With more than 434 million users and counting, PayPal is an attractive target for scammers. Many online scams that involve payment apps—including Cash App, Venmo, and Zelle—bank on the fact that users don’t understand how these services work or use them carelessly, leaving users vulnerable to bad actors looking to steal their money, financial information and more.

That doesn’t mean you need to delete your PayPal account, though. You can still take advantage of all the features PayPal has to offer by using it smartly and knowing how to spot the signs of a scam. To help you do just that, we got the download from cybersecurity experts on what PayPal scams to look out for and how to avoid them.

What is PayPal?

PayPal is an all-in-one digital payment platform that offers an alternative to traditional banking methods. To create a PayPal account, users must first link their bank accounts or credit cards to the system. From there, they can log in through their computer or smart device and make purchases from third-party retailers, accept payments and deposits, or transfer money or cryptocurrency between accounts.

Can you get scammed with PayPal?

Unfortunately, it is all too easy for scammers to steal your money or financial information through PayPal. “There are different scams and fraud attempts deployed by identity criminals trying to steal your money, financial information and more” on PayPal’s platform, according to Eva Velasquez, president and CEO of Identity Theft Resource Center.

But keep in mind that PayPal isn’t the only place you could get scammed. “It is important to note that you can be scammed with any site or service,” says Alex Hamerstone, a director with TrustedSec, an ethical hacking company.

What are some common PayPal scams?


While scammers can be sneaky and convincing, their scams also tend to have some common themes that make them easier to identify. Here are some of the most prevalent.

Order confirmation scam

In the majority of PayPal-related scams, scammers use phishing emails to impersonate PayPal. Here’s how this one works: Criminals will create a fake or “spoofed” email address that appears to be from PayPal. Then they will send you an email that looks like an order confirmation for a recent purchase. You will be asked to check the status of your order by logging in to your account through a link included in the message.

These phishing emails take many different forms, but “what remains the same each time is what the criminal is ultimately after,” says Karim Hijazi, CEO of the cybersecurity company Prevailion and former contractor for the U.S. intelligence community. “They want to steal your PayPal login credentials by tricking you into signing in to your account through a spoofed web page.” Once the scammer captures your login information, they can use it to log in to your account and make purchases, withdraw money or carry out a doxxing attack, among a host of other things.

Fake fraud alert scam

Beware of unsolicited text messages that look like fraud alert notifications from PayPal. Known as “smishing” attacks (short for SMS plus phishing), these fake fraud alerts are tough to spot because the messages can vary. Some might warn that someone is trying to access your account, while others will report suspicious activity on your profile. “There is a wide range of fake alerts that scammers will use, and every one of them will be different,” says Hijazi.

While PayPal does send text messages or emails for one-time login codes or two-factor authentication, receiving a PayPal notification unexpectedly is a sign that you might be dealing with a scam. The text may appear to come from a legitimate PayPal phone number, but the link in the message could actually take you to a fake PayPal login page that steals account details like your password when you try to enter them. Clicking on the link could also accidentally download malware that allows someone to spy on your iPhone, so make sure to delete any phony texts as soon as you receive them.

Docusign email scam 

Since early 2025, scammers have been setting up Docusign accounts and using templates provided by Docusign to impersonate PayPal customer service representatives, according to Malwarebytes. They send an email through Docusign to let you know they’ve identified an unauthorized transaction and you need to contact them immediately to process a refund. Ultimately, the goal is to get your financial information. 

“This scam is especially effective as it uses a legitimate service to impersonate a legitimate entity to convince the victim of the authenticity of the message,” says Seth Ruden, a certified fraud examiner and global advisory director for the U.S. and Canada at BioCatch, a cybersecurity company specializing in digital fraud prevention. Many of us are used to routine Docusign emails for official documents. Pair that with the urgency of needing to address a security issue, and it’s easy to fall for this one.

Google ads customer support scam 

Another scam Malwarebytes identified in early 2025 involves luring in PayPal customers with Google ads for customer support that look real. After hacking advertisers, scammers post Google ads tied to the official PayPal website—so you see “paypal.com” on the search listings—but they direct you to pages with phony phone numbers. On the other end of the line, cybercriminals are waiting to steal your personal information. “The sleight of hand at the core of this scam is a seemingly authentic way for people to access customer support,” says Ruden. We think we can trust Google search and the customer service number that pops up—but even Google ads can be hacked and exploited.

Unsolicited payment or transfer request scam

Before accepting an unexpected payment or transfer request on PayPal, take a close look at the message. Some scammers create profiles that impersonate real people or businesses—even going so far as to steal their usernames and profile pictures.

You should report the scam to PayPal if you end up accepting the scammer’s request and sending them money. However, PayPal can’t guarantee that you will receive a refund. That’s why you should avoid getting scammed in the first place by always initiating transactions and never accepting unsolicited payment or transfer requests on PayPal, Velasquez says.

Password reset request scam

Received a password reset notification from PayPal out of the blue? Don’t click any links in the text message or email, Hamerstone says. Instead, log in directly through PayPal’s app or website through your browser and change your password immediately, in case your account has been hacked.

Scammers often create fake password reset alerts that appear to be from PayPal too. By clicking a link attached to the text message or email, you could accidentally share your login credentials with scammers or download malware. Beefing up your iPhone security and checking these iPhone privacy settings can protect you if a hacker gains access to your smartphone.

Fake charity scam

Another common PayPal scam uses fake charities to solicit donations from unsuspecting users. The fraudster will create a webpage for a phony charity organization, then contact victims asking for donations via PayPal. Although they may share forged confirmation emails or receipts to make it appear as though the transaction is legitimate, in reality, they have already taken off with your money. These fake charity sites are getting more convincing, but there are ways to spot fake donation scams so you don’t fall victim going forward.

Promotional offer scam

Like fake fraud alerts or order confirmation emails, this scam relies on a spoofed email address or phone number that makes the message appear to be from PayPal. The message notifies users that they have qualified for a promotional offer and money has been deposited into their account. Ultimately, the scammer is hoping to trick the user into entering their PayPal login credentials on a fake webpage or clicking an attachment that infects their phone with a virus.

Prize winnings scam 

In a similar scheme, scammers claim you’ve won a prize—you just have to pay a small handling fee to get it. “Scammers may send out messages or emails with links to claim fake prizes or rewards, often asking for login information,” says Brian Cute, the CEO and capacity and resilience program director for the Global Cyber Alliance. They may claim you “deserve” a payment—yet they ask you to send them money, he says. Of course, a legitimate prize requires no upfront payment.

Investment scam 

This scam comes down to the same old advice: If it’s too good to be true, it’s too good to be true. Any time someone asks you to send them an initial payment to invest in some sort of investment scheme online, red flags should immediately pop up for you—especially if it involves cryptocurrency, a favorite for scammers. “Never perform any investments in cryptocurrency via peer-to-peer vendors like PayPal,” says Ruden. “These are always scams.”

Refund request scam

Receiving a random PayPal transfer is not always an honest mistake. In fact, scammers often use this trick to fool you into giving them money. The fraudster might use the stolen financial information from a hacked PayPal account to transfer several hundred dollars to your account, then send you a message saying: “Oops! Can you send that back?” The money that you send goes to the criminal’s personal card—which they have added to the fake account—and the stolen funds are removed from your account.

Overpayment scam

Turns out, everyday users are not the only victims of PayPal scams; criminals target sellers and retailers through PayPal too. For example, a fraudster will overpay for an item using a fake or stolen credit card or bank account number, then contact the seller to ask them to return the overpaid amount, usually to a different account than the one they used to make the initial payment. Once they get the money back, the scammer will contact PayPal to cancel the original transaction, leaving the seller out of both their product and payment.

Shipping address scam

When you sell something online, always verify the address where you are shipping the item. Some scammers will purchase goods through PayPal but give the seller an invalid delivery address. After the shipping company marks the package as undeliverable, the buyer will contact the shipping company to change the address and request a refund from PayPal on the undelivered order.

Prepaid shipping label scam 

Some scammers target sellers on PayPal by asking you to use a prepaid shipping label to send whatever they’ve purchased. “What occurs here is the seller is losing their online protections, as the label puts the package under the scammer’s control,” explains Ruden. Often, they’ve made the purchase with a stolen credit card or want to send the package to an untraceable location. To avoid this scam and stay covered under PayPal Seller Protection, don’t accept alternative shipping labels and only ship to the transaction address, PayPal advises.

Buyer protection scam 

In an ideal world, PayPal’s Purchase Protection—previously known as Buyer Protection—shields you from scams by reimbursing you if an item isn’t received or is significantly different from the seller’s description. Unfortunately, scammers have found ways to take advantage of this policy.  

Say you receive a fake gemstone that looks nothing like the photo online. Because it’s your word against theirs, some buyers and sellers argue PayPal has ruled in favor of the scammer over them in similar cases. Others point out that even if PayPal rules in your favor, you’re forced to send back the defective item to the fraudulent seller in order to receive a refund. That’s enough of a hurdle that some people just accept their losses and walk away.

Friends and family scam 

Other scammers dodge Purchase Protection entirely by asking you to pay for items like scalped tickets through the ‘friends and family’ function. It’s the ideal loophole for tricksters because these transactions are not protected. Key takeaway: Reserve ‘friends and family’ transactions for friends and family.

Hacked account scam

If a cybercriminal learns the login credentials and gains access to a PayPal account through a phishing attack, they can use that account to scam other users as well. They may transfer funds to your PayPal account as payment for a product or service, but after they receive the product, the money disappears from your account. More than likely, PayPal withdrew the money after getting word that the account was hacked.

How do I avoid getting scammed on PayPal?

Let’s be honest: Cybercriminals will never stop trying to scam you. But there are some steps you can take to protect yourself against future PayPal scams. Experts recommend following these tips to outsmart scammers.

  1. Always initiate transactions on PayPal. If you receive a request for money, do not accept it until you verify that it is legitimate.
  2. Never click on any links or attachments or respond to any unexpected messages from PayPal. Instead, reach out to PayPal directly to confirm that the message is real.
  3. Look for generic greetings, typos or incorrect grammar in messages from PayPal, which could be red flags of a scam.
  4. To find out whether an email message is actually from PayPal, click the “view source” or “open original” button in your email account. This will show the full header and routing details for the email you received. Find the line item in the header called “return-path,” which tells you whether the email you received came from PayPal or a fake email address. A phony sender’s address might be scrambled or off by one or two letters.
  5. Never log in to your PayPal account through a link that is shared with you via email, text message or other means. Instead, log in directly from your web browser or app.
  6. Rather than calling a phone number that has been provided to you in a message from PayPal, contact PayPal directly by looking up its publicly listed phone number.
  7. Never share your account information, including passwords, bank account or payment card information, by email or over the phone.
  8. If you receive a fake or suspicious email or text message, report it to PayPal at [email protected].
  9. Regularly monitor your PayPal account for suspicious activity, and contact PayPal if you notice anything unusual.
  10. Create a strong, unique password and enable two-factor authentication to prevent hackers from accessing your PayPal account.
  11. Use spam filters to block emails and stop spam texts going forward.
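
The header check in tip 4, as an added example (not code from PayPal or from this article): it reads the "Return-Path" and "From" headers of a raw message and flags a sender domain that is "off by one or two letters" from the expected one. Treating paypal.com and its subdomains as the only expected sender domain is an assumption made for the example, and both sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED = "paypal.com"  # assumption: the only sender domain accepted as genuine here

def edit_distance(a, b):
    """Levenshtein distance, used to catch domains off by one or two letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower().rstrip(".")

def classify_domain(domain):
    if not domain:
        return "missing"
    if domain == TRUSTED or domain.endswith("." + TRUSTED):
        return "match"
    # Compare the last two labels so "mail.paypa1.com" is still caught.
    tail = ".".join(domain.split(".")[-2:])
    return "lookalike" if edit_distance(tail, TRUSTED) <= 2 else "unrelated"

def check_headers(raw):
    """Classify the envelope sender (Return-Path) and the displayed sender (From)."""
    msg = message_from_string(raw)
    return {
        "return_path": classify_domain(domain_of(msg["Return-Path"])),
        "from": classify_domain(domain_of(msg["From"])),
    }

# Constructed sample: the displayed From looks right, the Return-Path does not.
SPOOFED = (
    "Return-Path: <bounce@paypa1.com>\n"
    "From: PayPal <service@paypal.com>\n"
    "Subject: Your order confirmation\n\n"
    "Check the status of your order by logging in.\n"
)
# Constructed sample with the shape the check accepts.
EXPECTED = (
    "Return-Path: <bounce@mail.paypal.com>\n"
    "From: PayPal <service@paypal.com>\n"
    "Subject: Receipt\n\n"
    "Thanks for your payment.\n"
)

if __name__ == "__main__":
    print(check_headers(SPOOFED))
    print(check_headers(EXPECTED))
```

A "lookalike" or "unrelated" result is a reason to stop and verify through PayPal's app or website, not proof on its own, since the displayed From address is easy to forge and is the one most mail apps show by default.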

Bottom line: “Consumers need to have a sense of skepticism and look for red flags,” says Cute. When you receive unsolicited messages from PayPal, “it’s always a good idea to contact PayPal at their verified customer service center to ask them whether they sent the email or payment request.” Don’t click mysterious links, avoid panicking over unsolicited emails and texts, and if it’s too good to be true, run.

About the experts

  • Eva Velasquez is the president and CEO of the Identity Theft Resource Center. She is a leader in the field of identity compromise and crime, cybercrime, and fraud.
  • Alex Hamerstone, CISSP, is the advisory solutions director at cybersecurity company TrustedSec. Before his work with TrustedSec, he worked in several compliance and security roles for a software company with clients in over 27 countries. 
  • Karim Hijazi is founder and CEO of Prevailion, a cyber intelligence company that detects active threats by infiltrating hacker networks. Hijazi is also a former contractor for the US intelligence community.
  • Seth Ruden is a certified fraud examiner and global advisory director for the U.S. and Canada at BioCatch, a cybersecurity company specializing in digital fraud prevention. He has over 20 years of experience in financial crimes prevention and risk management. 
  • Brian Cute is the CEO and capacity and resilience program director for the Global Cyber Alliance, a nonprofit organization that helps people and organizations improve online security.

Why trust us

Reader’s Digest has published hundreds of articles on personal technology, arming readers with the knowledge to protect themselves against cybersecurity threats and internet scams as well as revealing the best tips, tricks and shortcuts for computers, cellphones, apps, texting, social media and more. For this piece on tech tips, Brooke Nelson Alexander tapped her experience as a longtime journalist and tech reporter. We rely on credentialed experts with personal experience and know-how as well as primary sources including tech companies, professional organizations and academic institutions. We verify all facts and data and revisit them over time to ensure they remain accurate and up to date. Read more about our team, our contributors and our editorial policies.

Sources:

  • Statista: “Global user number of PayPal from 1st quarter 2010 to 4th quarter 2024”
  • Eva Velasquez, president and CEO of the Identity Theft Resource Center
  • Alex Hamerstone, director of advisory solutions at TrustedSec
  • Karim Hijazi, founder and CEO of Prevailion
  • Malwarebytes: “PayPal scam abuses Docusign API to spread phishy emails”
  • Seth Ruden, certified fraud examiner and global advisory director for the U.S. and Canada at BioCatch
  • Malwarebytes: “PayPal’s ‘no-code checkout’ abused by scammers”
  • Brian Cute, CEO and capacity and resilience program director for the Global Cyber Alliance
  • PayPal: “Common types of ecommerce fraud and how to prevent them”
  • PayPal: “What are common scams and how do I spot them?” 
  • PayPal: “PayPal Purchase Protection”
  • PayPal: “PayPal’s Purchase Protection Program”
  • WA Government: “Scammers exploit payment loophole on PayPal” 
  • PayPal: “What’s the difference between friends and family or goods and services payments?”