The Fake PayPal "Your Account Is Limited" Email
A market trader received a convincing PayPal email warning his account was limited — entering his details on the fake site led to his PayPal balance and linked card being drained.
Attack Chain
1. Convincing PayPal email sent with fake link
2. Victim logs into fake site, credentials captured
3. Real-time OTP used to access real PayPal
4. Balance and linked card drained simultaneously
Background
PayPal is one of the most commonly impersonated services in phishing attacks. For small traders who rely on it for income, a message about account limitations creates immediate anxiety — exactly what scammers exploit.
The Attack
The email was professionally designed, used official PayPal branding, and showed the correct PayPal sender name. The linked URL contained the string "paypal" but pointed to a different domain. The fake site asked him to verify his identity by entering his PayPal email and password, then his full card details, and finally a mobile verification code he had just received. That code was a genuine PayPal login MFA code: the scammers had submitted his captured credentials to the real PayPal site, which triggered the code, and they used it in real time to access his account while he was still on the fake page.
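The distinction the paragraph turns on, a URL that merely contains "paypal" versus one whose host actually is paypal.com, can be checked mechanically. The following is an added example written for this page, not code from the case or from PayPal: it accepts a link only when it uses HTTPS and its host is paypal.com or a subdomain of it, and it is run over a constructed set of lookalike URLs (the host names other than paypal.com are made up for the demonstration) that each pass a naive "contains paypal" test.

```python
from urllib.parse import urlsplit

# Added example: a checker for the rule "genuine PayPal is always paypal.com".
# paypal.com is the real domain; every other host in SAMPLE_URLS is constructed.
LEGITIMATE_DOMAIN = "paypal.com"


def is_legitimate_paypal_url(url: str, legit_domain: str = LEGITIMATE_DOMAIN) -> bool:
    """True only if the URL uses HTTPS and its host is legit_domain or a subdomain of it.

    Rejected: hosts that merely contain the brand name, hosts that hide the brand in the
    userinfo part before '@', plain-HTTP links, and non-ASCII or punycode lookalike hosts.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if not host or not host.isascii():
        return False  # e.g. a Cyrillic letter substituted into the brand name
    host = host.rstrip(".")
    if any(label.startswith("xn--") for label in host.split(".")):
        return False  # punycode label: an internationalised lookalike, not the ASCII brand domain
    return host == legit_domain or host.endswith("." + legit_domain)


def explain(url: str) -> str:
    """One-line verdict for a URL, showing the host the browser would actually connect to."""
    host = urlsplit(url.strip()).hostname or "<no host>"
    verdict = "OK" if is_legitimate_paypal_url(url) else "REJECT"
    return f"{verdict:6} host={host:42} url={url}"


# Constructed sample set: two genuine-looking links plus the lookalike patterns that
# a substring match on "paypal" would wave through.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "https://paypal.com/myaccount/summary",
    "https://paypal.com.account-verify.example/login",  # brand as a subdomain of another domain
    "https://secure-paypal.example/verify",             # brand embedded in another name
    "https://paypal.com@account-verify.example/",       # brand in the userinfo; real host follows '@'
    "http://www.paypal.com/",                           # right host, no TLS
    "https://www.p\u0430ypal.com/",                     # Cyrillic 'а' in place of Latin 'a'
]


def classify(urls=SAMPLE_URLS) -> dict:
    """Map each URL to the checker's verdict; used by the demonstration below."""
    return {u: is_legitimate_paypal_url(u) for u in urls}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(explain(u))
```

The check deliberately relies on `urlsplit(...).hostname` rather than on the raw string, because that is the host the browser connects to; the `@` case shows why a human reading the start of the link gets a different answer from the one the browser uses.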
Response
He noticed within minutes that he had been logged out of the real PayPal app on his phone and immediately called PayPal. His account was frozen within the hour. PayPal's fraud team reviewed the case.
Outcome
PayPal reimbursed £1,400 that had been transferred before the account was frozen. The linked card was used for £340 before the bank cancelled it. His total loss was approximately £340 from the card — PayPal's buyer protection worked as intended once the account was frozen.
Key Takeaways
- Check the actual URL in your browser's address bar when asked to log into PayPal or any payment service — genuine PayPal is always paypal.com
- Go directly to PayPal by typing paypal.com — never follow links in emails, even convincing ones
- If you receive a "one-time code" you didn't request, it means someone is attempting to log into your account right now — do not enter it anywhere
- Turn on PayPal security alerts in your account settings so you get instant notification of any login or transaction
- A real-time phishing attack that uses your own OTP (called a "reverse proxy phish") can bypass SMS two-factor authentication — an authenticator app is more secure
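Why the verification code in this case could be relayed, and what kind of second factor a real-time relay cannot defeat, as an added toy model written for this page (it is not PayPal's implementation): the verifier for a code delivered by SMS, and equally for a time-based code shown by an authenticator app, checks only the six digits, so it has no way to tell which page the user typed them into. An origin-bound factor such as a FIDO2 security key or passkey instead signs the server's challenge together with the origin the browser itself reports, and a signature produced on a lookalike domain fails verification at the real one. `REAL_ORIGIN`, `PHISH_ORIGIN` and the HMAC standing in for the authenticator's signature are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Added toy model (not PayPal's system): an OTP the server verifies by value alone,
# beside an assertion that is cryptographically bound to the page origin.
REAL_ORIGIN = "https://www.paypal.com"
PHISH_ORIGIN = "https://paypal.com.account-verify.example"  # constructed lookalike host
DEVICE_KEY = secrets.token_bytes(32)  # stands in for a registered authenticator's private key


# --- SMS / TOTP-style code: the server only ever sees the digits --------------------
def issue_code() -> str:
    """Six-digit code as sent by SMS or displayed by a code-based authenticator app."""
    return f"{secrets.randbelow(10**6):06d}"


def verify_code(expected: str, submitted: str) -> bool:
    return hmac.compare_digest(expected, submitted)


def code_login(page_origin: str) -> bool:
    """The real service issues a code; the user types it into whatever page is in front
    of them; the page forwards the digits. The verifier never learns page_origin."""
    code = issue_code()
    typed_by_user = code
    forwarded_to_real_service = typed_by_user  # identical whether page_origin is real or not
    return verify_code(code, forwarded_to_real_service)


# --- Origin-bound assertion (WebAuthn-style, simplified to an HMAC) ------------------
def sign_assertion(challenge: bytes, origin_reported_by_browser: str) -> bytes:
    """The browser, not the web page, supplies the origin, so a page cannot lie about it."""
    msg = challenge + origin_reported_by_browser.encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).digest()


def verify_assertion(challenge: bytes, signature: bytes, expected_origin: str) -> bool:
    """The real service recomputes the expected value over its own origin."""
    expected = hmac.new(DEVICE_KEY, challenge + expected_origin.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def origin_bound_login(page_origin: str) -> bool:
    """A challenge forwarded through a lookalike page is signed over the lookalike's origin,
    so the real service rejects it; the same flow on the real origin verifies."""
    challenge = secrets.token_bytes(32)  # issued by the real service, forwarded by the page
    signature = sign_assertion(challenge, page_origin)
    return verify_assertion(challenge, signature, REAL_ORIGIN)


if __name__ == "__main__":
    print("code  via real site :", code_login(REAL_ORIGIN))           # True
    print("code  via lookalike :", code_login(PHISH_ORIGIN))          # True, the weakness
    print("bound via real site :", origin_bound_login(REAL_ORIGIN))   # True
    print("bound via lookalike :", origin_bound_login(PHISH_ORIGIN))  # False
```

`code_login` ignores its `page_origin` argument on purpose: that is the whole point. Nothing in a typed code carries information about where it was typed, so the takeaway above about never entering an unrequested code anywhere is the only defence a code-based factor offers against a live relay, whereas the origin-bound branch fails closed without the user having to notice anything.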