PayPal Users Warned of Sophisticated Fake Invoice Scam
Just days after PayPal announced a groundbreaking partnership with OpenAI to integrate payments into the ChatGPT platform by 2026, the fintech giant has become the target of a widespread fake invoice attack.
According to a Forbes report citing cybersecurity experts from KnowBe4, cybercriminals are using a Telephone-Oriented Attack Delivery (TOAD) method to trick PayPal users with fraudulent invoices sent from legitimate-looking email accounts.
How the PayPal Fake Invoice Scam Works
The scam begins when users receive an email appearing to come from a real PayPal address. The email contains an invoice for products or services the recipient never ordered, often with an alarming amount and a phone number to call for dispute resolution.
Security experts warn that this phone number connects users not to PayPal, but to fraudsters who attempt to extract sensitive details such as credit card numbers, PayPal login credentials, or even direct payments.
“You receive an email from a real PayPal email address which contains an invoice for a large purchase you did not make, and a phone number for you to call if you want to dispute the charge,” warned analysts at KnowBe4. “The email is real, but the invoice is fake.”
TOAD Attacks Use Fear and Urgency to Deceive Victims
Known as a Telephone-Oriented Attack Delivery (TOAD) threat, this cyberattack technique leverages social engineering, using fear of financial loss or urgency to push victims into acting quickly.
Typically, these emails include:
- A PDF invoice or money request attachment
- A blank message body (another red flag)
- A fake customer service number
Reports indicate the campaign has been ongoing for over a week, targeting PayPal users globally.
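As an added example (not code from KnowBe4, Forbes or PayPal), the Python functions below score a parsed message against the three traits listed above. The phone-number pattern, the threshold of two and both sample messages are constructed assumptions. The sender is deliberately not checked, because the article says the email arrives from a real PayPal address.

```python
import re
from email.message import EmailMessage

# Assumption: 10-15 digits with common separators is treated as a phone number.
PHONE_RE = re.compile(r"\+?\d(?:[\s().-]*\d){9,14}")


def toad_indicators(msg: EmailMessage) -> dict:
    """Report which of the three listed traits a parsed message shows."""
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content().strip() if body else ""
    has_pdf = any(
        part.get_content_type() == "application/pdf"
        or (part.get_filename() or "").lower().endswith(".pdf")
        for part in msg.iter_attachments()
    )
    # With a blank body the number may sit in the subject; PDF text is not parsed here.
    visible = f"{msg.get('Subject', '')}\n{body_text}"
    return {
        "pdf_attachment": has_pdf,
        "blank_body": body_text == "",
        "phone_number": bool(PHONE_RE.search(visible)),
    }


def is_suspicious(msg: EmailMessage, threshold: int = 2) -> bool:
    """Flag a message showing at least `threshold` traits (threshold is an assumption)."""
    return sum(toad_indicators(msg).values()) >= threshold


def build_sample(subject: str, body: str, with_pdf: bool = False) -> EmailMessage:
    """Build a constructed test message; the address and number are placeholders."""
    m = EmailMessage()
    m["From"] = "billing@paypal.example"  # placeholder, never inspected above
    m["Subject"] = subject
    m.set_content(body)
    if with_pdf:
        m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                         subtype="pdf", filename="invoice.pdf")
    return m


FAKE = build_sample("Invoice: call +1 (555) 010-0199 to dispute", "", with_pdf=True)
BENIGN = build_sample("Receipt for your payment", "You sent $12.00 USD to Example Store.")

if __name__ == "__main__":
    for name, m in (("fake", FAKE), ("benign", BENIGN)):
        print(name, toad_indicators(m), is_suspicious(m))
```

To run it over stored mail, parse each file with `email.message_from_bytes(raw, policy=email.policy.default)` so the result is an `EmailMessage`.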
Experts Warn Users to Stay Vigilant
What makes this attack especially concerning is that emails originate from genuine PayPal accounts, giving them an added layer of legitimacy. The invoices, however, are fabricated and part of a larger phishing campaign.
“The email you receive is real, but the invoice is not,” KnowBe4 explained. “If you call the phone number, you’ll reach a scammer, not PayPal’s support team.”
Cybersecurity experts recommend that users:
- Avoid calling numbers listed in suspicious emails
- Log in directly to their PayPal account to verify activity
- Report fake invoices immediately via PayPal’s official help centre
PayPal Responds Amid AI Expansion Plans
This security alert comes shortly after PayPal’s collaboration with OpenAI, which aims to enable seamless payments and commerce within ChatGPT by 2026. The company has yet to release an official statement on the incident, but the timing highlights the growing risks facing fintech platforms as they expand into AI-driven ecosystems.
Conclusion
The fake PayPal invoice scam underscores the evolving sophistication of cybercriminals exploiting legitimate digital platforms. As PayPal continues to innovate with AI and cloud-based payment solutions, experts urge users to remain cautious, verify all communications, and prioritise cybersecurity awareness to avoid falling victim to scams.