So you've got an email that claims to be from PayPal. Maybe it says there's been unusual activity on your account, or someone's sent you money, or there's an invoice you don't recognise.
Before you click anything, let's work through this together. PayPal is one of the most impersonated brands in phishing emails, so you're right to be cautious.
Check the sender address first
Look at the actual email address — not the display name. Here's what's real and what's not.
Legitimate PayPal sender addresses:
- @paypal.com
- @paypal.co.uk
- @mail.paypal.com
- @mail.paypal.co.uk
- @e.paypal.com
- @paypal.com (for invoices and payment notifications)
Common fake addresses:
- ❌ @paypal-security.com
- ❌ @paypai.com (that's an 'i' not an 'l')
- ❌ @paypal-support.com
- ❌ @service-paypal.com
- ❌ @paypal.com.account-secure.net
- ❌ @paypa1.com (that's a '1' not an 'l')
- ❌ @paypal-notifications.com
- ❌ @securepaypal.com
Watch for the domain trick: [email protected] is real. [email protected] is not — the real domain is dodgy-site.com. Always look at what comes right before the first single / in a URL, or after the last @ in an email.
The most common PayPal scam emails
1. "Unusual activity detected on your account" The classic. Claims someone logged in from a new device or location and you need to "verify your identity" via a link. Real PayPal security alerts include the last 4 digits of your linked cards and direct you to log in at paypal.com. They don't ask you to enter your full card details via email.
2. "Confirm your identity or your account will be limited" Threatens that your account will be restricted unless you click a link and provide personal information. PayPal does occasionally limit accounts, but they tell you to log in to the Resolution Centre at paypal.com — they don't send forms to fill out via email.
3. "You've received a payment" This one's clever because it plays on greed. Claims someone sent you money (often for a sale on eBay, Gumtree, or Facebook Marketplace). The goal is to get you to ship an item before realising no real payment was made. Always check your actual PayPal balance before shipping anything.
4. "You have an outstanding invoice" This is the big one right now — and it's particularly nasty. Keep reading.
The PayPal invoice scam (this one catches everyone)
This scam is different because the email often genuinely comes from PayPal. Here's how it works:
1. A scammer creates a real PayPal account
2. They use PayPal's invoice feature to send you a real invoice
3. The invoice is for something you never bought — often "Norton Antivirus renewal £349.99" or "Geek Squad service plan $499.99" or "Bitcoin purchase $850.00"
4. The invoice includes a phone number saying "Call to cancel"
5. You call the number, and the scammer (pretending to be support) asks for remote access to your computer or your banking details
This email passes every technical check because it really is from PayPal's servers. The red flags are:
- You didn't buy or order whatever the invoice is for
- The invoice includes a phone number (real companies don't put phone numbers in PayPal invoices)
- The amount is alarming — designed to make you panic
- The seller name is usually something like "Billing Department" rather than a real business
What to do: Don't call the number. Don't pay the invoice. Log into PayPal directly, go to your Activity, and if you see the invoice there, click "Report this invoice" or simply decline it.
What a real PayPal email looks like vs a fake
Real PayPal emails:
- Address you by your full name (first and last)
- Include the last 4 digits of any card or bank account referenced
- Show specific transaction amounts and merchant names
- Link to paypal.com or paypal.co.uk (hover to check)
- Never contain attachments
- Come from the addresses listed above
- Have a consistent, professional layout
Fake PayPal emails:
- Start with "Dear PayPal User" or "Dear Customer" or your email address
- Contain grammar/spelling errors ("Your account have been limited")
- Create false urgency ("Respond within 24 hours")
- Ask you to "verify" personal information via a link
- Include attachments
- Links point to domains that aren't paypal.com when you hover
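The sender-domain rule from the "Check the sender address first" section and the greeting and hover-the-link checks from the list above, turned into a small triage script. This is an added example, not code from the original page or from PayPal; the legitimate-domain set is the one the page lists, the lookalike logic (undoing the 1/i/l swaps the page calls out) and the sample message are my own construction.

```python
import re
from urllib.parse import urlsplit

# Sender domains the page lists as legitimate (assumption: exact-match set).
LEGIT_SENDER_DOMAINS = {"paypal.com", "paypal.co.uk", "mail.paypal.com",
                        "mail.paypal.co.uk", "e.paypal.com"}
# A link host is genuine only if it IS one of these or a subdomain of one.
PAYPAL_ROOTS = ("paypal.com", "paypal.co.uk")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
GENERIC_GREETINGS = ("dear paypal user", "dear customer", "dear user")

def email_domain(addr: str) -> str:
    """The domain is whatever follows the LAST '@' (display name ignored)."""
    return addr.rsplit("@", 1)[-1].strip("<> \n").lower()

def url_host(url: str) -> str:
    """The host is what sits before the first single '/' after the scheme."""
    return (urlsplit(url).hostname or "").lower()

def is_paypal_host(host: str) -> bool:
    return any(host == r or host.endswith("." + r) for r in PAYPAL_ROOTS)

def is_lookalike(host: str) -> bool:
    """paypai / paypa1 / paypal-security / paypal.com.evil.net style hosts:
    undo the common 1->l, i->l, 0->o swaps, then look for 'paypal' in a
    host that is NOT actually under a PayPal root."""
    norm = host.translate(str.maketrans({"1": "l", "i": "l", "0": "o"}))
    return "paypal" in norm and not is_paypal_host(host)

def classify_sender(addr: str) -> str:
    d = email_domain(addr)
    if d in LEGIT_SENDER_DOMAINS:
        return "legitimate"
    return "lookalike" if is_lookalike(d) else "not-paypal"

def classify_links(body: str) -> list:
    """(url, verdict) for every http(s) link found in the body text."""
    out = []
    for url in URL_RE.findall(body):
        h = url_host(url)
        v = "paypal" if is_paypal_host(h) else ("lookalike" if is_lookalike(h) else "other")
        out.append((url, v))
    return out

def has_generic_greeting(body: str) -> bool:
    """'Dear PayPal User', 'Dear Customer', or a greeting that is just your email address."""
    first = body.strip().splitlines()[0].lower() if body.strip() else ""
    return first.startswith(GENERIC_GREETINGS) or "@" in first

def triage(sender: str, body: str) -> dict:
    links = classify_links(body)
    return {"sender": classify_sender(sender),
            "generic_greeting": has_generic_greeting(body),
            "bad_links": [u for u, v in links if v != "paypal"]}

# Constructed sample message (not a real email) that trips all three checks.
SAMPLE_SENDER = "PayPal Security <service@paypal.com.account-secure.net>"
SAMPLE_BODY = ("Dear PayPal User,\nWe detected unusual activity. Respond within 24 hours:\n"
               "https://paypal.com.account-secure.net/verify\n")
```

Run `triage(SAMPLE_SENDER, SAMPLE_BODY)` to see the three red flags reported together; a genuine alert from `service@paypal.com` addressed to you by name with links under paypal.com produces none of them.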
What PayPal will NEVER do by email
- ❌ Ask for your full credit/debit card number
- ❌ Ask for your bank account number or sort code
- ❌ Ask for your password or security questions
- ❌ Ask for your National Insurance number
- ❌ Send attachments
- ❌ Ask you to call a phone number in the email to resolve account issues
- ❌ Threaten to close your account unless you respond to an email immediately
Your quick verification steps
✅ 1. Check the sender address. Match it against the legitimate list above.
✅ 2. Check the greeting. PayPal knows your name. If it doesn't use it, be suspicious.
✅ 3. Don't click — go direct. Open a new tab, type paypal.com yourself, and log in. Any real issues will show in your account notifications or Resolution Centre.
✅ 4. Check your transaction history. If the email mentions a payment or invoice, it'll appear in your Activity if it's real.
✅ 5. Forward it. Not sure? Forward the email to [email protected] — PayPal will tell you if it's real.
The golden rule with PayPal emails
Never click a link in an email to log into PayPal. Always open a new browser tab and type paypal.com yourself. If there's a genuine issue with your account, you'll see it there. This single habit makes you virtually immune to PayPal phishing.