How to help protect your business from phishing and spoofing attempts.
1. Fake emails. One of the most common phishing scams involves sending an email that claims to be from a well-known company, like PayPal. Watch for emails that:
- Ask you to visit a fake or "spoof" website
- Ask you to call a fake customer service number
- Contain attachments that install malicious software on your computer when opened
- Contain attachments you didn’t request
- Start with a generic greeting instead of your name
- Have poor grammar or many typos
- Create a sense of urgency
- Ask for personal information like credit or debit card numbers, bank account information, driver’s license number, passwords or your full name. PayPal will never ask for sensitive information in an email.
Tip: Use caution if you get an unexpected payment notification via email. Always verify every payment notification by logging in to your PayPal account and locating the corresponding transaction. All transactions (even pending ones) sent by you, or to you, will show up in your transaction history.
2. Fake websites. A fake website usually works in tandem with a fake email. A link in the email takes you to a site that looks legitimate, and asks you for your password, credit or bank information and/or SSN. These are the red flags of a fake website:
- The link isn’t secure. A secure link begins with ‘https’, like this one: https://www.paypal.com/us. Also look for the "lock" symbol that appears in the address bar or the lower right-hand corner of your browser. This symbol indicates that your connection to the site is secure.
- The URL directs to a completely different website.
3. Fake text messages. Fake text messages, also known as smishing, are phishing attempts sent by SMS. You receive an urgent text message with a fake phone number or URL that looks like this:
“Your PayPal account has been suspended due to suspicious activity. Please contact us immediately at 1-408-123-4567. It is imperative that we speak to you as soon as possible.”
If you call the number, you’re confirming you have a PayPal account, and the scammer will ask for your account information.
Scammers may also use a fake link instead of a phone number.
4. Fake voicemails. Fake voicemails, also known as vishing, are phishing attempts in which a scammer uses an automated system to make voice calls. Typically, the calls mention an “urgent account problem” and ask you to share account information to remedy it. An example of a vishing attempt is:
“This is PayPal calling about a possible fraudulent transaction on your account. Please enter your PIN now to hear the transaction details.”
When you enter your PIN, the scammer gets the key they need to access your account.
Never provide any account information unless you initiated the phone call. Caller IDs are also easily tricked, so don’t rely on them to verify the call is authentic.
How to protect yourself from phishing and spoofing.
If you think you’ve clicked a bad link, close out of it immediately, run an antivirus check, and then change your password and security questions. Remember, it’s important you run an antivirus check first because you might’ve gotten malware from clicking the link, and the malware can still pick up your new password.
Then, contact your bank or card issuer and explain the situation. Make sure to review your transaction history over the next few weeks to ensure there are no unauthorized transactions on your account, and if there are, report them immediately.
If you receive an email that you believe could be phishing, don’t respond in any way and also don’t click any links or open any attachments. Instead, simply forward the email to email@example.com. In order to investigate the email just as you received it, we ask that you don’t change the subject line or send the suspicious email as an attachment. After forwarding to us, delete the email from your account so that there’s no further threat to you.
How do you know when the communication you’ve received is actually from PayPal?
Be assured that we will never send a request for information via email. Instead, we direct account holders to log in to their account and visit the Resolution Center. You know you’re working on the real PayPal site when the URL is https://www.paypal.com.
In addition, to help prevent a cyber criminal from using phished information in a transaction with your business, the following tools are available through PayPal and other fraud management vendors:
- Address Verification Service (AVS). Use AVS to verify if the billing address matches the one the card issuer has on file.
- Card Security Code (CSC). The CSC is the three- or four-digit number located on the back of the card that confirms the customer has the card in their possession.
- Bank Identification Number (BIN). The first six numbers listed on a card are known as the BIN and identify the financial institution that issued the card.
- IP geolocation. IP geolocation pinpoints the location of the computer used for the transaction; checking the geolocation details against the billing and shipping address your customer provided can flag possibly fraudulent transactions.
No matter how vigilant you are, inevitably, you will let down your guard and be tempted to click an unsafe link. To help protect you while you browse (and take away some of the stress), there are several site safety rating tools[1] available.
We want to help keep your information secure, and alerting us to possible scam attempts helps protect the PayPal community.
You can also access additional information on online security here or by reviewing our FAQs at the bottom of this page.
[1] These products aren’t affiliated with PayPal and may require additional costs.
Frequently asked questions.
When you aren't sure if you can trust a communication claiming to be from PayPal, check to see if the message does any of the following:
- Uses impersonal, generic greetings, such as “Dear user” or “Dear [your email address].” Emails from PayPal will always address you by your first and last names or by your business name. We never say things like “Dear user” or “Hello PayPal member.”
- Asks you to click on links that take you to a fake website.
- Contains unknown attachments. Only open an attachment if you're sure it's legitimate and secure. Be particularly cautious of invoices from companies and contractors you're not familiar with. Some attachments contain viruses that install themselves when opened.
- Conveys a false sense of urgency. Phishing emails are often alarmist, warning you to update your account immediately. They're hoping you'll fall for their sense of urgency and ignore warning signs that the email is fake. If there’s an urgent need for you to complete something on your account, you can find this information by logging into PayPal.
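The red flags listed in sections 1 and 2 above and in this FAQ can be checked mechanically. The following is an added example, not PayPal's own code or tooling: it scores a message against those indicators (generic greeting, urgency, requests for sensitive data, non-https links, links whose hostname is not paypal.com), assuming, as this page states, that www.paypal.com is the genuine site, and running on two constructed sample messages.

```python
import re
from urllib.parse import urlparse

# Assumption: the page names only www.paypal.com as the genuine site, so
# paypal.com and its subdomains are treated as legitimate here.
LEGITIMATE_DOMAIN = "paypal.com"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
GENERIC_GREETING_RE = re.compile(r"\b(dear (user|customer|member)|hello paypal member)\b")
URGENCY_RE = re.compile(r"\b(immediately|urgent|suspended|as soon as possible)\b")
SENSITIVE_RE = re.compile(r"\b(password|pin|card number|bank account|social security)\b")

# Constructed sample messages (not real PayPal mail).
SAMPLE_PHISH = """Dear user,
Your PayPal account has been suspended due to suspicious activity.
Please confirm your password immediately at
http://paypal.com.account-verify.example/login
"""
SAMPLE_GENUINE = """Hello Jane Doe,
You have a new message. Log in at https://www.paypal.com/us to view it.
"""


def host_is_legitimate(url: str) -> bool:
    """True only if the link's hostname is paypal.com or a subdomain of it.
    A substring test ("paypal.com" in url) would wrongly accept
    paypal.com.account-verify.example, so the hostname is parsed instead.
    """
    host = (urlparse(url).hostname or "").lower()
    return host == LEGITIMATE_DOMAIN or host.endswith("." + LEGITIMATE_DOMAIN)


def phishing_indicators(message: str) -> list:
    """Return the red flags from the page that this message exhibits."""
    text = message.lower()
    flags = []
    if GENERIC_GREETING_RE.search(text):
        flags.append("generic greeting")
    if URGENCY_RE.search(text):
        flags.append("sense of urgency")
    if SENSITIVE_RE.search(text):
        flags.append("asks for sensitive information")
    for url in URL_RE.findall(message):
        if not url.lower().startswith("https://"):
            flags.append("non-https link: " + url)
        if not host_is_legitimate(url):
            flags.append("link to a different website: " + url)
    return flags
```

Calling `phishing_indicators(SAMPLE_PHISH)` reports all five indicators, while the constructed genuine notice produces none; the hostname check is the part a simple "does it mention paypal.com" test gets wrong.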
The following are common scams where fraudsters use spoofed emails. When in doubt, always log in to PayPal and view the Resolution Center for any notifications.
Many fraudsters send spoofed emails warning you that your account is about to be suspended. The email will ask you to enter your password in a (spoofed) webpage. We’ll only ask you to enter your password on our login page.
"You've received a payment."
Some fraudsters try to trick you into thinking you've received a payment for an order. They want what you're selling for free. Before you ship anything, log in to PayPal and check that you actually received a payment. We'll never ask you to share a tracking number by email. If you received a payment, you’ll always see it in your PayPal activity.
"You’ve been paid too much."
Fraudsters may try to convince you that they overpaid for an item. For example, they’ll send an email that says they’ve paid you 500.00 USD for a camera you listed at 300.00 USD. The sender asks you to ship the camera in addition to the extra 200.00 USD you were “paid” by mistake. The fraudster wants your camera AND your money but hasn’t actually paid you at all.
Before sending anything, log in to PayPal and check that you received a payment.
Reporting Suspicious Communication
Phishing emails often lead you to fake websites to steal your private, sensitive data. These websites could look unusual or they could appear genuine but have a suspicious URL.
- Don’t click on any links inside of the email or in the website, and don’t download any attachments.
- Don’t enter any information.
- Don’t change the subject line and don’t forward the message as an attachment.
- Forward the email and/or website to firstname.lastname@example.org.
- Delete the email from your inbox.
If you receive a text message with a link inviting you to visit a website:
- Don’t click on any links inside of the SMS text message.
- Screenshot the message.
- Make sure that the message shows the full telephone number.
- Email the screenshot to email@example.com.
If you receive a suspicious telephone call:
- Take a screenshot of your phone log showing the telephone number.
- Email the screenshot to firstname.lastname@example.org.
- Include details of the telephone call, including what the caller stated or asked from you.
When you send an email to email@example.com, you’ll receive an automatic email letting you know we received it.
Safeguarding Your Account
If you shared financial or personal information, or entered personal information on a fake website:
- Change your PayPal password and security questions immediately.
- Contact your bank and credit or debit card issuer and let them know what happened.
- Review your recent PayPal activity to make sure you authorized all the payments.
- Report any unauthorized payments in the Resolution Center. Remember, you’re 100% protected against unauthorized payments sent from your account.
You can also learn more about recognizing and preventing fraudulent activity here:
- https://www.paypal.com/us/webapps/mpp/security/suspicious-activity
- www.ic3.gov (Internet Crime Complaint Center)
- www.fraud.org (register a complaint and get fraud-prevention tips)
- http://phish-education.apwg.org/r/en/index.htm (Anti-Phishing Working Group)
- Local law enforcement
A strong password should have the following characteristics:
• More than 8 characters long.
• Includes lower case, upper case, a number, and a special character [like ~!@#$%^&*()_+=?><.,/].
• Not a word or date associated with you (like a pet’s name, family names, or birth dates).
• A combination of words with unusual capitalization, numbers, and special characters interspersed. Misspelled words are stronger because they are not in the dictionary used by attackers.
• Something you can remember.
How often should I change my password?
We recommend you change your password and security questions from time to time. There are a few cases where it's a good precaution, for example:
• You notice something suspicious on your PayPal account.
• You suspect that someone you don’t trust has your password.
• You notice something suspicious in your email account or other online accounts.
• You have recently removed malware from your system.
• PayPal asks you to change your password.
If one of these occurs, change your password, PIN, and security questions immediately. You can change these under personal settings.
If you receive an email asking you to change your password, it could be a case of phishing. Instead of clicking on a suspect link in an email, just log into your PayPal account by manually typing the URL. Click the Settings tab, and then Personal Info. You will find the password, security questions, and PIN (if you've set one up) on this page.
Information about validating your visitor's PayPal account.
Encrypted Website Payments
To make online payments more secure, you can make Encrypted Website Payment buttons that rely on standard public key encryption for protection.
PayPal offers a secure commerce Identity API that lets your customers sign in to your web site using their PayPal credentials.
Instant Payment Notification
Instant Payment Notification is a message service that automatically notifies merchants of events related to PayPal transactions.
Merchants, developers, and business solution providers use Invoicing APIs to automate the creation, delivery, tracking, and reconciliation of invoices with an integrated payments solution.
Accept PayPal, credit cards and other payment methods through mobile apps.
Name-Value Pair (NVP) API
Information and support on name value pairs and NVP SDKs.
PayPal Checkout gives your buyers a simplified and secure checkout experience that keeps them local to your website or mobile app throughout the payment process.
Payflow Pro is a high-performance, TCP/IP-based client-server solution. It includes a secure payment gateway that gives merchants total control over the payment process.
PayPal Sandbox Support
Information and support for users testing in the PayPal Sandbox environment.
PayPal Shopping Cart
The PayPal Shopping Cart system allows buyers to select multiple items on your website and pay for them with a single payment.
Permissions Service API
PayPal's permissions service enables you to request and obtain authorization to make API calls and take action on behalf of your customers.
The PayPal SOAP API is based on open standards known collectively as web services, which include the Simple Object Access Protocol (SOAP), Web Services Definition Language (WSDL), and the XML Schema Definition language (XSD).
Testing Your Apps in Sandbox
A guide for developers testing their apps in the PayPal Sandbox environment.
Information about PayPal's Virtual Terminal - a web-based application that processes credit and debit cards, replacing swipe machines.
Website Payments Pro
PayPal's Website Payments Pro is an API-based solution that enables merchants and developers to accept credit cards, debit cards, and PayPal payments directly on their website.
PayPal Payments Standard
PayPal Payments Standard lets you accept credit cards online easily and offers a streamlined checkout experience to customers using mobile devices.
Here are some definitions to help you understand the status of a payment you send:
- Pending: We’re reviewing the transaction. We’ll send your payment to the recipient after your payment source has been verified. Please review our additional Help Center articles if your order status is pending, or the payment you sent is pending but you'd like to cancel it.
- On hold: We’re holding the money temporarily because either you filed a dispute or we’re reviewing the transaction. Look for an email from us with more information about this transaction.
- Held: We’re reviewing the transaction and so your payment has been held. You should check the Resolution Center for more information.
- Temporary hold: Money from your account is being held temporarily during the authorization process. The recipient isn’t able to use or withdraw this money until the authorization is complete.
- Refunded: The recipient refunded your payment. If you used a credit card to make your payment, the money will be returned to your credit card. It can take up to 30 days for the refund to appear on your statement.
- Returned: Money was returned to your account because the recipient didn’t claim your payment within 30 days. PayPal members can manually reverse unclaimed payments before the 30-day automatic reversal.
- Denied: The recipient didn’t accept your payment, and the money was credited back to your account. View the transaction details to see why your payment was denied or contact the recipient for more information.
- Unclaimed: The recipient hasn’t accepted or received your payment. Unclaimed transactions are automatically canceled after 30 days.
- Completed: The transaction was successful and the money is in the recipient’s account.