PayPal Invoice Scam
An email arrives from service@paypal.com — a real PayPal address — showing an invoice for $299 for a Norton subscription or a crypto purchase you never made. A support number is included. You call it to dispute the charge. The person who answers is not PayPal. They are a scammer who will walk you into surrendering your account, your computer, or both.
What Is the PayPal Invoice Scam?
The PayPal invoice scam is a phishing attack that exploits PayPal’s own legitimate invoice sending system. Unlike traditional phishing emails that spoof a sender address and are caught by spam filters, this scam uses a real PayPal account to send a genuine PayPal invoice, which arrives from service@paypal.com, passes SPF, DKIM and DMARC because it genuinely left PayPal’s mail servers, and appears in the inbox exactly as a real PayPal communication would.
The scam’s payload is not in the email’s technical infrastructure — it is in the invoice’s content. Scammers create invoices for large unauthorized charges — typically $200 to $1,000 — for products the recipient never purchased: cryptocurrency orders, security software renewals, or tech support plans. In the invoice’s memo or note field, they include a phone number labeled as PayPal Support or a fraud department, with instructions to call immediately if you did not authorize the charge.
When the alarmed recipient calls that number, they reach a scammer posing as a PayPal representative. From there, the attack pivots to a tech support fraud model: the “agent” helps them “reverse” the charge by gaining remote access to their computer, walking them through their PayPal account, or requesting a verification transfer. The invoice itself was never a real charge — it was the lure to trigger the phone call that is the actual attack.
How the PayPal Invoice Scam Works — Step by Step
Creating the Invoice
The scammer creates a free PayPal personal or business account and uses PayPal’s standard invoice creation tool to generate a bill addressed to the target’s email. The invoice is for a large, alarming amount — a cryptocurrency purchase, a Norton or McAfee annual renewal, a Geek Squad service plan, or a tech support subscription. The description is vague enough to be plausible, and the note field contains a fake support phone number and urgent language: “If you did not authorize this transaction, call immediately to cancel.”
Sending Through PayPal’s System
Because the invoice is generated through PayPal’s real system, it arrives in the recipient’s inbox from service@paypal.com with valid SPF, DKIM and DMARC results, rendered in PayPal’s own template. Nothing in the headers or the formatting separates it from a legitimate invoice. The tells are in the content: it is a request for payment from an account holder the recipient has never dealt with, not a record of a completed charge, and the phone number sits in the seller-written note field. The large amount and the fake support number are designed to provoke a call before the recipient thinks to log into PayPal and confirm that no money has actually moved.
The Fake Support Call
The recipient calls the number in the invoice. A “PayPal representative” answers, confirms the unauthorized charge, and expresses concern. To process the refund, they need to “verify your account” — which progresses to requesting remote access to the recipient’s computer (using AnyDesk or TeamViewer), asking for PayPal login credentials to “access the billing system,” or requesting a small “verification transfer” to confirm the account is active. Each of these steps gives the scammer what they actually want.
The Account Drain
Once the scammer has remote access or PayPal credentials, they access the victim’s real PayPal balance and any linked bank accounts or cards. Some crews run the overpayment variant: while on the call, they “accidentally” refund too much and ask the victim to send back the difference via a separate transfer. This is the classic overpayment structure, using PayPal account access as the mechanism rather than a physical check.
Red Flags in a PayPal Invoice
- A phone number appears in the invoice note or memo field — PayPal does not include support numbers in invoice notes, and any number there was placed by the sender, not PayPal.
- The invoice is for a product or service you never purchased, ordered, or subscribed to — a PayPal invoice can be sent to any email by anyone for anything.
- The invoice creates urgency: “Call within 24 hours or this charge will be processed” — PayPal does not use this framing for legitimate billing.
- The sender name is a business name you do not recognize rather than a personal contact — invoice senders are PayPal account holders, not PayPal itself.
- Any instruction to call a number to “cancel” the invoice — invoices are declined through your PayPal account, not by phone.
💡 The One Rule That Defeats Every PayPal Invoice Scam
Never call any phone number included in a PayPal invoice. PayPal does not put support numbers in invoice notes — any number there was placed by the person who sent the invoice, which means it connects to the scammer. To dispute any PayPal transaction, go directly to paypal.com by typing it in your browser, log into your account, and use the Resolution Center. Your PayPal account shows your actual transaction history — if the charge isn’t there, the invoice was never a real charge and can simply be declined.
The Broader Legitimate Infrastructure Abuse Pattern
The PayPal invoice scam belongs to a growing category of fraud that abuses legitimate platform infrastructure to bypass spam and phishing filters. Because the attack vector is a real PayPal account sending a real invoice, the email is technically authentic — it genuinely came from PayPal’s servers. The same pattern appears in Google Calendar invite phishing, DocuSign document fraud, and LinkedIn message phishing — attackers use real platform accounts to send fraudulent content that arrives with full institutional authenticity.
This represents a meaningful evolution in phishing attack sophistication. Traditional defenses — checking the sender address, looking for spelling errors, hovering over links — provide no protection because the sender address is genuine, the formatting is correct, and the links in the email lead to real PayPal pages. The attack lives entirely in the behavior it triggers (calling the phone number) rather than in any technical deception of the email itself.
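The red flags listed above, together with the point that the email passes authentication, translate directly into a mail-filter rule. The following is an added example, not code from this page or from PayPal: it reads two constructed PayPal invoice notifications, records that both pass DMARC, and flags only the one whose seller note carries a phone number and urgency wording. The header layout, the regular expressions, the urgency phrase list and the $200 threshold are assumptions chosen for the example.

```python
"""Triage heuristic for PayPal invoice-notification emails (added example).

Constructed sample messages; assumes the mail is available as RFC 822 text
carrying an Authentication-Results header like the ones Gmail or Microsoft 365
add, and that the seller-written note appears in the plain-text body.
"""
import email
import email.utils
import re
from email import policy

# North American phone number; the scam note almost always carries one.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# Urgency phrases seen in these notes (assumed list; extend from your own samples).
URGENCY_RE = re.compile(
    r"\b(immediately|within \d+ hours|call now|will be processed|cancel)\b", re.I)
AMOUNT_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})*(?:\.\d{2})?)")
LARGE_AMOUNT_USD = 200.0  # assumed threshold, matching the $200 to $1,000 range above


def auth_passed(msg) -> bool:
    """True if the receiving MTA recorded a DMARC pass (or SPF and DKIM both pass)."""
    hdr = str(msg.get("Authentication-Results", "")).lower()
    return "dmarc=pass" in hdr or ("spf=pass" in hdr and "dkim=pass" in hdr)


def triage(raw: str) -> dict:
    """Score one invoice notification. Authentication is reported but never
    used as a negative signal: a genuine PayPal invoice passes it too."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()

    phones = sorted({m.group(0) for m in PHONE_RE.finditer(text)})
    urgency = sorted({m.group(0).lower() for m in URGENCY_RE.finditer(text)})
    amounts = [float(a.replace(",", "")) for a in AMOUNT_RE.findall(text)]
    max_amount = max(amounts) if amounts else 0.0

    reasons = []
    if phones:
        reasons.append("phone number in invoice note")
    if urgency:
        reasons.append("urgency language")
    if max_amount >= LARGE_AMOUNT_USD:
        reasons.append("large amount")

    # A phone number alone is decisive; urgency plus a large amount is enough to hold.
    suspicious = bool(phones) or ("urgency language" in reasons and "large amount" in reasons)
    return {"from": sender, "authenticated": auth_passed(msg), "phones": phones,
            "urgency": urgency, "max_amount": max_amount,
            "reasons": reasons, "suspicious": suspicious}


# Constructed sample: scam invoice with a fake support number in the seller note.
SCAM_EMAIL = """\
From: "service@paypal.com" <service@paypal.com>
To: victim@example.com
Subject: Invoice from Crypto Assets LLC
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Content-Type: text/plain; charset="utf-8"

Crypto Assets LLC sent you an invoice for $599.00 USD.
Note from seller: If you did not authorize this transaction, call PayPal Support immediately at +1 (888) 555-0142 to cancel.
"""

# Constructed sample: ordinary invoice from a known contact, same authentication results.
BENIGN_EMAIL = """\
From: "service@paypal.com" <service@paypal.com>
To: victim@example.com
Subject: Invoice from Jane's Bakery
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Content-Type: text/plain; charset="utf-8"

Jane's Bakery sent you an invoice for $45.00 USD.
Note from seller: Thanks for your order! Pay by Friday if you can.
"""

if __name__ == "__main__":
    for name, raw in (("scam", SCAM_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, triage(raw))
```

Both messages report `authenticated: True`, which is the whole point: a rule that trusts the `From` domain or the DMARC result will pass the scam, while a rule that looks at the seller note flags it. In a real deployment the phone regex should be matched only against the seller-note region of PayPal’s HTML template, since PayPal’s own footer may legitimately contain numbers.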
What To Do If You Called the Number or Granted Access
- Disconnect from the internet immediately if you granted remote access: unplug the ethernet cable or turn off Wi-Fi to end the session, then uninstall the remote-access tool (AnyDesk, TeamViewer) the scammer had you install so the session cannot be re-established when you reconnect.
- Change your PayPal password immediately from a different device and turn on PayPal’s two-step verification, then change the passwords for any email account and bank account linked to your PayPal.
- Log into your real PayPal account and review recent transactions — report any unauthorized charges or account changes through PayPal’s Resolution Center.
- Contact your bank if linked accounts may have been accessed — request a temporary hold and review of recent activity.
- Forward the original invoice email to phishing@paypal.com — PayPal’s fraud team investigates and suspends accounts used to send scam invoices.
- Report to the FTC at reportfraud.ftc.gov and the FBI at ic3.gov with all details including the invoice amount, the phone number embedded in it, and any losses incurred.