Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

PayPal Subscriptions fake purchase email scam campaign

Campaign
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

The PayPal Subscriptions email scam is abusing legitimate PayPal mail to deliver fake purchase notifications, increasing the chance that messages evade filtering and reach recipients. The operation uses a fraudulent support number and scare tactics to push people into calling about a supposed charge. It has been active over the past couple of months, suggesting a continuing phishing and social-engineering effort rather than an isolated message. The delivery method matters because the emails can appear to come from [email protected] and pass DKIM/SPF checks.

Related Happenings

Apple account change notification phishing campaign

Campaign
First: 19.04.2026 19:03 Last: 19.04.2026 19:03 Sources 1

About this happening: A **callback phishing campaign** is abusing **Apple account change notifications** to deliver fake **iPhone purchase** scams through legitimate emails, making the lure look authen...

Open Happening

Phishing-led RMM abuse campaign using fake PayPal alerts

Campaign
First: 14.01.2026 18:00 Last: 14.01.2026 18:00 Sources 1

About this happening: A **phishing-led intrusion campaign** is abusing legitimate **RMM tools** to move from personal accounts into corporate environments, creating stealthy remote access and persisten...

Open Happening

Smishing Triad Lighthouse SMS phishing campaign targeting mobile users

Campaign
First: 13.11.2025 16:47 Last: 13.11.2025 16:47 Sources 1

About this happening: The **Smishing Triad** is running a **large-scale SMS phishing campaign** through **Lighthouse**, using trusted-brand impersonation to reach **millions of text messages** and more...

Latest development: 14.11.2025 11:45

Google said Lighthouse, the phishing-as-a-service kit linked to the Smishing Triad, was used to launch 32,094 distinct US Postal Service (USPS) phishing websites from July 2023 through October 2024, and that at least 116 templates featured Google logos or branding while the operation targeted over one million people in over 121 countries.

Open Happening

ParkMobile SMS phishing campaign targeting customers

Campaign
First: 05.10.2025 15:16 Last: 05.10.2025 15:16 Sources 1

About this happening: A **ParkMobile** smishing campaign is actively targeting the company's **customer base** this week, pushing recipients toward **phony payment links** that could enable fraud or cr...

Open Happening

ICloud Calendar callback phishing campaign

Campaign
First: 07.09.2025 20:10 Last: 07.09.2025 20:10 Sources 1

About this happening: A **callback phishing campaign** is abusing **iCloud Calendar** and **Apple's email servers** to send fake purchase-notification emails that are more likely to **bypass spam filte...

Open Happening

Timeline

  1. 14.12.2025 18:06 1 articles · 5mo ago

    PayPal scam email observed with fake purchase notice

    Exploitation Observed

    A scam email used PayPal's Subscriptions workflow to send a legitimate message from [email protected] that embedded fake purchase text in the Customer service URL field, including a claimed payment of $1346.99 and a fraudulent support number, while the headers showed DKIM and SPF pass and delivery from mx15.slc.paypal.com on Fri, 28 Nov 2025 09:14:49 -0800 (PST).

    Show sources
    Open in new tab
  2. 14.12.2025 18:06 2 articles · 5mo ago

    PayPal Subscriptions scam described as ongoing phishing

    Initial Disclosure

    Recipients reported over the past couple of months receiving PayPal messages stating 'Your automatic payment is no longer active' that inserted fake purchase notices for devices such as a Sony device, MacBook, or iPhone, using the trusted [email protected] sender to bypass spam filters and push targets toward the scammer's +1-805-500-6377 support number.

    Show sources
    Open in new tab