Is This PayPal Email Real?

How to Spot a Real PayPal Email vs a Scam

PayPal is one of the top five most-impersonated brands in UK phishing. The usual mix of fake receipts, fake dispute notifications, and fake account-locked alerts targets both senders and receivers of PayPal payments. The good news: PayPal's legitimate communications follow a small number of strict patterns, so verification is fast.

Real PayPal email rules

• Sender domain. Real PayPal emails come from @paypal.com, @paypal.co.uk, or a few specific paypal-owned subdomains (e.g. service@paypal.com, service@intl.paypal.com). Anything else is fake.
• Greeting. Real PayPal addresses you by your full registered name, not "Dear Customer" or "Dear PayPal User".
• Account state. Real PayPal communications about your account always reflect what's in your PayPal account when you log in via paypal.com directly. Fake emails reference activity that doesn't appear in your account.
• Links. Real PayPal links go to paypal.com/uk/... (or a few country variants). They never go to paypal-secure.help, paypal.id-verify.com, or any third-party domain.

The Five Most-Common PayPal Scam Patterns

1. The fake "you have received a payment" email

Targets sellers. Email claims a buyer has paid for an item; instructs the seller to ship before the payment shows in their PayPal account, "because the funds are temporarily on hold pending verification". The email looks like a real PayPal payment confirmation but the payment doesn't exist. The seller ships; the buyer disappears with the goods.

Defence: never ship until the payment is fully cleared and visible inside your real PayPal account at paypal.com. PayPal does not "hold" payments pending email verification.

2. The fake dispute / chargeback notification

Targets sellers. Email claims a buyer has filed a dispute and you must "respond within 24 hours or lose the case". Includes a link to a fake "dispute resolution" page that captures PayPal credentials. The fake login page is often near-identical to PayPal's real one.

Defence: log in to PayPal directly by typing paypal.com. Real disputes appear inside your Resolution Centre. If nothing's there, the email is fake.

3. The "account limited / suspended" email

Targets everyone. Email warns the account has been limited due to "suspicious activity" and demands you click a link to verify identity within 48 hours. The link goes to a credential-harvesting page asking for your PayPal password, full card details, address, and sometimes a selfie of an ID document.

Defence: log in to PayPal directly. Real account limitations are always visible inside your account with a clear remediation flow. They're also rare and usually triggered by something specific (a high-value international transfer, an unusual login location).

4. The fake invoice from a stranger

An "invoice" arrives claiming you owe a payment for a service or subscription you didn't buy — often "£299 for crypto trading software" or "£180 for antivirus renewal". Recipient panics, calls the support number on the invoice, and is walked through "cancelling the charge" by giving the scammer remote-desktop access or transferring money out.

Defence: if you didn't buy the thing, you don't owe the money. Do not call any number on the invoice. Log in to PayPal and check whether the invoice exists; if it does, you can decline it inside the platform without contacting the sender.

5. The "refund accidentally overpaid" scam

Buyer claims they accidentally paid you twice and asks you to refund the difference. The original payment is later reversed by chargeback; you're out the goods, the original payment, and the refund.

Defence: never refund based on the buyer's claim. Refund only what your PayPal balance actually shows you received, and only after the original payment has fully cleared (typically 24-72 hours for the chargeback window to begin closing).

What to Do With a Suspected PayPal Scam Email

1. Don't click any link in the email. Don't call any number in it. Don't reply.
2. Forward the email to spoof@paypal.com — PayPal's dedicated abuse address. Their security team uses these reports to take down impersonating infrastructure.
3. Forward to report@phishing.gov.uk as well — the NCSC's Suspicious Email Reporting Service. Multiple reports trigger faster takedowns.
4. Verify what's actually in your PayPal account by logging in directly at paypal.com.
5. Delete the email after forwarding.

If You Clicked the Link or Submitted Credentials

1. Change your PayPal password immediately by logging in directly. Use a unique password — if the same password is on other accounts, change those too.
2. Enable two-step verification on PayPal (Settings → Security → 2-step verification). Use an authenticator app rather than SMS where possible.
3. Check Recent Activity in PayPal for any transactions you don't recognise. PayPal's buyer/seller protection covers many unauthorised transactions if reported promptly.
4. Check the cards and bank accounts linked to PayPal via your bank's app. Call your bank's fraud line if you spot any unauthorised charges.
5. File a report at reportfraud.police.uk if money was lost. Save the case reference number.
6. For UK losses, the PSR APP-scam reimbursement scheme may apply if you sent a Faster Payments transfer under deception. See our UK Recovery Guide for the full process.

Additional Resources

• Report Fraud - Report scams to UK authorities
• NCSC Phishing Advice - UK Cyber Security Centre
• ScamWise - Government scam awareness
• Which? Scams - Consumer scam alerts

Protect Your Data with VPN

Use NordVPN to encrypt your connection when accessing sensitive accounts online, protecting your data from interception.

Affiliate disclosure: as a NordVPN partner, ScamSupport may earn a commission if you sign up via this link — this doesn't change our recommendation or the price you pay. Full affiliate policy →