PayPal Scam Warning: Do Not Pay!
A major cybersecurity warning has been issued after PayPal users across the globe began receiving fraudulent invoices sent from what appears to be a legitimate PayPal email address. Experts emphasize that this latest phishing campaign—commonly known as a “TOAD” or Telephone-Oriented Attack Delivery scam—relies on fear and urgency to trick victims. The official message from PayPal is short and direct: “Do not pay, do not phone.”
According to security analysts, attackers have discovered a new way to exploit PayPal’s invoicing system by creating real PayPal accounts and using them to send authentic-looking messages. These emails contain fake invoices for expensive purchases that the victim supposedly made. The email urges the recipient to call a phone number listed in the message if they wish to dispute the charge. However, that number does not connect you to PayPal’s real customer support—it connects you to a scammer pretending to be a PayPal representative.
Once victims call, the impersonator pretends to verify account details and then requests credit card numbers or login credentials, supposedly to issue a refund or “fix” a hacked account. In some cases, scammers even demand an additional payment to secure the user’s profile. PayPal confirmed that these messages are not legitimate and advised users never to respond to them under any circumstances.
Roger Grimes, a cybersecurity advisor at KnowBe4, explained that these schemes have been circulating for years. Scammers take advantage of PayPal’s large customer base, sending out thousands of fake invoices daily. The reason this scam works so well is that it uses a genuine PayPal address, making the emails appear completely authentic. Grimes noted that attackers can also send fraudulent messages through PayPal’s refund or messaging features, increasing confusion among users.
PayPal has publicly acknowledged this phishing wave and reassured customers that its security teams are continuously monitoring the situation. The company uses a mix of manual investigation and advanced fraud-detection technology to identify and block suspicious accounts. According to a PayPal spokesperson, “We do not tolerate any fraudulent activity on our platform. Our teams work tirelessly to protect customers and advise them to be cautious of unexpected invoices or messages.”
Users are reminded to check any suspicious messages directly through the official PayPal app or the “Contact Us” page on the company’s website, rather than calling the phone number listed in the suspicious email. PayPal encourages people to report fake invoices immediately so that its fraud department can act quickly to disable scam accounts.
Security professionals also warn that similar phishing strategies target users of other major services, not only PayPal. However, because of PayPal’s global presence and trusted brand image, cybercriminals continue to use it as a tool to deceive victims. The best defense remains awareness: if you get an unexpected invoice, do not pay it and do not call any number included in the message. Instead, log in directly to your PayPal account and verify your recent transactions.
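Because these invoices come from a genuine PayPal address, sender checks pass, so a mail filter has to look at the content instead. The sketch below is an added example, not PayPal's or the article's own code. It flags invoice mail that asks the reader to phone a number in the body. The function names, the trusted-domain set, the keyword lists and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the gateway already trusts after SPF/DKIM/DMARC checks.
TRUSTED_SENDER_DOMAINS = {"paypal.com"}
INVOICE_WORDS = re.compile(r"\b(invoice|payment request|money request)\b", re.I)
CALLBACK_WORDS = re.compile(r"\b(call|phone|dial)\b", re.I)
# Loose matcher for 10-digit numbers with an optional country code.
PHONE = re.compile(r"(?<!\w)\+?\d{0,3}[\s.(-]*\d{3}[\s.)-]*\d{3}[\s.-]*\d{4}(?!\d)")

def body_text(msg):
    """Join the text/plain parts of a single-part or multipart message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() == "text/plain")

def triage(raw_message, window=120):
    """Flag invoice mail that asks the reader to phone a number in the body."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = body_text(msg)
    is_invoice = bool(INVOICE_WORDS.search(f"{msg.get('Subject', '')}\n{body}"))
    phones = []
    for m in PHONE.finditer(body):
        nearby = body[max(0, m.start() - window):m.end() + window]
        if CALLBACK_WORDS.search(nearby):
            phones.append(m.group().strip())
    return {
        "flagged": is_invoice and bool(phones),
        # A trusted sender is not evidence of legitimacy for this pattern.
        "sender_trusted": domain in TRUSTED_SENDER_DOMAINS,
        "callback_numbers": phones,
    }

# Constructed sample messages (not real PayPal mail).
TOAD_SAMPLE = """\
From: PayPal <service@paypal.com>
Subject: Invoice from Example Store

You sent a payment of $899.99 USD. If you did not authorize this charge,
call +1 (888) 555-0142 to dispute it within 24 hours.
"""
BENIGN_SAMPLE = """\
From: Example Shop <billing@shop.example>
Subject: Your invoice for order 1182

Amount due: $42.00. Reply to this email with any questions.
"""
```

A message that is flagged while `sender_trusted` is true is the case the article describes: route it to review rather than letting sender reputation clear it.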
In today’s digital age, scams evolve rapidly, but vigilance and skepticism remain the best armor. PayPal users, as well as anyone managing digital payments, must stay alert to avoid falling victim to these sophisticated traps. The lesson is clear: when in doubt, trust only official channels and remember the golden rule repeated by PayPal—“Do not pay, do not phone.”