Scammers Alter PayPal Email Subjects to Push Tech-Support Scams
Scammers altered subject lines in genuine [email protected] messages that passed DKIM/SPF/DMARC to show a fake $987.90 charge and a phone number, prompting recipients to call fraudsters.
Security researchers identified emails sent from [email protected] in which the subject line showed a “Pending charge of USD 987.90” and a callback phone number while the email body displayed a small ¥1 JPY transaction. The messages included the recipient’s real name and a valid transaction ID and carried headers indicating DKIM, SPF and DMARC checks had passed.
Analysts found the HTML title tag matched the weaponized subject line. Because altering an email after it is cryptographically signed normally breaks DKIM, researchers say the injected text appears to have been added before signing. One plausible explanation is that scammers populated a note or remittance field whose contents can surface in certain payout or notification templates, including in the subject or title fields.
The apparent goal of the messages was to prompt immediate phone contact. By placing a large, unexpected dollar amount and a callback number in the subject line, the emails encouraged recipients to call the supplied number rather than verified PayPal channels. Callers who reach the perpetrators posing as PayPal support may be asked to confirm payment methods, provide banking information, install remote‑access software or hand over control of accounts and devices.
An automated scam‑detection tool classified the sample as a “call back” scam. The phone number in the subject line was not the legitimate PayPal contact, which appeared only inside the authenticated message body. Researchers advise submitting suspicious emails, texts and screenshots to automated analysis services when available.
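The mismatch described above, a callback number and dollar amount that appear in the subject but nowhere in the message body, can be checked mechanically even when DKIM, SPF and DMARC all pass. The following Python check is an added example, not code from the researchers or from PayPal; the sample message, its addresses, phone numbers and transaction ID are constructed placeholders, and the `Authentication-Results` header is assumed to come from the recipient's own mail server.

```python
import re
from email import message_from_string
from email.policy import default

PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
AMOUNT = re.compile(r"\b\d{1,3}(?:,\d{3})*\.\d{2}\b")
TITLE = re.compile(r"<title>(.*?)</title>", re.I | re.S)

def phones(text):
    # Normalise to the last 10 digits so "+1 (800) ..." equals "800-..."
    found = (re.sub(r"\D", "", m) for m in PHONE.findall(text))
    return {d[-10:] for d in found if len(d) >= 10}

def analyze(raw):
    msg = message_from_string(raw, policy=default)
    subject = str(msg["Subject"] or "").strip()
    auth = str(msg.get("Authentication-Results", "")).lower()
    part = msg.get_body(preferencelist=("html", "plain"))
    html = part.get_content() if part else ""
    title = TITLE.search(html)
    # Visible body text: drop <title> (it mirrors the subject) and all tags
    body = re.sub(r"<[^>]+>", " ", TITLE.sub(" ", html))
    odd_phones = phones(subject) - phones(body)
    odd_amounts = set(AMOUNT.findall(subject)) - set(AMOUNT.findall(body))
    return {
        "auth_pass": all(f"{k}=pass" in auth for k in ("dkim", "spf", "dmarc")),
        "title_matches_subject": bool(title) and title.group(1).strip() == subject,
        "subject_only_phones": sorted(odd_phones),
        "subject_only_amounts": sorted(odd_amounts),
        "callback_suspect": bool(odd_phones),
    }

# Constructed sample: addresses, phone numbers and IDs are placeholders.
SAMPLE = """\
From: service@payments.example
To: user@example.org
Subject: Pending charge of USD 987.90 - call +1 (800) 555-0100
Authentication-Results: mx.example.org; dkim=pass; spf=pass; dmarc=pass
Content-Type: text/html; charset="us-ascii"

<html><head><title>Pending charge of USD 987.90 - call +1 (800) 555-0100</title></head>
<body><p>Hello Jane Doe, you sent &yen;1 JPY.</p>
<p>Transaction ID: TXN-EXAMPLE-0001</p>
<p>Questions? Call 1-888-555-0199.</p></body></html>
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A message can report `auth_pass` as true and still be flagged: authentication confirms which domain signed the message, not that every field in it was written by that sender.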
Consumers are advised not to call phone numbers shown in unexpected emails and to use verified support pages or the official PayPal app for account issues. Suspicious messages can be forwarded to [email protected] to assist investigations. If someone believes they have been victimized, experts recommend contacting the bank or card issuer to report unauthorized transactions and seek reversals, filing complaints with the Federal Trade Commission or local law enforcement, changing affected passwords and enabling two‑factor authentication, and running full malware scans on any device that may have been accessed.
The incident follows a December 2025 case in which attackers created and paused subscriptions to trigger legitimate PayPal notifications and then used forwarding lists to distribute them. The recent subject‑line manipulation uses an authenticated channel to surface misleading content in the elements recipients see first. PayPal was contacted for comment.



