A widespread phishing scam is exploiting PayPal’s “new address” feature to send fraudulent purchase notifications to users, tricking them into granting remote access to scammers.
The scam involves adding a fake address to a PayPal account, along with a fabricated purchase confirmation message, which triggers a legitimate PayPal email notification to the account holder.
The email, sent directly from PayPal, includes a fake purchase confirmation for a high-value item, such as a MacBook, and instructs the recipient to call a provided phone number if the purchase was unauthorized.
When victims call the number, scammers pose as PayPal support and convince them to download remote access software, such as ConnectWise ScreenConnect, allowing the scammers to take control of their computers.
The scammers then attempt to steal money, deploy malware, or steal sensitive data.
This scam is made possible by PayPal’s lack of character limits in address form fields, allowing scammers to inject their fraudulent messages. PayPal needs to implement character limits to prevent this abuse. Users are advised to ignore these emails and verify any account changes directly through the PayPal website.