The scheme demonstrates that even authenticated, platform‑generated messages can be weaponized, raising the threat level for businesses that rely on PayPal for transactions. It underscores the need for stricter verification processes and user education to prevent costly credential theft and remote‑access fraud.
The latest PayPal scam leverages the service’s own Money Request and Invoice tools, allowing fraudsters to generate emails that carry the brand’s blue BIMI tick. Because the messages originate from PayPal’s servers, they satisfy SPF, DKIM and DMARC authentication, slipping past corporate spam filters and landing directly in users’ inboxes. The deceptive "Note to Customer" field is where the attackers embed a counterfeit support number, turning a seemingly harmless invoice into a gateway for social engineering.
Once a victim dials the fake number, scammers employ classic callback phishing tactics. They may request remote‑desktop tools such as AnyDesk or TeamViewer, coax the user into revealing login credentials, or convince them to reverse a non‑existent charge by sending funds to a criminal‑controlled account. The FBI has issued alerts about this method, noting its effectiveness in bypassing email‑based defenses and exploiting the trust users place in official communications. The phone call adds a human element that often overrides caution, making the attack more persuasive than a simple malicious link.
Mitigation requires a layered approach: never click links or call numbers embedded in unsolicited invoices, and always verify transactions by logging into PayPal directly. Organizations should educate employees about the limits of visual cues like the blue tick and enforce policies for reporting suspicious invoices. PayPal’s rapid response—removing the invoice and flagging it with a warning—shows the platform’s commitment to fraud detection, yet the incident signals a broader shift where attackers weaponize legitimate services. Strengthening user awareness and enhancing real‑time verification can reduce exposure to this evolving threat vector.
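A mail-triage check for this pattern, as an added example that is not part of the article: since these messages pass SPF, DKIM and DMARC, the useful signal is a phone number (often with urgency wording) in the note field of an otherwise authentic PayPal invoice. The sample messages, the Authentication-Results layout and the plain-text "Note to Customer:" marker are constructed assumptions, not PayPal's actual format.

```python
"""Flag authenticated PayPal invoice mails whose note field carries a phone number.
Added example; the samples and the note-field marker are constructed assumptions."""
import email
import email.utils
import re
from email import policy

# The scam passes all three checks, so a pass is NOT a trust signal on its own.
AUTH_PASS = re.compile(r"\b(spf|dkim|dmarc)=pass\b", re.I)
# Loose North-American phone pattern (constructed for this example).
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URGENCY = re.compile(r"\b(call|unauthori[sz]ed|cancel|immediately|within 24 hours)\b", re.I)
NOTE = re.compile(r"Note to Customer:(.*)", re.I | re.S)  # assumed plain-text marker

# Constructed sample: headers a receiving MX would add for a genuine PayPal-sent mail.
SCAM = b"""From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Invoice from Tech Support Services
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Content-Type: text/plain; charset=utf-8

You have a new invoice.
Note to Customer: Unauthorized transaction detected. Call 1-800-555-0199 immediately to cancel.
"""
BENIGN = SCAM.split(b"Note to Customer:")[0] + b"Note to Customer: Thanks for your order.\n"


def triage(raw: bytes) -> dict:
    """Authenticated PayPal sender + phone number in the note = callback-phishing suspect."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    passes = {m.group(1).lower() for m in AUTH_PASS.finditer(msg.get("Authentication-Results", ""))}
    authenticated = {"spf", "dkim", "dmarc"} <= passes
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    from_paypal = addr.lower().endswith("@paypal.com")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    m = NOTE.search(text)
    note = m.group(1).strip() if m else ""
    phones = PHONE.findall(note)
    return {
        "authenticated": authenticated,
        "from_paypal": from_paypal,
        "phones": phones,
        "urgent": bool(URGENCY.search(note)),
        # Route to a human: the sender is real, so only the note content separates the cases.
        "suspect": authenticated and from_paypal and bool(phones),
    }


if __name__ == "__main__":
    print(triage(SCAM))
    print(triage(BENIGN))
```

The benign case shows why the rule keys on the note field rather than on authentication results: both messages are equally "authentic" at the header level.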