PayPal hit by ‘fake invoice’ phishing scam shortly after announcing OpenAI deal


PayPal, the American fintech giant, faces a new wave of cyberattacks as fraudsters target users with fake invoice scams. The attack surfaced just days after PayPal announced its partnership with OpenAI to integrate payment systems directly within ChatGPT by 2026, making the situation even more alarming.

Security experts at KnowBe4, cited in a Forbes report, revealed that cybercriminals have launched what’s known as a Telephone-Oriented Attack Delivery (TOAD). In this scheme, scammers send fraudulent invoices or money requests through genuine PayPal email channels, tricking recipients into thinking the messages are legitimate. The invoices often list products or services that victims never ordered, a red flag meant to provoke confusion and fear.

KnowBe4’s analysts warned users to be cautious of emails from real PayPal domains containing unexpected invoices and a phone number to dispute charges. These emails are part of the scam. When victims call the listed number, they reach fraudsters posing as PayPal support agents. The attackers use this opportunity to steal personal information such as credit card details, PayPal credentials, or even convince victims to make direct payments.

What makes this attack more deceptive is that the emails come from legitimate PayPal addresses. The invoices, however, are fake. According to KnowBe4, the email body is usually blank except for the attached invoice, which is not a standard PayPal practice. When you open the file, you often see alarming text like: “We billed your account $823.00. We’ll process the payment in 24 hours. Didn’t make this purchase? Contact PayPal Support immediately.”

Malware intelligence researcher Pieter Arntz from Malwarebytes shared that he personally received one of the scam invoices, which appeared to have been sent in bulk. He observed that some came not from PayPal domains, but from random Gmail addresses—a clear sign of fraud. The messages were sent via BCC (blind carbon copy) to hundreds of recipients simultaneously, another major warning sign. Arntz emphasized that PayPal never distributes invoices this way.
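The warning signs described above (a blank body with an attached invoice, a callback number next to alarming billing text, delivery by BCC, and a PayPal display name on a non-PayPal address) can be checked mechanically by a mail filter. The following Python sketch is an added example, not code from PayPal, KnowBe4 or Malwarebytes; the function names, indicator labels and sample messages are constructed for illustration, and it reads only plain-text attachments.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses, parseaddr

PHONE = re.compile(r"\(?\b\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}\b")
ALARM = re.compile(r"we billed your account|contact paypal support", re.I)

def toad_indicators(raw, recipient):
    """List which of the article's warning signs a raw message shows."""
    msg = message_from_string(raw, policy=default)
    hits = []
    name, sender = parseaddr(str(msg.get("From", "")))
    # A genuine PayPal sender domain never clears a message: the scam rides on it.
    if "paypal" in name.lower() and not sender.lower().endswith("@paypal.com"):
        hits.append("paypal_name_from_other_domain")
    shown = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {a.lower() for _, a in getaddresses([str(h) for h in shown])}
    if recipient.lower() not in visible:
        hits.append("recipient_only_in_bcc")
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content().strip() if body else ""
    attachments = list(msg.iter_attachments())
    if attachments and not body_text:
        hits.append("blank_body_with_attachment")
    # Only text attachments are read here; PDF or image invoices need an extractor.
    text = body_text + "".join(
        p.get_content() for p in attachments if p.get_content_maintype() == "text")
    if PHONE.search(text) and ALARM.search(text):
        hits.append("callback_number_with_billing_alarm")
    return hits

def sample(sender, to, body, invoice):
    """Build a constructed test message (not a captured scam email)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, to, "Invoice"
    m.set_content(body or "\n")
    m.add_attachment(invoice, filename="invoice.txt")
    return m.as_string()

# Constructed samples; the phone number is from the range reserved for fiction.
INVOICE = ("We billed your account $823.00.\nWe'll process the payment in 24 hours.\n"
           "Contact PayPal Support immediately: (800) 555-0199\n")
SCAM = sample("PayPal Billing <billing.x91@gmail.com>", "list@example.org", "", INVOICE)
BENIGN = sample("Shop <orders@example.com>", "user@example.net",
                "Your receipt is attached.", "Receipt for order 1001. Total $12.00.\n")
```

The second argument is the mailbox the message was delivered to; a scam invoice sent from a genuine PayPal address still trips the three content and delivery checks.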

In response to the scam, PayPal issued a public warning urging users to avoid engaging with suspicious invoices. The company’s message was direct: “Do not pay, do not phone.” It advised anyone who receives an unexpected invoice or payment request, whether it appears to be from PayPal or elsewhere, to ignore it and avoid making any contact through the provided details.

PayPal assured users that it is tackling the threat through both human and technological measures, including manual investigations, fraud prevention systems, and restrictions on high-risk accounts. The company reaffirmed its zero-tolerance policy toward fraudulent activity, stressing its commitment to safeguarding customer data.

“We do not tolerate fraudulent activity on our platform, and our teams work tirelessly to protect our customers,” the company stated. “We are aware of this phishing scam and encourage people to stay alert and cautious of unexpected messages.”

To report suspicious emails or fake invoices, PayPal urged users to log in directly via the official website or app and forward suspicious communications to phishing@paypal.com before deleting them.

The company also offered safety tips to help users identify and avoid scams. It advised users to stay alert for invoices linked to products or services they never ordered or that include alarming notes urging them to call customer service numbers. Such tactics aim to trick people into sharing personal or financial details. Users should never click on links or dial phone numbers in questionable emails.

PayPal’s message was clear: if something feels off, it probably is. When in doubt, don’t pay suspicious invoices, don’t follow any links or contact numbers in the email, and never send money to cryptocurrency wallets mentioned in such messages.

The ongoing scam highlights how sophisticated cybercriminals have become, exploiting real systems and trusted brands to trick unsuspecting victims. As PayPal continues its efforts to protect users, vigilance remains the strongest defense.

Tes Chinazam is a skilled writer at TechMarge, specializing in Global Venture, Fintech, and the latest top stories from around the world. With a passion for uncovering trends and delivering insightful analysis, Tes brings clarity and depth to complex topics, keeping readers informed and engaged with the evolving global tech landscape.