How to help protect your business from phishing and spoofing attempts.

Sep 19 2022 | PayPal editorial staff

It’s not always easy to spot a scammer, especially when they disguise themselves as a reputable brand.

When scammers make communications look, feel, and sound like the reputable organization they’re impersonating, it’s known as spoofing. Phishing is an attempt to gain access to your sensitive data via fake emails, websites, text messages, or voicemails. Here are a few things to watch out for, to help make sure you don’t fall for these types of scams.

1. Fake emails. One of the most common phishing scams involves sending an email that claims to be from a well-known company — like PayPal. The emails may ask you to:

  • Visit a fake or "spoof" website
  • Call a fake customer service number
  • Open attachments that install malicious software on your computer, or
  • Open attachments you didn’t request

You may already have a good eye for fake emails but just in case, watch out for ones that:

  • Start with a generic greeting instead of your name
  • Have poor grammar or many typos
  • Create a sense of urgency, or
  • Ask for personal information like credit or debit card numbers, bank account information, driver’s license number, passwords or your full name. PayPal will never ask for sensitive information in an email.

And when you suspect an email is fake, don't open it, reply to it, click on any links or download any attachments.
 
Tip: Use caution if you get an unexpected payment notification via email. Always verify every payment notification by logging in to your PayPal account and locating the corresponding transaction. All transactions (even pending ones) sent by you, or to you, will show up in your transaction history.

2. Fake websites. A fake website usually works in tandem with a fake email. A link in the email takes you to a site that looks legitimate, and asks you for your password, credit or bank information and/or SSN. These are the red flags of a fake website:

  • The link is not secure. To know if a link is secure, check that the URL begins with ‘https’, like in this one: https://www.paypal.com/us. Also look for the "lock" symbol that appears in the address bar or the lower right-hand corner of your browser. This symbol indicates you’re on a secure site.
  • The URL directs to a completely different website.
3. Fake text messages. Fake text messages, also known as smishing, are phishing carried out over SMS. You receive an urgent text message with a fake phone number or URL that looks like this:
 
“Your PayPal account has been suspended due to suspicious activity. Please contact us immediately at 1-408-123-4567. It is imperative that we speak to you as soon as possible.”  
 
If you call the number, you’re confirming you have a PayPal account, and the scammer will ask for your account information. 
 
Scammers may also use a fake link instead of a phone number.
 
4. Fake voicemails. Fake voicemails, also known as vishing, are voice calls placed by a scammer using an automated system. Typically, the calls mention an “urgent account problem” and ask you to share account information to remedy it. An example of a vishing attempt is:
 
“This is PayPal calling about a possible fraudulent transaction on your account. Please enter your PIN now to hear the transaction details.”
 
When you enter your PIN, the scammer gets the key they need to access your account. 
 
Never provide any account information unless you initiated the phone call. Caller ID is also easily spoofed, so don’t rely on it to verify that the call is authentic.
 
How to protect yourself from phishing and spoofing.
If you think you’ve clicked a bad link, close out of it immediately, run an antivirus check, and then change your password and security questions. Remember, it’s important you run an antivirus check first because you might’ve gotten malware from clicking the link, and the malware can still pick up your new password. 
 
Then, contact your bank or card issuer and explain the situation. Make sure to review your transaction history over the next few weeks to ensure there are no unauthorized transactions on your account, and if there are, report them immediately.
 
Seems phishy?
If you receive an email that you believe could be phishing, don’t respond in any way and also don’t click any links or open any attachments. Instead, simply forward the email to spoof@paypal.com. In order to investigate the email just as you received it, we ask that you don’t change the subject line or send the suspicious email as an attachment. After forwarding to us, delete the email from your account so that there’s no further threat to you. 
 
How do you know when the communication you’ve received is actually from PayPal? 
Be assured that we will never send a request for information via email. Instead, we direct account holders to log in to their account and visit the Resolution Center. You know you’re working on the real PayPal site when the URL is https://www.paypal.com.
 
Additional tools.
In addition, to help prevent a cyber criminal from using phished information in a transaction with your business, the following tools are available through PayPal and other fraud management vendors:

  • Address Verification Service (AVS). Use AVS to verify if the billing address matches the one the card issuer has on file.
  • Card Security Code (CSC). The CSC is the three- or four-digit number located on the back of the card that confirms the customer has the card in their possession.
  • Bank Identification Number (BIN). The first six digits of a card number are known as the BIN and identify the financial institution that issued the card.
  • IP geolocation. IP geolocation pinpoints the location of the computer used for the transaction; checking the geolocation details against the billing and shipping address your customer provided can flag possibly fraudulent transactions.
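The following screening routine is an added example, not PayPal's or any vendor's code. It applies the four signals listed above to a constructed transaction; the AVS and CSC match results, the BIN table and the IP geolocation table are placeholders standing in for the responses a real fraud management service would return.

```python
import re

# Constructed placeholder tables (not real lookups): BIN -> issuing country,
# and IP address (documentation ranges) -> country reported by geolocation.
BIN_COUNTRY = {"411111": "US", "510510": "GB"}
IP_COUNTRY = {"203.0.113.7": "US", "198.51.100.9": "RU"}

def bin_of(card_number: str) -> str:
    """Return the BIN: the first six digits once separators are stripped."""
    return re.sub(r"\D", "", card_number)[:6]

def screen_transaction(tx: dict) -> list:
    """Return the red flags raised by AVS, CSC, BIN and IP geolocation checks."""
    flags = []
    if not tx["avs_match"]:                      # issuer says billing address differs
        flags.append("AVS: billing address does not match issuer records")
    if not tx["csc_match"]:                      # card not in the customer's hand
        flags.append("CSC: security code does not match")
    issuer_country = BIN_COUNTRY.get(bin_of(tx["card_number"]), "unknown")
    if issuer_country != tx["billing_country"]:
        flags.append(f"BIN: card issued in {issuer_country}, billing in {tx['billing_country']}")
    ip_country = IP_COUNTRY.get(tx["ip"], "unknown")
    if ip_country != tx["billing_country"]:
        flags.append(f"IP: order placed from {ip_country}, billing in {tx['billing_country']}")
    if tx["shipping_country"] != tx["billing_country"]:
        flags.append("Shipping country differs from billing country")
    return flags

def decision(flags: list) -> str:
    """A failed CSC or two or more flags sends the order to manual review."""
    if any(f.startswith("CSC") for f in flags) or len(flags) >= 2:
        return "review"
    return "accept" if not flags else "accept-with-note"

# Constructed sample orders; 4111 1111 1111 1111 is a common test card number.
CLEAN_ORDER = {"card_number": "4111 1111 1111 1111", "avs_match": True, "csc_match": True,
               "ip": "203.0.113.7", "billing_country": "US", "shipping_country": "US"}
ODD_ORDER = {"card_number": "5105-1051-0510-5100", "avs_match": False, "csc_match": True,
             "ip": "198.51.100.9", "billing_country": "US", "shipping_country": "NG"}

if __name__ == "__main__":
    for order in (CLEAN_ORDER, ODD_ORDER):
        flags = screen_transaction(order)
        print(decision(flags), flags)
```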
No matter how vigilant you are, inevitably, you will let down your guard and be tempted to click an unsecure link. To help protect you while you browse (and take away some of the stress), there are several site safety rating tools1 available:

  • SiteAdvisor.com
  • MyWOT.com
  • Safeweb.Norton.com

These services collect reports about suspicious sites and rank them. They can’t catch every bad link, but they can be a good first line of defense. 
 
We want to help keep your information secure, and alerting us to possible scam attempts helps protect the PayPal community. 
 
You can also access additional information on online security here or by reviewing our FAQs at the bottom of this page.
 

The contents of this site are provided for informational purposes only. You should always obtain independent, professional accounting, financial, and legal advice before making any business decision.

1 These products aren’t affiliated with PayPal and may require additional costs.


Frequently asked questions.

PayPal regularly conducts research and sends surveys to gather feedback on our products and services. We invite some customers through phone or email to participate in these research studies. Customers can participate in the research from their home or in person at one of our PayPal sites like San Jose or Austin.

If you’re invited to participate in a research study via email the email will come directly from a PayPal employee’s email (greatemployee@paypal.com) or from research@paypal.com. If contacted by phone, the employee should provide their full name and reason for calling. We’ll never ask you to provide your financial details or personal information like your password. If you think an email is fake or suspicious you can forward it to phishing@paypal.com.  For more information on how to spot fake emails, click here.
You may be receiving emails from us because a PayPal account has been registered with your email.
 
Someone may have mistakenly added it to their account when they signed up, either mistyping it or intentionally entering an email that wasn’t theirs.
 
Or it was recycled by a domain provider like Gmail, Hotmail, etc. If you have an email account and stop using it for a while, the domain provider can reissue the email address to the public and allow it to be used again by someone else.
 
If you want to stop receiving those emails, send us a message at unsolicitedemail@paypal.com.   
 
Tips:
  • Email us using the email address where you’re receiving PayPal emails
  • Include a statement acknowledging you don’t have a PayPal account and would like your email removed from the PayPal system
If you’re not sure the email you received is from PayPal, check our tips to learn more about email phishing and how to spot a fake email.

Before you begin 
 
A limited account means that you won’t be able to do certain things with your PayPal account. For example, you might not be able to send or withdraw money. 
 
Usually, we ask you to complete some steps to remove your account limitation. Go to your Resolution Center or click the bell icon at the top of your Summary page for more info.

If all the steps are completed and your account remains limited, it means one of two things: 

  • We've already reviewed your account and sent you an email asking for more information, or 
  • We're still reviewing the information you provided. 

If you're required to upload documents, review our tips for submitting documents.

The time it takes to resolve an account limitation depends on the complexity of your specific case. 

In most cases, our customer service team can't remove your limitation over the phone. Please wait for us to contact you. 

Note: If you received an email stating that your account is limited, but don't see any limitation in the Resolution Center, you may have received a fake email. Forward it to phishing@paypal.com and we’ll investigate it for you. After you send us the email, delete it from your inbox. If you clicked any links or downloaded any attachments within the suspicious email or website, log in to your account and view your transactions. It’s also a good idea to change your password. Click More about email phishing for more information. 

The majority of Unauthorized Account Access cases are a result of inadvertently providing account information, such as bank or credit card account numbers, on fake PayPal websites or in response to fake PayPal emails.

PayPal will always address you by your first and last name whether it’s a contact by phone or email. If an email or phone call claims there are issues with your account, log in to your PayPal account and check the Resolution Center. Any account issues will be listed there.

Stay safe. Don't respond to emails or phone calls asking for any of the following:
  • Your password and email address combination
  • Credit card numbers
  • Bank account numbers
  • Social Security numbers
  • Driver's license number
  • First and Last Names

Always log in to the PayPal site
  • PayPal will only ask for information after you’ve securely logged in.
  • For your security, PayPal will never ask you to re-enter your full bank account, credit, or debit card number without providing you at least the last two digits of the number. These digits let you know that we already know the full number and are asking you for the rest of it. Beware of any website or email asking for these numbers for "verification" that doesn’t provide the last two digits.
Web pages
  • When using the PayPal service, always make sure the PayPal URL address listed at the top of the browser begins with "https." The "s" ensures that the website is secure. Even if the URL contains the word "PayPal," it may not be a PayPal webpage.
  • Look for the "lock" symbol that appears in front of or behind the URL. This symbol indicates that you are on a secure site.
Don’t download attachments, software updates, or any application to your computer via a link you received in an email. PayPal won’t ask you to download anything for your account to work.

Password
  • Use a unique password for your PayPal account and change it every 30-60 days.
  • The password should be one that isn’t used on any other site, service, or login.
If you think you’ve received a fraudulent email, please forward it to phishing@paypal.com and then delete the email from your mailbox. Never click any links or attachments in a suspicious email.

To learn more about online safety, click Security near the bottom of any PayPal webpage.
