Digital payment systems like PayPal are more popular than ever, and scammers are following the money. Here's what you can do to guard against them.
With more than 400 million users and counting, PayPal is an attractive target for scammers. Many online scams that involve payment apps—including Cash App scams, Venmo scams and Zelle scams—bank on the fact that users don’t understand how these services work or use them carelessly, leaving users vulnerable to bad actors looking to steal their money, financial information and more.
That doesn’t mean you need to delete your PayPal account, though. You can still take advantage of all the features PayPal has to offer by using it smartly and knowing how to spot the signs of a scam. To help you do just that, we got the download from cybersecurity experts on what PayPal scams to look out for and how to avoid them.
What is PayPal?
PayPal is an all-in-one digital payment platform that offers an alternative to traditional banking methods. To create a PayPal account, users must first link their bank accounts or credit cards to the system. From there, they can log in through their computer or smart device and make purchases from third-party retailers, accept payments and deposits, or transfer money or cryptocurrency between accounts.
Can you get scammed with PayPal?
Unfortunately, it is all too easy for scammers to steal your money or financial information through PayPal. “There are different scams and fraud attempts deployed by identity criminals trying to steal your money, financial information and more” on PayPal’s platform, according to Eva Velasquez, president and CEO of Identity Theft Resource Center.
What are some common PayPal scams?
While scammers can be sneaky and convincing, their scams also tend to have some common themes that make them easier to identify. Here are some of the most prevalent.
Order confirmation scam
In the majority of PayPal-related scams, scammers use phishing emails to impersonate PayPal. Here’s how this one works: Criminals will create a fake or “spoofed” email address that appears to be from PayPal. Then they will send you an email that looks like an order confirmation for a recent purchase. You will be asked to check the status of your order by logging in to your account through a link included in the message.
These phishing emails take many different forms, but “what remains the same each time is what the criminal is ultimately after,” says Karim Hijazi, CEO of the cybersecurity company Prevailion and former contractor for the U.S. intelligence community. “They want to steal your PayPal login credentials by tricking you into signing into your account through a spoofed web page.” Once the scammer captures your login information, they can use it to log in to your account and make purchases, withdraw money or carry out a doxxing attack, among a host of other things.
Fake fraud alert scam
Beware of unsolicited text messages that look like fraud alert notifications from PayPal. Known as “smishing” attacks, these fake fraud alerts are tough to spot because no two messages are the same. Some might warn that someone is trying to access your account, while others will report suspicious activity on your profile. “There is a wide range of fake alerts that scammers will use, and every one of them will be different,” says Hijazi.
While PayPal does send text messages or emails for one-time login codes or two-factor authentication, receiving a PayPal notification unexpectedly is a sign that you might be dealing with a scam. The text may appear to come from a legitimate PayPal phone number, but the link in the message could actually take you to a fake PayPal login page that steals account details like your password when you try to enter them. Clicking on the link could also accidentally download malware that allows someone to spy on your iPhone, so make sure to delete any phony texts as soon as you receive them.
Unsolicited payment or transfer request scam
Before accepting an unexpected payment or transfer request on PayPal, take a close look at the message. Some scammers create profiles that impersonate real people or businesses—even going so far as to steal their usernames and profile pictures.
You should report the scam to PayPal if you end up accepting the scammer’s request and sending them money. However, PayPal can’t guarantee that you will receive a refund. That’s why you should avoid getting scammed in the first place by always initiating transactions and never accepting unsolicited payment or transfer requests on PayPal, Velasquez says.
Password reset request scam
Received a password reset notification from PayPal out of the blue? Don’t click any links in the text message or email, Hamerstone says. Instead, log in directly through PayPal’s app or website through your browser and change your password immediately, in case your account has been hacked.
Scammers often create fake password reset alerts that appear to be from PayPal too. By clicking a link attached to the text message or email, you could accidentally share your login credentials with scammers or download malware. Beefing up your iPhone security and checking these iPhone privacy settings can protect you if a hacker gains access to your smartphone.
Fake charity scam
Another common PayPal scam uses fake charities to solicit donations from unsuspecting users. The fraudster will create a webpage for a phony charity organization, then contact victims asking for donations via PayPal. Although they may share forged confirmation emails or receipts to make it appear as though the transaction is legitimate, in reality, they have already taken off with your money. These fake charity sites are getting more convincing, but there are ways to spot fake donation scams so you don’t fall victim going forward.
Promotional offer scam
Like fake fraud alerts or order confirmation emails, this scam relies on a spoofed email address or phone number that makes their message appear to be from PayPal. The message notifies users that they have qualified for a promotional offer and money has been deposited into their account. Ultimately, the scammer is hoping to trick the user into entering their PayPal login credentials on a fake webpage or clicking an attachment that infects their phone with a virus.
Refund request scam
Receiving a random PayPal transfer is not always an honest mistake. In fact, scammers often use this trick to fool you into giving them money. The fraudster might use the stolen financial information from a hacked PayPal account to transfer several hundred dollars to your account, then send you a message saying: “Oops! Can you send that back?” The money that you send goes to the criminal’s personal card—which they have added to the fake account—and the stolen funds are removed from your account.
Turns out, everyday users are not the only victims of PayPal scams; criminals target sellers and retailers through PayPal too. For example, a fraudster will overpay for an item using a fake or stolen credit card or bank account number, then contact the seller to ask them to return the overpaid amount, usually to a different account than the one they used to make the initial payment. Once they get the money back, the scammer will contact PayPal to cancel the original transaction, leaving the seller out of both their product and payment.
Shipping address scam
When you sell something online, always verify the address where you are shipping the item. Some scammers will purchase goods through PayPal but give the seller an invalid delivery address. After the shipping company marks the package as undeliverable, the buyer will contact the shipping company to change the address and request a refund from PayPal on the undelivered order. Retailers also should watch out for brushing scams when selling products online.
Hacked account scam
If a cybercriminal learns the login credentials and gains access to a PayPal account through a phishing attack, they can use that account to scam other users as well. They may transfer funds to your PayPal account as payment for a product or service, but after they receive the product, the money disappears from your account. More than likely, PayPal withdrew the money after getting word that the account was hacked.
How do I avoid getting scammed on PayPal?
Let’s be honest: Cybercriminals will never stop trying to scam you. But there are some steps you can take to protect yourself against future PayPal scams. Experts recommend following these tips to outsmart scammers.
Always initiate transactions on PayPal. If you receive a request for money, do not accept it until you verify that it is legitimate.
Never click on any links or attachments or respond to any unexpected messages from PayPal. Instead, reach out to PayPal directly to confirm that the message is real.
Look for generic greetings, typos or incorrect grammar in messages from PayPal, which could be red flags of a scam.
To find out whether an email message is actually from PayPal, click the “view source” or “open original” button in your email account. This will show the full header and routing details for the email you received. Find the line item in the header called “return-path,” which tells you whether the email you received came from PayPal or a fake email address. A phony sender’s address might be scrambled or off by one or two letters.
Never log in to your PayPal account through a link that is shared with you via email, text message or other means. Instead, log in directly from your web browser or app.
Rather than calling a phone number that has been provided to you in a message from PayPal, contact PayPal directly by looking up its publicly listed phone number.
Never share your account information, including passwords, bank account or payment card information, by email or over the phone.
If you receive a fake or suspicious email or text message, report it to PayPal at firstname.lastname@example.org.
Regularly monitor your PayPal account for suspicious activity, and contact PayPal if you notice anything unusual.
Create a strong, unique password and enable two-factor authentication to prevent hackers from accessing your PayPal account.
Use spam filters to block emails and stop spam texts going forward.