Account Profile Scam Targets PayPal Users

Researchers have discovered a sophisticated phishing campaign targeting PayPal users. This scam utilizes a convincing subject line of “Set up your account profile,” prompting users to read the email for further information. Upon further inspection, the sender address appears legitimate — because it is. However, malicious actors have spoofed the email address by leveraging software or programs that enable them to present the sender address as any address they want. 

While the email subject line expresses an intention to set up an account profile, the content of the email does not. Instead, it claims to have detected a new payment of a large amount (approximately $1,000) and instructs the user to call a listed phone number to dispute it. According to the researchers, the Better Business Bureau has linked this phone number to known scams. The email also includes a link prompting the user to finish setting up their account, which is stated to expire in 24 hours. By clicking this link, the target starts the process of adding a secondary user to their account, granting the malicious actor the ability to access the finances in the account. 

Malicious actors send these emails to a distribution list rather than an individual, aiming to compromise targets in bulk. 

Ensar Seker, CISO at SOCRadar, comments, “At first glance, it may appear like just another scam, but it highlights a growing sophistication in how attackers weaponize trust, familiarity, and urgency. What stands out in this case is the use of email spoofing combined with psychological pressure, a classic one-two punch. Spoofing the sender address to mimic PayPal adds a false sense of legitimacy, while the alarming message about a nearly $1,000 unauthorized charge triggers panic. This kind of emotional manipulation is exactly what makes phishing so effective: it hijacks the victim’s instinct to act before thinking. The attackers also cleverly obscure their tracks by using odd recipient addresses and distribution lists, likely to bypass simple recipient verification and to cast a wider net. That detail alone suggests this wasn’t a one-off email but a scaled campaign, which raises the stakes for detection and response.

“From a technical standpoint, these types of threats bypass many traditional security controls, especially if there’s insufficient email authentication in place, such as lacking proper SPF, DKIM, and DMARC configurations. Organizations must ensure those protocols are correctly implemented to prevent spoofed emails from ever landing in inboxes.

“On the user side, education remains vital. Even though the visual layout of the phishing email imitates PayPal’s design, a trained eye can spot the inconsistencies. But let’s be clear, users shouldn’t have to carry the burden of being the final line of defense. We need to build systems that assume attackers will get through and are resilient enough to stop damage downstream. We also need to treat email security as part of a broader threat intelligence operation. That’s why real-time visibility into spoofed domains, impersonation attempts, and phishing infrastructure is essential, not just for defense, but for proactive disruption.”
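The SPF and DMARC review the quote calls for, as an added example that is not from the article or from SOCRadar: it audits a domain's published records for the settings that let a spoofed "From:" address reach inboxes. The records and domain names below are constructed placeholders, not PayPal's real records.

```python
import re

# Constructed sample records (placeholder domains, not real PayPal records):
# a weak configuration that still lets spoofed mail through, and a hardened one.
WEAK = {
    "spf": "v=spf1 include:_spf.example.net ?all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.example.net -all",
    "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
}


def parse_dmarc(record):
    """Parse a 'tag=value; tag=value' DMARC TXT record into a dict.

    Returns {} when the record is not a DMARC record at all."""
    tags = {k: v.strip() for k, v in re.findall(r"([a-z]+)\s*=\s*([^;]*)", record)}
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def audit(spf, dmarc):
    """Return the findings that explain why mail forging the domain in the
    visible From: header could still be delivered to recipients."""
    findings = []
    # SPF only authorises sending hosts; it does not check the From: header.
    if not spf.startswith("v=spf1"):
        findings.append("no SPF record")
    elif not spf.rstrip().endswith("-all"):
        findings.append("SPF does not hard-fail unlisted senders (expected -all)")
    # DMARC is what ties SPF/DKIM results to the From: domain and sets the
    # action; without p=quarantine or p=reject, spoofed mail is only reported.
    tags = parse_dmarc(dmarc)
    if not tags:
        findings.append("no DMARC record")
    else:
        policy = tags.get("p", "none")
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC policy p={policy} only monitors; spoofed mail is still delivered")
        if int(tags.get("pct", "100")) < 100:
            findings.append("DMARC pct below 100 applies the policy to only part of the mail")
    return findings


if __name__ == "__main__":
    print("weak:", audit(**WEAK))          # two findings
    print("hardened:", audit(**HARDENED))  # no findings
```

DKIM signing is configured on the mail servers rather than in a single TXT record, so it is not covered here; a domain with p=reject still needs valid DKIM or SPF alignment for its legitimate mail to pass.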