VYPR
Trend · Published Apr 30, 2026 · Updated May 18, 2026 · 1 source

Scammers Hijack PayPal Email Subject Lines to Deliver Tech Support Scams

Scammers are manipulating the subject line of legitimate PayPal payment notifications to trick recipients into calling fraudulent tech support numbers.

Scammers have found a new way to abuse PayPal's email system to deliver tech support scams. According to a report from Malwarebytes and ConsumerWorld.org, attackers are manipulating the subject line of legitimate payment notification emails sent from service@paypal.com. The emails pass all standard security checks—DKIM, SPF, and DMARC—and include the recipient's real name and a genuine transaction ID, making them appear highly authentic.

The scam works by altering the subject line to falsely claim a pending charge of $987.90 and including a fraudulent phone number. The body of the email, however, shows a legitimate payment of ¥1 JPY (about $0.0063). Victims who call the number in the subject line are connected to tech support scammers who attempt to steal banking details, install remote access tools, or take control of accounts and devices.

The exact method for altering the subject line remains unclear. Malwarebytes notes that the subject line was already weaponized at the point PayPal's systems signed the email, as the DKIM signature would fail if the subject were rewritten later. One possibility is that scammers abuse PayPal's note or remittance field in certain payout templates, which may surface in the subject line and HTML title tag, even though standard merchant payment emails do not allow arbitrary subjects.
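
The mismatch described above, where the subject line names a large charge and a phone number while the authenticated body shows a different amount, can be checked mechanically at the mail gateway or in a triage script. The following Python check is an added example, not code from Malwarebytes, PayPal or the original report; the sample message, its phone number and transaction ID, and the function name `check_notification` are constructed for illustration.

```python
import re
from email import message_from_bytes
from email.policy import default

# Constructed sample: name, transaction ID and phone number are placeholders.
SAMPLE = """\
From: service@paypal.com
To: jane@example.com
Subject: Pending charge of $987.90 - call +1 (800) 555-0199 to cancel
Authentication-Results: mx.example.com; dkim=pass; spf=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Hello Jane Doe,
You sent a payment of ¥1 JPY.
Transaction ID: EXAMPLE-TXN-0001
""".encode("utf-8")

PHONE = re.compile(r"(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
AMOUNT = re.compile(r"[$¥€£]\s?\d[\d,]*(?:\.\d{1,2})?")

def _norm(amount):
    """Drop spaces and thousands separators so '$ 1,000' equals '$1000'."""
    return re.sub(r"[\s,]", "", amount)

def check_notification(raw_bytes):
    """Flag a notification whose subject makes claims the body does not back."""
    msg = message_from_bytes(raw_bytes, policy=default)
    subject = str(msg["Subject"] or "")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    findings = []
    # A payment receipt has no reason to carry a call-back number in its subject.
    if PHONE.search(subject):
        findings.append("phone-number-in-subject")
    # Every amount named in the subject should also appear in the body.
    body_amounts = {_norm(a) for a in AMOUNT.findall(body)}
    for amount in AMOUNT.findall(subject):
        if _norm(amount) not in body_amounts:
            findings.append("subject-amount-not-in-body:" + _norm(amount))
    # Only trust Authentication-Results stamped by your own receiving MTA.
    auth = str(msg["Authentication-Results"] or "").lower()
    authenticated = all(f"{m}=pass" in auth for m in ("dkim", "spf", "dmarc"))
    # Passing authentication does not clear the findings: the content was signed as sent.
    return {"authenticated": authenticated,
            "suspicious": bool(findings), "findings": findings}

if __name__ == "__main__":
    print(check_notification(SAMPLE))
```

A message that is both `authenticated` and `suspicious` is the case this report describes, so the two fields are reported separately instead of letting a DKIM, SPF and DMARC pass suppress the content findings.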

This attack follows a similar loophole that PayPal closed in December 2025, where scammers used paused subscriptions to trigger legitimate notifications. The new technique appears to exploit a different vector, potentially involving the payout template system. Malwarebytes has contacted PayPal for comment and will update their post if they receive a response.

To protect against such scams, users should never call phone numbers listed in suspicious emails, use verified official contact methods, and be wary of anyone requesting remote access to their computer. Suspicious emails should be forwarded to phishing@paypal.com. Malwarebytes also recommends using their Scam Guard tool to analyze suspicious messages.

This incident highlights the ongoing challenge of preventing abuse of legitimate email systems. Despite robust authentication protocols like DKIM, SPF, and DMARC, scammers continue to find ways to exploit features within trusted platforms to deceive users. Users are advised to remain vigilant and verify any unexpected payment notifications directly through their PayPal account rather than relying on email content.

Synthesized by Vypr AI