What Is the PayPal Invoice Scam and How to Avoid It

PayPal is an online payment system that enables secure transactions without sharing credit card numbers or bank information with third-party vendors. After you link your bank account and/or card information with a registered PayPal account, you can make purchases with the plethora of vendors who accept PayPal.

While PayPal makes online shopping convenient, the popular payment system is ripe with bad actors and scammers. These cybercriminals abuse PayPal's invoicing feature to trick victims into giving up money, sensitive information, or even remote access to their devices.

Learn how to identify the PayPal invoice scam, what to do if you’ve been scammed, and how identity theft protection services can help safeguard your digital data.

What is the PayPal invoice scam?

The PayPal invoice scam is a basic money request scam combined with clever phishing tactics. Cybercriminals use the payment system’s invoicing tool to send victims fake invoices for large purchases. When the invoices are sent, PayPal sends an official notification email to the recipient.

These official emails make the otherwise fake invoices appear legitimate from the victim’s perspective. The scammers include an official-looking message in the “seller note to customer” section of the fake invoice, encouraging the victim to call a fake customer service line to prevent the charges from being processed.

If the victim calls this line, the scammers attempt to fool the victim into paying the invoice or giving up personally identifiable information (PII), including financial data, such as PayPal account, credit card, or bank information. In some cases, the criminals ask victims to install software they claim will help with the recovery process. Instead, this software records the victim’s keystrokes or gives the criminals remote access to the victim’s computer.

This PayPal scam effectively takes advantage of the fact that anyone can send another PayPal user an invoice at any time. It also benefits from PayPal’s automatic email notification system to make the request seem official.

Is PayPal safe to use?

PayPal takes several measures to protect its user base:

• PayPal never shares complete financial information with sellers.
• PayPal monitors transactions 24/7.
• PayPal implements encryption technology that protects sensitive user information from being viewed if a system breach occurs.
• PayPal Purchase Protection covers sales and purchases made on PayPal.
• A support and refund system is in place to dispute unauthorized transactions and malicious behavior.

Despite these measures, the PayPal invoice scam and a data breach at the end of 2022 prove that PayPal isn’t a risk-free service. In the 2022 incident, PayPal was not hacked in the traditional sense — meaning its security measures were not breached. Hackers first accessed large swaths of user login information leaked to the dark web through previous hacks at other companies. The cybercriminals then applied this login information to PayPal en masse and gained access to around 35,000 accounts.

Known as a credential stuffing attack, this hack exploits the tendency of users to reuse credentials like usernames and passwords across multiple online services. This incident highlights the importance of using digital security software and following online safety best practices. PayPal can set up and maintain industry-standard security measures all it wants, but it can’t make up for cybersecurity no-nos like reusing login credentials. Remember that cybercriminals operate on digital payment services like PayPal, Venmo, Cash App, and Zelle to exploit such practices.

How do you know if a seller is legit on PayPal?

For starters, stick to sellers who have verified statuses. Parties with the verified status have gone through additional steps to confirm they own the financial accounts linked to their PayPal account.

While the verification process is meant to increase trust between users, it’s still possible for verified users to be scammers. You should approach every transaction cautiously and skeptically. Watch out for sellers who ask for any personal information, ask you to pay with an alternative means (with Venmo, for instance), or behave in any unusual way. Beware of deals that seem too good to be true and transactions with a sense of urgency, such as limited-time deals.

When vetting a potential seller, trust your gut and apply common sense as best you can. Scammers often try to play on your emotions, so keeping a level head is important. There's nothing wrong with walking away if something feels off about a transaction.

How to boost your cybersecurity on PayPal

It’s easy to get intimidated by the threats that lurk on services like PayPal, but knowing what you’re up against is a huge part of staying safe while using payment apps. Turn cybersecurity best practices into habits to prevent identity theft and protect your wallet.

Only deal with verified accounts

As explained above, verified accounts have confirmed with PayPal that they own the financials linked to their PayPal account. Verified account holders can still technically be scammers, so you should be cautious.

Think critically, scrutinize, and trust your instinct

Scammers are always devising new methods of defrauding people of money or sensitive information. Unfortunately, new scams usually claim many victims before they’re widely known and shared throughout the online community. Always be on your guard when dealing with anyone on PayPal, especially when receiving unsolicited communications or money requests. Never send money to a seller you don't recognize.

Never pay for transactions outside of PayPal

PayPal offers Seller and Buyer Protection for transactions that are completed on PayPal. If you pay for your transaction outside of PayPal, your transaction is no longer covered. Scammers know this and often try to convince you to pay outside of PayPal, like through another payment app. Avoid any seller who attempts this trick.

Don’t click suspicious links or attachments

Cybercriminals often hide malicious links and attachments in phishing emails, and they convince you to click them by posing as PayPal. Don’t click links or download attachments in emails, direct messages, text messages, or other means. Links and attachments may contain malware. Once on your device, the malware may enable scammers to access your private data. If any link claims to bring you to an official website or application, search for that site directly instead.

Only use official phone lines for help

Many PayPal phishing scams will suggest a bogus customer service phone line to “fix” a problem the sender has manufactured. Often, the bogus number is left in the “seller note to customer” section of an invoice. These scams have gotten so good that it’s difficult to tell if they officially come from PayPal. To be safe, ignore any phone lines listed in an invoice's “seller note to customer” section. Always go to the official PayPal website to find the customer service lines.

Never give away sensitive personal information

Avoid any party who asks for personally identifiable information like your email address, phone number, street address, or Social Security number, as well as financial data like bank or credit card information. PayPal gives both parties everything they need to successfully buy and sell without the need for additional personal details. Anyone asking for this type of information is most likely a scammer.

As with all online financial transactions, always do your due diligence to avoid marketplace scams.

Use strong, varied passwords

Best password practices can be challenging to maintain, but they are worth the trouble. Create strong passwords and never reuse them across websites or apps. Password managers can create, store, and manage passwords for you, so you don’t have to remember dozens of unique passwords.

Enable two-factor authentication (2FA)

Two-factor authentication (2FA) takes a few minutes to set up, and its extra security is well worth the time. 2FA prevents hackers from accessing your account and notifies you if someone is trying to access your account. When this happens, it’s time to change your login credentials.

Don’t pay suspicious invoices/money requests

Money request schemes involve sending mass numbers of fake invoices to PayPal users in hopes that some of them pay. If you receive a suspicious invoice, don’t pay, and be sure to report the activity to PayPal.

Report suspicious invoices/money requests

• To report the activity on a web browser:

Select the money request/invoice on your Dashboard > click Report this invoice.

Then complete the steps provided to confirm.

• To report the activity on the PayPal app:

Select Payments > select Bills > select the invoice/money request > select Report this invoice > select Report invoice.

Beware a false sense of urgency

A common tactic across many types of scams is creating a false sense of urgency to increase pressure on victims. Cybercriminals hope these tactics force otherwise level-headed users to make decisions emotionally instead of rationally. If you detect urgent messaging from a seller, proceed cautiously.

Invest in identity theft services

Identity theft can cause immeasurable damage to a person's life. Unfortunately, the more we link our lives to online systems like PayPal, the more we expose ourselves to fraud. Depending on your vulnerability level, investing in an identity theft protection service may be worthwhile. At the very least, consider these best practices for identity theft protection.

3 best identity theft protection services

What to do if someone scams you on PayPal

If you suspect you’ve been involved in a PayPal scam, the first thing you should do is change your password and update your security questions as quickly as possible. Doing so prevents hackers from gaining further entry. You will then need to report the activity to PayPal. Depending on the type of scam/unauthorized activity, you might need to take different steps.

Report unauthorized account activity or transactions

• Report on the app:

Navigate to the Resolution Center > click Report a problem > choose the payment in question and select Continue > select I want to report unauthorized activity.

Complete the instructions that follow.

• Report in a web browser:

Select Wallet > select Activity > select the payment in question > select Report a Problem > choose the reason for the report and complete the instructions that follow.

Report suspicious emails

If you receive emails you believe to be suspicious and/or phishing attempts, don’t hesitate to report them directly to PayPal. Do not copy and paste the email. Instead, forward it to phishing@paypal.com.

If you interact with the scam email, be sure to change your account password and update your security questions. Consider running a full system scan with your antivirus software to detect any malicious files.

Lock (or unlock) your PayPal Debit Card

If your PayPal Debit Card is lost or stolen, follow these steps on the PayPal app:

Tap Wallet > select your PayPal Debit Card > select Manage > tap the toggle button next to Lock Card to lock and unlock your card.

Report lost, stolen, or damaged PayPal Debit Card

• Report on the app:

Select Wallet > tap your PayPal Debit Card > select Report your card lost or stolen.

• Report in web browser:

Navigate to your dashboard and select PayPal Debit Card > select Manage Card > select Replace lost, stolen, or damaged card.

Open a dispute with a seller

You may want to open a dispute with a seller for many reasons. Maybe your items didn’t arrive as advertised or not at all, or you suspect the seller to be a scammer. Here are the steps to opening a dispute.

• Open a dispute on the app:

Navigate to Recent activity and select the transaction in question > scroll to the bottom and select Report a Problem > select the type of issue you have and include any relevant details > tap Submit.

• Open a dispute in a web browser:

Navigate to the Resolution Center and select Report a Problem > select the payment/transaction in question and click Continue > select a reason for your dispute and click Continue.

Once your dispute is open, you may communicate with the other party to resolve the issue. If you cannot resolve the issue, you can escalate the dispute to a claim. When escalating a dispute, PayPal requires that at least seven days have passed since the original payment date.

Escalating a dispute to a claim puts PayPal in charge of the investigation and the final decision of the claim. Disputes automatically close after 20 days unless they have been escalated, and closed disputes can no longer be escalated to claims.

PayPal invoice scam FAQs

Bottom line

The PayPal invoice phishing scam is an unfortunate reminder that scammers are always coming up with new and inventive ways to deceive honest people. Furthermore, corporate entities like PayPal can only do so much to keep their users safe. Be proactive in the fight against cybercriminals, Protect your sensitive data and identity by practicing cybersecurity best practices, and consider investing in identity theft protection services.

Always remember that anyone using PayPal can send another user an invoice. When an invoice is sent, PayPal sends a notification email for that invoice. Scammers have been and are still exploiting this interaction to craft fake invoices legitimately sent by PayPal’s official email address. If you receive any email containing an unwarranted invoice for transactions that never occurred, report it by forwarding the email to phishing@paypal.com.