What Is the PayPal Invoice Scam and How To Avoid It

Learn the ins and outs of the PayPal invoice scam, how to stay safe when using PayPal, and what to do if you think you’ve been scammed.

While PayPal makes online shopping convenient, the popular payment system is rife with bad actors and scammers. These cybercriminals abuse PayPal's invoicing feature to trick victims into giving up money, sensitive information, or even remote access to their devices.

Learn how to identify the PayPal invoice scam, what to do if you’ve been scammed, and how identity theft protection services can help safeguard your digital data.

What is the PayPal invoice scam?

The PayPal invoice scam is a basic money request scam combined with clever phishing tactics. Cybercriminals use the payment system’s invoicing tool to send victims fake invoices for large purchases. When the invoices are sent, PayPal sends an official notification email to the recipient.

These official emails make the otherwise fake invoices appear legitimate from the victim’s perspective. The scammers include an official-looking message in the “seller note to customer” section of the fake invoice, encouraging the victim to call a fake customer service line to prevent the charges from being processed.

If the victim calls this line, the scammers attempt to fool the victim into paying the invoice or giving up personally identifiable information (PII), including financial data, such as PayPal account, credit card, or bank information. 

In some cases, the criminals ask victims to install software they claim will help with the recovery process. Instead, this software records the victim’s keystrokes or gives the criminals remote access to the victim’s computer.

This PayPal scam effectively takes advantage of the fact that anyone can send another PayPal user an invoice at any time. It also benefits from PayPal’s automatic email notification system to make the request seem official.
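
For anyone triaging reported invoice emails, the traits described above (a phone number in the "seller note to customer" text, wording that pushes a call, and a note that speaks in PayPal's name) can be scored with a short heuristic. This is an added example, not PayPal's or the author's code; it assumes the note text has already been extracted from the invoice, and the function name, word lists, weights, and sample notes are all constructed for illustration.

```python
import re

# Phone-like runs: optional country code, then 3-3-4 digits with common separators.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?\d{1,3}[\s.\-]?)?\(?\d{3}\)?[\s.\-]?\d{3}[\s.\-]?\d{4}(?!\d)"
)
# Wording that steers the reader to a phone call (assumed list; tune on real mail).
CALLBACK_RE = re.compile(
    r"\b(call|contact|helpline|help desk|support|customer service|toll[- ]free)\b"
)
# Pressure wording about a charge the reader supposedly has to stop.
URGENCY_RE = re.compile(
    r"\b(immediately|urgent|within \d+ hours?|unauthori[sz]ed|"
    r"did not authori[sz]e|cancel|suspended)\b"
)

def score_seller_note(note: str) -> dict:
    """Score the free-text seller note of an invoice for callback-scam traits."""
    text = " ".join(note.lower().split())  # fold case and whitespace
    phones = [m.group(0) for m in PHONE_RE.finditer(text)]
    callback = sorted(set(CALLBACK_RE.findall(text)))
    urgency = sorted(set(URGENCY_RE.findall(text)))
    claims_paypal = "paypal" in text  # the note speaks in PayPal's name
    score = 0
    if phones:
        score += 3  # any phone number in the note is the core indicator
        if callback:
            score += 2  # and the note tells the reader to use it
    if urgency:
        score += 1
    if claims_paypal:
        score += 1
    if score >= 5:
        verdict = "likely callback scam"
    elif score >= 3:
        verdict = "review"
    else:
        verdict = "no indicator"
    return {"phones": phones, "callback": callback, "urgency": urgency,
            "claims_paypal": claims_paypal, "score": score, "verdict": verdict}

# Constructed sample notes (not taken from real invoices).
SCAM_NOTE = ("Your PayPal account has been charged $499.99. If you did not "
             "authorize this, call our support team immediately at "
             "+1 (888) 555-0100 to cancel.")
SELLER_NOTE = "Questions about this invoice? Reach Maple Street Pottery at 202-555-0142."
PLAIN_NOTE = "Thanks for your order of 2 ceramic mugs. Invoice 10482 is due on receipt."

if __name__ == "__main__":
    for note in (SCAM_NOTE, SELLER_NOTE, PLAIN_NOTE):
        print(score_seller_note(note)["verdict"], "-", note[:40])
```

A note that only carries a seller's phone number lands in "review" rather than being flagged outright, since legitimate sellers sometimes include one.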

Is PayPal safe to use?

PayPal takes several measures to protect its user base:

  • PayPal never shares complete financial information with sellers.
  • PayPal monitors transactions 24/7.
  • PayPal implements encryption technology that protects sensitive user information from being viewed if a system breach occurs.
  • PayPal Purchase Protection covers sales and purchases made on PayPal.
  • A support and refund system is in place to dispute unauthorized transactions and malicious behavior.

Despite these measures, the PayPal invoice scam and a data breach at the end of 2022 prove that PayPal isn’t a risk-free service.[1] In the 2022 incident, PayPal was not hacked in the traditional sense — meaning its security measures were not breached. 

Hackers first accessed large swaths of user login information leaked to the dark web through previous hacks at other companies. The cybercriminals then applied this login information to PayPal en masse and gained access to around 35,000 accounts.

Known as a credential stuffing attack, this hack exploits the tendency of users to reuse credentials like usernames and passwords across multiple online services. This incident highlights the importance of using digital security software and following online safety best practices.

PayPal can set up and maintain industry-standard security measures all it wants, but it can’t make up for cybersecurity no-nos like reusing login credentials. Remember that cybercriminals operate on digital payment services like PayPal, Venmo, Cash App, and Zelle to exploit such practices.

How do you know if a seller is legit on PayPal?

For starters, stick to sellers who have verified statuses. Parties with the verified status have gone through additional steps to confirm they own the financial accounts linked to their PayPal account.

While the verification process is meant to increase trust between users, it’s still possible for verified users to be scammers. You should approach every transaction cautiously and skeptically. Watch out for sellers who ask for any personal information, ask you to pay with an alternative means (with Venmo, for instance), or behave in any unusual way. 

Beware of deals that seem too good to be true and transactions with a sense of urgency, such as limited-time deals.

When vetting a potential seller, trust your gut and apply common sense as best you can. Scammers often try to play on your emotions, so keeping a level head is important. There's nothing wrong with walking away if something feels off about a transaction.

How to boost your cybersecurity on PayPal

It’s easy to get intimidated by the threats that lurk on services like PayPal, but knowing what you’re up against is a huge part of staying safe while using payment apps. Turn cybersecurity best practices into habits to prevent identity theft and protect your wallet.

Only deal with verified accounts

As explained above, verified accounts have confirmed with PayPal that they own the financials linked to their PayPal account. Verified account holders can still technically be scammers, so you should be cautious.

Scrutinize and trust your instinct

Scammers are always devising new methods of defrauding people of money or sensitive information. Unfortunately, new scams usually claim many victims before they’re widely known and shared throughout the online community. 

Always be on your guard when dealing with anyone on PayPal, especially when receiving unsolicited communications or money requests. Never send money to a seller you don't recognize.

Never pay for transactions outside of PayPal

PayPal offers Seller and Buyer Protection for transactions that are completed on PayPal. If you pay for your transaction outside of PayPal, your transaction is no longer covered. Scammers know this and often try to convince you to pay outside of PayPal, like through another payment app. 

Avoid any seller who attempts this trick.

Don’t click suspicious links or attachments

Cybercriminals often hide malicious links and attachments in phishing emails, and they convince you to click them by posing as PayPal. Don’t click links or download attachments that arrive by email, direct message, text message, or any other channel.

Links and attachments may contain malware. Once on your device, the malware may enable scammers to access your private data. If any link claims to bring you to an official website or application, search for that site directly instead.

Only use official phone lines for help

Many PayPal phishing scams will suggest a bogus customer service phone line to “fix” a problem the sender has manufactured. Often, the bogus number is left in the “seller note to customer” section of an invoice. These scams have gotten so good that it’s difficult to tell if they officially come from PayPal. 

To be safe, ignore any phone lines listed in an invoice's “seller note to customer” section. Always go to the official PayPal website to find the customer service lines.

Never give away sensitive personal information

Avoid any party who asks for personally identifiable information like your email address, phone number, street address, or Social Security number, as well as financial data like bank or credit card information. PayPal gives both parties everything they need to successfully buy and sell without the need for additional personal details. Anyone asking for this type of information is most likely a scammer.

As with all online financial transactions, always do your due diligence to avoid marketplace scams.

Use strong, varied passwords

Best password practices can be challenging to maintain, but they are worth the trouble. Create strong passwords and never reuse them across websites or apps. Password managers can create, store, and manage passwords for you, so you don’t have to remember dozens of unique passwords.

Two-factor authentication (2FA)

Two-factor authentication (2FA) takes a few minutes to set up, and its extra security is well worth the time. 2FA prevents hackers from accessing your account and notifies you if someone is trying to access your account. When this happens, it’s time to change your login credentials.

Suspicious invoices/money requests

Money request schemes involve sending mass numbers of fake invoices to PayPal users in hopes that some of them pay. If you receive a suspicious invoice, don’t pay, and be sure to report the activity to PayPal.

To report the activity on a web browser:

  1. Select the money request/invoice on your Dashboard > click Report this invoice.
  2. Then complete the steps provided to confirm.

To report the activity on the PayPal app:

  1. Select Payments > Bills.
  2. Select the invoice/money request > Report this invoiceReport invoice.

Beware a false sense of urgency

A common tactic across many types of scams is creating a false sense of urgency to increase pressure on victims. Cybercriminals hope these tactics force otherwise level-headed users to make decisions emotionally instead of rationally. If you detect urgent messaging from a seller, proceed cautiously.

Invest in identity theft services

Identity theft can cause immeasurable damage to a person's life. Unfortunately, the more we link our lives to online systems like PayPal, the more we expose ourselves to fraud. Depending on your vulnerability level, investing in an identity theft protection service may be worthwhile. At the very least, consider these best practices for identity theft protection.

3 best identity theft protection services

  • LifeLock: individual plan starts at $7.50/mo (billed annually) for first year; family plan starts at $18.49/mo (billed annually) for first year; ID theft insurance up to $3 million.
  • Aura: individual plan starts at $9.00/mo (billed annually); family plan starts at $17.00/mo (billed annually); ID theft insurance up to $1 million per adult.
  • Omniwatch: individual plan starts at $10.00/mo; family plan: -; ID theft insurance up to $2 million.

What to do if someone scams you on PayPal

If you suspect you’ve been involved in a PayPal scam, the first thing you should do is change your password and update your security questions as quickly as possible. Doing so prevents hackers from gaining further entry. You will then need to report the activity to PayPal. Depending on the type of scam/unauthorized activity, you might need to take different steps.

Report unauthorized account activity or transactions

Report on the app:

  1. Navigate to the Resolution Center.
  2. Click Report a problem.
  3. Choose the payment in question and select Continue.
  4. Select I want to report unauthorized activity.
  5. Complete the instructions that follow.

Report in a web browser:

  1. Select WalletActivity 
  2. Select the payment in question 
  3. Select Report a Problem 
  4. Choose the reason for the report and complete the instructions that follow.

Report suspicious emails

If you receive emails you believe to be suspicious and/or phishing attempts, don’t hesitate to report them directly to PayPal. Do not copy and paste the email. Instead, forward it to phishing@paypal.com.

If you interact with the scam email, be sure to change your account password and update your security questions. Consider running a full system scan with your antivirus software to detect any malicious files.

Lock (or unlock) your PayPal Debit Card

If your PayPal Debit Card is lost or stolen, follow these steps on the PayPal app:

  1. Tap Wallet.
  2. Select your PayPal Debit Card.
  3. Select Manage.
  4. Tap the toggle button next to Lock Card to lock and unlock your card.

Report lost, stolen, or damaged PayPal Debit Card

Report on the app:

  1. Select Wallet.
  2. Tap your PayPal Debit Card.
  3. Select Report your card lost or stolen.

Report in web browser:

  1. Navigate to your dashboard and select PayPal Debit Card.
  2. Select Manage Card > Replace lost, stolen, or damaged card.

Open a dispute with a seller

You may want to open a dispute with a seller for many reasons. Maybe your items weren’t as advertised or never arrived at all, or you suspect the seller is a scammer. Here are the steps to open a dispute.

Open a dispute on the app:

  1. Navigate to Recent activity.
  2. Select the transaction in question.
  3. Scroll to the bottom and select Report a Problem.
  4. Select the type of issue you have and include any relevant details. 
  5. Tap Submit.

Open a dispute in a web browser:

  1. Navigate to the Resolution Center.
  2. Select Report a Problem.
  3. Select the payment/transaction in question. 
  4. Click Continue.
  5. Select a reason for your dispute and click Continue.

Once your dispute is open, you may communicate with the other party to resolve the issue. If you cannot resolve the issue, you can escalate the dispute to a claim. Before you can escalate a dispute, PayPal requires that at least seven days have passed since the original payment date.

Escalating a dispute to a claim puts PayPal in charge of the investigation and the final decision of the claim. Disputes automatically close after 20 days unless they have been escalated, and closed disputes can no longer be escalated to claims.

FAQs


How can you tell if a PayPal invoice is real?

Instead of interacting with invoices sent to you via email (which could be a phishing email), log into your PayPal account and check your messages for the invoice in question. Remember that anyone can send someone else an invoice, so just because you’ve received an invoice doesn’t mean you have to pay it.


Why did I get a PayPal invoice for something I didn’t order?

Scammers send PayPal users fake invoices for transactions that never occurred in hopes that they pay the fraudulent invoice without checking their shopping history. These scams are known as money requests or invoice scams and are sent out in high volumes. Ignore these invoices and report them to PayPal.


Does PayPal send invoices via email?

Yes, PayPal does send invoices from other parties via email. Be sure to scrutinize the emails, even if they come from PayPal officially. 

Never call any customer service lines that are included in the “seller note to customer” section of an invoice. Scammers use faux customer service as phishing tactics to learn your personal details and financial data.

But remember, PayPal never requests money from you. You should only ever receive invoices from stores or PayPal users you have previously shopped with. If you receive an invoice claiming to come from PayPal, it’s a scam or phishing attempt.


What do I do if I receive a fake PayPal invoice?

Don’t click links in the invoice email or call any customer service phone numbers that may be included. Definitely do not pay the invoice. Instead, report the invoice to PayPal. Log into your PayPal account via the website or app to report the fraudulent activity.


What are other common PayPal scams?

Other common PayPal scams include overpayment scams, shipping address scams, advance payment scams, smishing scams, and alternate payment methods scams.


Which is safer: Venmo, Cash App, Zelle, or PayPal?

Venmo, Cash App, Zelle, and PayPal are equally safe. However, only PayPal and Venmo offer fraud protection. 

Cash App is not FDIC insured, so it doesn't guarantee refunds in the event of fraud, and Zelle only issues refunds for scam claims on a case-by-case basis.

Bottom line

The PayPal invoice phishing scam is an unfortunate reminder that scammers are always coming up with new and inventive ways to deceive honest people. Furthermore, corporate entities like PayPal can only do so much to keep their users safe. 

Be proactive in the fight against cybercriminals. Protect your sensitive data and identity by following cybersecurity best practices, and consider investing in identity theft protection services.

Author Details
Juliana Kenny is a seasoned writer with over 14 years of experience writing for cybersecurity topics. Holding a B.A. in both English and French, her work explores the convergence of security and technology. She specializes in endpoint security, cloud security, and networking technologies like secure access service edge (SASE).

Citations

[1] The PayPal Breach – Who Was Affected and How You Can Protect Yourself