PayPal Warning | Legit Emails Used in Ongoing Phishing Scam | Sync Up
Imagine opening your inbox and seeing an official PayPal email saying you just bought a brand-new MacBook. But you didn’t buy anything, so what’s going on? We’ll break down why this is one of the most convincing phishing scams we’ve seen and how it works as we sit down and sync up with Rocket IT’s weekly technology update.
In this episode, you’ll hear more about:
- A PayPal scam that tricks users with fake purchase confirmations.
- How scammers are sending scams with a legit PayPal email address.
- How this phishing email is able to bypass security filters.
- What happens if you fall victim to this PayPal scam.
Video Transcript
This scam was first reported by BleepingComputer, and it’s fooling people because it actually comes from PayPal’s real email address. The message says you added a new shipping address and includes what looks like a purchase confirmation for a MacBook M4. At the bottom, there’s a phone number urging you to call if you didn’t authorize the update.
At first glance, it looks legitimate. The email isn’t full of typos. The sender address isn’t some sketchy domain. The message even passes PayPal’s own security checks. That’s exactly why so many people are falling for it.
In reality, no one is buying a MacBook. There’s no actual transaction happening. Instead, scammers are taking advantage of how PayPal handles shipping addresses.
PayPal allows users to add additional addresses to their accounts, which is normal. But there’s a flaw: the system doesn’t limit how much text can be entered into the second address field. The scammers figured out that they could type an entire fake purchase confirmation message into that section. When they save the address, PayPal automatically sends an email confirming the update, and because that message includes everything the scammer wrote, it looks like a real order confirmation.
That’s why the email is so convincing—it’s actually coming from PayPal. But it’s nothing more than manipulated text.
The scammers aren’t just picking random people to send these emails to. They’ve figured out a way to distribute them at scale.
Here’s how it works. When they add their fake address to PayPal, the confirmation email is sent to their own inbox. But instead of keeping it, they’ve set up an automatic forwarding system. The scam email is first sent to a fake email account controlled by the scammers, which then forwards it to a Microsoft 365 mailing list. That list could potentially include you, and anyone else they’ve added as a target.
Since PayPal is sending the email first, and the scammers are just forwarding it, the message still looks like it’s coming straight from PayPal. This allows them to distribute their scam to thousands of users, all while bypassing security filters.
Most phishing scams get flagged because they come from fake email addresses. This one doesn’t. Since the email is coming directly from PayPal’s servers, spam filters don’t catch it. The message even passes security checks that normally verify whether an email was tampered with.
It looks legitimate because, in a technical sense, it is legitimate. That’s what makes it so dangerous.
Calling the number listed in the email’s message connects you to someone posing as PayPal customer service. The first thing they do is tell you that your account has been hacked and that they need to help you secure it. They’ll instruct you to visit a website and enter a special security code. That code downloads a remote access tool, which gives them full control of your computer.
From there, they can steal banking information, install malware, or lock you out of your own accounts. These scams aren’t just about PayPal—they’re designed to take control of everything linked to your device.
PayPal isn’t intentionally sending scam emails, but its system is making this possible. By allowing unlimited text in the address field, scammers can inject messages that trick users into believing they made a purchase.
A simple fix would be to limit the character count in that field, but until PayPal addresses this, the scam will continue.
If you receive an email like this, don’t call the number. Log into PayPal directly—not through the email—and check your account. If everything looks normal, delete the message and report it to PayPal.
For businesses, scams like this aren’t just a personal risk. Employees can receive these emails, panic, and unknowingly give a scammer access to company accounts. That’s why having an IT partner, like Rocket IT, matters. A strong security strategy can help filter out scams like these, train employees to recognize threats, and keep systems locked down so a single mistake doesn’t lead to a full-scale breach. If your business isn’t sure how to protect against scams like this, Rocket IT can help put the right protections in place so these threats don’t turn into real problems. Simply contact us using the link in this video’s description. And to stay up to date on trending technology news, hit that subscribe button and the bell to catch us on next week’s episode of Sync Up with Rocket IT.
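The forwarding chain described in the transcript leaves two traces a mail gateway can check even though the PayPal signature is valid: the mailbox that received the message is not named in the To/Cc headers, and an address-change notice carries a phone number and callback or purchase wording. The sketch below is an added example, not code from Rocket IT or PayPal; the sample message, addresses, subject line and the `triage` function are constructed for illustration, and it assumes the `Authentication-Results` header was stamped by your own gateway.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample (not a real capture); all addresses and the number are placeholders.
SAMPLE = """\
From: service@paypal.com
To: list-seed@forwarder.example
Subject: You added a new address
Authentication-Results: mx.corp.example; dkim=pass header.d=paypal.com

You added a new address. This is just a quick confirmation that you
added an address in your PayPal account.
Address line 2: Confirmation: Your shipping address for the MacBook M4
has been changed. If you did not authorize this update, call PayPal
at +1-555-010-0199
"""

PHONE = re.compile(r"\+?\d[\d\-\s().]{8,}\d")
LURE = re.compile(r"\b(call|did not authorize|didn't authorize|purchase|order)\b", re.I)

def triage(raw, delivered_to):
    """Return the reasons a PayPal-signed address notice looks like this scam."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    auth = msg.get("Authentication-Results", "").lower()
    # Only evaluate mail that genuinely passed DKIM for paypal.com;
    # spoofed mail is already handled by ordinary filtering.
    if "dkim=pass" not in auth or "header.d=paypal.com" not in auth:
        return []
    reasons = []
    named = msg.get_all("To", []) + msg.get_all("Cc", [])
    header_rcpts = {addr.lower() for _, addr in getaddresses(named)}
    # Forwarded copies keep the scammer's own address in To:.
    if delivered_to.lower() not in header_rcpts:
        reasons.append("recipient-not-in-headers")
    # An address-change notice has no business containing a callback lure.
    if "address" in msg.get("Subject", "").lower():
        if PHONE.search(body):
            reasons.append("phone-in-address-notice")
        if LURE.search(body):
            reasons.append("purchase-or-callback-language")
    return reasons

if __name__ == "__main__":
    print(triage(SAMPLE, "employee@corp.example"))
```

A message that trips all three reasons is a good candidate for quarantine and user notification rather than silent deletion, since the sender domain itself is legitimate.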