Warning: Scammers Exploit PayPal “Subscriptions” Feature to Send Phishing Emails from Legitimate Domains

525/68 Tuesday, December 16, 2025

A new cyber fraud technique has been identified in which scammers abuse legitimate systems in a “Living off the Land” attack. In this case, attackers are exploiting PayPal’s Subscriptions feature to send phishing emails directly to victims. Because the emails are genuinely sent by PayPal from the legitimate address service@paypal[.]com, they pass spam filters and email authentication checks such as SPF and DKIM, so many recipients trust the messages as genuine PayPal notifications.

The scammers’ method involves creating a merchant account and using the “Pause subscription” function, which triggers PayPal’s automated notification system to send an email to the victim stating that “your automatic payment status has changed.” The key deception lies in the “Customer service URL” field, where the attackers insert misleading text claiming that a high-value purchase (such as a Sony TV, MacBook, or iPhone) totaling more than USD 1,300 has been charged. The message also includes a fake phone number, urging victims to call to cancel or dispute the transaction.
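Because these messages are authentic at the transport level, a defender cannot rely on SPF or DKIM failures to catch them; the signal is in the content, where a field that should hold a URL carries a purchase claim and a call-back number instead. The following detection script is an added example, not code from BleepingComputer, PayPal, or the original notice. It assumes the notification exposes the merchant-supplied value as a plain-text line beginning “Customer service URL:” (an assumption about the message layout), and both sample messages, including the 555 phone number, are constructed for illustration.

```python
"""Added example: flag PayPal notification e-mails that pass SPF/DKIM but carry
phone numbers, purchase claims or urgency wording where a customer-service URL
belongs. The message layout and sample values are assumptions, not PayPal's."""
import re
from email import message_from_string
from email.message import Message

# Constructed sample: authentication passes, but the "customer service" field
# holds free text with a dollar amount and a call-back number (555 = fictional).
SUSPICIOUS_EMAIL = """\
From: service@paypal.com
To: victim@example.com
Subject: Your automatic payment status has changed
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com
Content-Type: text/plain; charset=utf-8

Your automatic payment to Example Merchant has been paused.

Customer service URL: Purchase of MacBook Pro for USD 1,349.00 was charged. To cancel call 1-800-555-0100 immediately.
"""

# Constructed sample of a benign notification: same authentication result,
# but the customer-service field is an actual URL and nothing else.
BENIGN_EMAIL = """\
From: service@paypal.com
To: victim@example.com
Subject: Your automatic payment status has changed
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com
Content-Type: text/plain; charset=utf-8

Your automatic payment to Example Merchant has been paused.

Customer service URL: https://www.examplemerchant.test/support
"""

PHONE_RE = re.compile(r"(?:\+?1[\s-])?\(?\d{3}\)?[\s-]?\d{3}[\s-]?\d{4}")
AMOUNT_RE = re.compile(r"(?:USD|\$)\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?")
URGENCY_RE = re.compile(r"\b(immediately|urgent|within 24 hours|call (?:us|now))\b", re.I)
# Assumed layout: the merchant-supplied field appears as its own body line.
CS_FIELD_RE = re.compile(r"^Customer service URL:\s*(.*)$", re.I | re.M)
URL_ONLY_RE = re.compile(r"^https?://\S+$")


def _passes_auth(msg: Message) -> bool:
    """True when the receiving MTA recorded spf=pass and dkim=pass."""
    results = " ".join(msg.get_all("Authentication-Results", []))
    return "spf=pass" in results and "dkim=pass" in results


def _body_text(msg: Message) -> str:
    """Collect the text/plain body, handling both single-part and multipart mail."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode("utf-8", "replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(parts)
    return msg.get_payload(decode=True).decode("utf-8", "replace")


def analyse(raw: str) -> dict:
    """Return authentication status plus content findings for one raw message."""
    msg = message_from_string(raw)
    body = _body_text(msg)
    findings = []

    cs_match = CS_FIELD_RE.search(body)
    cs_value = cs_match.group(1).strip() if cs_match else ""
    if cs_value and not URL_ONLY_RE.match(cs_value):
        findings.append("customer-service field is not a URL")
    if PHONE_RE.search(body):
        findings.append("phone number in body")
    if AMOUNT_RE.search(body):
        findings.append("currency amount in body")
    if URGENCY_RE.search(body):
        findings.append("urgency wording")

    return {
        "from": msg.get("From", ""),
        "authenticated": _passes_auth(msg),
        "findings": findings,
        # A passing SPF/DKIM result is expected for this abuse; two or more
        # content findings are what justify quarantining or alerting.
        "suspicious": len(findings) >= 2,
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyse(raw))
```

The threshold of two findings is deliberate: a legitimate merchant may put a support number in the field, but a number combined with a purchase claim or urgency wording, in a message whose only expected link is a URL, is the pattern described above. The script is a mail-gateway or SOAR-rule sketch, not a replacement for the user advice in the notice.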

The goal of this attack is to induce panic and trick victims into calling the fraudulent call center number, which then leads to vishing (voice phishing) attempts or instructions to install malware on the victim’s computer. Users who receive such PayPal emails are strongly advised to verify the information only by logging directly into their PayPal account via the official website or mobile app, and never to call phone numbers provided in the email. PayPal has acknowledged the issue and is reportedly working on mitigations to prevent further abuse of this feature.

Source: https://www.bleepingcomputer.com/news/security/beware-paypal-subscriptions-abused-to-send-fake-purchase-emails/