PayPal Users Targeted in Sophisticated Account Profile Scam

A new wave of phishing attacks is targeting PayPal users with emails that appear highly convincing, urging recipients to “set up your account profile.” Despite looking legitimate at first glance, this campaign is designed to trick users into giving scammers access to their PayPal accounts.

How the Scam Works

The phishing emails appear to come from service@paypal.com or service@paypal.co.uk. Although the sender address looks authentic, attackers are using email spoofing, a technique that forges the visible "From" address so the message seems legitimate. Because many receiving mail systems do not strictly enforce sender authentication (SPF, DKIM and DMARC checks on the claimed domain), a spoofed address can pass basic detection and land in the inbox.

Another giveaway is the recipient address, which often looks unusual. Instead of being personalized, the emails are sent through bulk distribution lists created with compromised or test domains (e.g., @something.test-google-a.com). This setup allows scammers to send phishing campaigns at scale while concealing their true intent.

The email’s subject line and body also raise multiple red flags. The subject claims the user needs to set up a profile, but the content references a fraudulent $910.45 charge at Kraken.com and provides a phone number already flagged by the Better Business Bureau as linked to scams. The email also:

  • Creates urgency by stating the link expires in 24 hours
  • Mentions a large amount of money to grab attention
  • References a crypto wallet, playing on the lack of familiarity many users have with cryptocurrency
  • Fails to address the recipient by full name, instead using generic greetings or none at all

While the email layout mimics a real PayPal message, these inconsistencies clearly identify it as a phishing attempt.
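The red flags listed above can be checked mechanically before a human ever reads the message. The following script is an added example written for this page, not code from the original post or from PayPal or Malwarebytes. It parses a raw email with Python's standard `email` library and reports the signals discussed above: sender authentication verdicts from the Authentication-Results header, a Return-Path domain that differs from the displayed From domain, a recipient list that does not include the mailbox owner, urgency phrases, a large dollar amount, an embedded phone number, a generic greeting, and links whose destination is a genuine domain but whose action still has to be verified by logging in directly. The sample message, its header values, the `.invalid` bounce domain, the `555` phone number and the placeholder link path are all constructed for the example and are not taken from the campaign.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases and greetings that the article identifies as social-engineering cues.
URGENCY_PHRASES = ("24 hours", "expires", "immediately", "suspended", "act now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "hello,", "hi,")

# Constructed sample that mirrors the campaign's shape; every value is made up.
SAMPLE_EMAIL = """\
From: "PayPal" <service@paypal.com>
To: <undisclosed-list@something.test-google-a.com>
Return-Path: <bounce@bulk-sender.invalid>
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=bulk-sender.invalid;
 dkim=none;
 dmarc=fail header.from=paypal.com
Subject: Set up your account profile
Content-Type: text/plain; charset="utf-8"

Dear Customer,

A charge of $910.45 at Kraken.com was made from your account.
If you did not authorize it, call 1-555-010-0199 immediately.
This link expires in 24 hours:
https://www.paypal.com/EXAMPLE-PATH-NOT-FROM-ARTICLE
"""


def _domain(addr):
    """Return the lower-cased domain of an address header value, or '' if none."""
    _, email_addr = parseaddr(str(addr or ""))
    return email_addr.rpartition("@")[2].lower()


def _auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def triage(raw_message, owner_address):
    """Return a list of (rule, detail) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=default)
    findings = []

    # 1. Spoofed From: the claimed domain must pass DMARC at the receiving MTA.
    from_domain = _domain(msg["From"])
    auth = _auth_results(msg)
    if auth.get("dmarc") != "pass":
        findings.append(("auth_failed", f"DMARC for {from_domain}: {auth.get('dmarc', 'missing')}"))

    # 2. Envelope sender (Return-Path) that does not match the displayed From.
    rp_domain = _domain(msg["Return-Path"])
    if rp_domain and rp_domain != from_domain:
        findings.append(("envelope_mismatch", f"Return-Path {rp_domain} != From {from_domain}"))

    # 3. Bulk distribution: the owner's own address is absent from To.
    to_header = msg["To"]
    recipients = [a.addr_spec.lower() for a in to_header.addresses] if to_header else []
    if owner_address.lower() not in recipients:
        findings.append(("not_addressed_to_owner", ", ".join(recipients) or "(empty)"))

    # 4. Body heuristics: urgency, money lure, phone number, generic greeting.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    lowered = body.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    for amount in re.findall(r"\$\d[\d,]*(?:\.\d{2})?", body):
        findings.append(("money_lure", amount))
    for phone in re.findall(r"\+?\d[\d\s().-]{8,}\d", body):
        findings.append(("phone_number", f"{phone.strip()} (verify independently)"))
    first_line = next((l.strip().lower() for l in body.splitlines() if l.strip()), "")
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        findings.append(("generic_greeting", first_line))

    # 5. Links: a genuine destination domain is not proof the action is benign.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if host == "paypal.com" or host.endswith(".paypal.com"):
            findings.append(("link_to_legitimate_domain", f"{url}: log in directly to verify"))
        else:
            findings.append(("link_to_other_domain", host))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EMAIL, "victim@example.org"):
        print(f"{rule:28s} {detail}")
```

Running the script against the constructed sample prints one line per finding. In practice the Authentication-Results header is only trustworthy when it was written by your own receiving mail server, so a deployment should strip any copy of that header that arrives from outside before applying the DMARC check.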

A More Sophisticated Twist

The most concerning element of this scam is the malicious link. Instead of pointing to a fake site, the button actually directs users to PayPal.com. However, instead of resolving an issue, the link initiates the process of adding a secondary user to the PayPal account. Once added, this secondary user could initiate payments, effectively allowing scammers to drain the victim’s funds.

With over 434 million active PayPal users worldwide, attackers have a massive pool of potential targets. Many phishing groups enhance their campaigns by purchasing or stealing databases of email addresses linked to PayPal, ensuring their scams are more precise and effective.

How to Protect Yourself

This campaign has reportedly been active for at least a month. To reduce the risk of falling victim:

  • Watch for the red flags described above
  • Research any unfamiliar phone numbers or email addresses to check for scam reports
  • Always log in directly through PayPal.com to verify alerts or account activity
  • Enable two-factor authentication (2FA) to add an extra security layer
  • Forward suspicious emails to phishing@paypal.com and then delete them immediately

Final Thoughts

This phishing campaign highlights how cybercriminals are refining their techniques by blending authentic branding with malicious intent. By exploiting legitimate platforms and creating urgency, scammers are making their attacks harder to detect. Users must remain vigilant and adopt strong security practices to safeguard their accounts.

Source: https://www.malwarebytes.com/blog/news/2025/09/paypal-users-targeted-in-account-profile-scam