scams
PayPal offers two types of protection for its users. Not every transaction is covered so it’s important to understand how they work to see if you qualify for PayPal protection.
Did you buy something? You need PayPal Buyer Protection
If a transaction on PayPal goes wrong—so your purchase doesn’t arrive or doesn’t match the seller’s description—you may be entitled to a full refund of your order. To qualify for PayPal Buyer Protection, you must have paid with PayPal via a single payment (so no instalments) and must file the dispute within 180 days. Your account must also be “in good standing”, so no negative balance or unresolved problems with past transactions. Please note that buyer protection only covers physical goods that can be posted and doesn’t include houses, cars, custom-made items, travel tickets, or intangible items like services.
Did you sell something? You may be eligible for PayPal Seller Protection
Perhaps the buyer claims they never received their order? Or you were sent an unauthorized payment from a hacked account? The PayPal Seller Protection policy covers you for the full amount of the payment on eligible sales. To qualify, you need to have a primary PayPal address in the United States, so it won’t be helpful to those in other countries. You must have sold a physical item and shipped it to the address listed on the Transaction Details page. You’ll also need to provide a valid proof of delivery. For non-tangible items like services, you must submit any proof that the service was provided. Good luck! See the PayPal Seller Protection page for full details, including items that aren’t covered.
Top tips for avoiding PayPal scams and staying safer online
Hopefully you’re now aware of common PayPal scams and can easily spot any red flags. In addition to double-checking any emails and text messages that claim to be from PayPal, here are essential steps to use the payment provider more safely.
Only deal with verified buyers and sellers. Verifying a PayPal account takes time and requires sharing and verifying your financial details, like your bank account. Scammers are unlikely to do this. (To get verified, go to your account to add and confirm your bank account or your debit or credit card.)
Never send money outside of PayPal for PayPal transactions, even if the buyer or seller requests a refund or payment via a different payment portal. PayPal won’t be able to help resolve disputes or reimburse you if you move off their platform.
Always use your own shipping method. This way, you control delivery and can’t be tricked with bogus shipping labels or other shipping scams. Also contact your shipping agency and block package rerouting. Then the buyer can’t reroute your package, secretly receive it somewhere else, and claim it was never delivered.
Never log in to your PayPal account through a link that is shared with you via email, text message or other means. And never share your account information by email or over the phone!
Ship to the address on the Transaction Details page. Even if a buyer begs for an alternate delivery address, be sure you comply with the PayPal Seller Protection program.
In addition to a strong, unique password for your PayPal Account, enable two-factor authentication.
Always have reputable anti-malware in place. Strong protection helps block even the latest online threats. So, if scammers try to download online threats, like viruses or spyware, onto your machine, you’ll be better protected. Avira Free Security is packed with essential tools for more online privacy, protection, and performance. It also comes with a Password Manager and Software Updater.
We all make mistakes and online scams can be incredibly convincing. When using online payment portals, it pays to be extra vigilant—and remember that, according to research published by Statista (Main payment methods for fraud according to e-merchants worldwide 2021) “debit cards, credit cards, and PayPal were the payment methods e-commerce merchants worldwide saw the most fraud.”
PayPal is a registered trademark of PayPal, Inc. in the U.S. and other countries.