- Scammers are abusing PayPal’s Subscriptions feature to inject phishing messages into legitimate PayPal emails
- A manipulated customer‑service URL and a forwarding Google Workspace list spread the fake notices widely
- PayPal says it’s mitigating the issue and urges users to treat unexpected subscription emails with caution
Scammers are using PayPal’s “Subscriptions” feature to send convincing phishing emails and trick users into giving away access to their accounts on the platform.
Subscriptions is a feature that lets businesses charge customers automatically on a regular schedule. Customers sign up once and agree to recurring payments, which PayPal then processes automatically.
If the business terminates someone’s subscription, that person is notified via email that comes directly from PayPal’s servers and, as such, passes most email security scans.
Abusing mailing lists
So how do the scammers abuse this feature?
As BleepingComputer explains, the email includes a customer service URL which the crooks somehow managed to modify to include the phishing message. At this time, it is unknown how they achieved that, and it is speculated that they are either abusing a flaw in how PayPal handles subscription metadata, or using an API or a legacy platform.
The message contains phishing content we’re used to seeing in these scams – warning recipients that they’ve purchased an expensive item and that, if they want to cancel the order, they should call PayPal on the phone number provided in the message.
However, this still does not answer the question how the victims received this message, if they never subscribed to a particular business.
Apparently, the original email gets sent to just one address – “receipt3@bbcpaglomoonlight.studio”. The researchers believe this is a Google Workspace mailing list that automatically forwards the email to all other group members which, in this case, are the victims.
“This forwarding can cause all subsequent SPF and DMARC checks to fail, since the email was forwarded by a server that was not the original sender,” the publication wrote.
PayPal was notified about the abuse, and it confirmed to currently be working on a fix:
“PayPal does not tolerate fraudulent activity, and we work hard to protect our customers from consistently evolving phishing scams,” PayPal told BleepingComputer.
“We are actively mitigating this matter, and encourage people to always be vigilant online and mindful of unexpected messages. If customers suspect they are a target of a scam, we recommend they contact Customer Support directly through the PayPal app or our Contact page for assistance.”
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
The post PayPal user beware – experts warn subscriptions being abused to send fake purchase emails first appeared on TechToday.
This post originally appeared on TechToday.