
How to Spot a PayPal Phishing Email (7 Red Flags)

A plain-English guide to spotting fake PayPal emails. Learn the 7 red flags scammers use, the one safe way to verify your account, and what to do if you already clicked.

"Your account has been limited." "Unusual activity detected." "Confirm your information within 24 hours." If you've ever gotten an email like that from "PayPal," you've met one of the most copied phishing templates on the internet.

Real PayPal emails exist — but scammers clone them almost perfectly, and the newest fakes don't have the clumsy typos people were taught to watch for. This guide covers the seven red flags that still give a fake away, the one safe way to check your account, and what to do if you already clicked.

Quick version: Check the full sender address, never click links inside the email, and verify by typing paypal.com yourself. PayPal will never ask for your password, full card number, or Social Security number by email.

The 7 red flags in a fake PayPal email

You rarely need all seven. One clear red flag is enough to stop and verify.

1. The sender address doesn't actually match PayPal

The display name can say anything. What matters is the part after the @. Real PayPal mail comes from domains like paypal.com — not paypa1.com, paypal-secure.net, or service-paypal.com.

Check: Tap or hover on the sender name to reveal the real address.

2. The links don't go to paypal.com

Scammers hide a fake destination behind official-looking button text. Before clicking, hover (or long-press on mobile) any "Log in" or "Verify" link and read where it actually goes.

Check: If the link isn't on paypal.com, treat it as a trap.

3. It manufactures urgency

"Act within 24 hours or your account will be suspended." Urgency is the scammer's favorite lever — it pushes you to act before you think. Real account notices give you time and never threaten instant closure by email.

Check: Any hard deadline attached to a link is a warning sign.

4. It asks you to "confirm" sensitive details

PayPal will never ask you to confirm your full password, card number, or SSN by email. A message that does is fraudulent, full stop.

Check: Sensitive info requested by email = scam.

5. Generic greetings

"Dear Customer" or "Dear User" instead of your name is a tell. A company that already has your account usually addresses you by name.

Check: No name when they should have one? Be suspicious.

6. Small spelling and grammar mistakes

Odd phrasing, missing words, or strange capitalization slip through in rushed scam emails. This still catches a lot of fakes — but see the section below on why it's no longer enough on its own.

Check: Awkward English is a clue, not proof.

7. Unexpected attachments

PayPal doesn't send invoices or "account documents" as files you need to open. An unexpected PDF or HTML attachment is a red flag.

Check: Don't open attachments from an email you didn't expect.

Real vs. fake at a glance

| Signal | Real PayPal | Likely phishing |
| --- | --- | --- |
| Sender domain | @paypal.com | Lookalike or unrelated domain |
| Greeting | Your name | "Dear Customer" |
| Links | Go to paypal.com | Go elsewhere |
| Asks for | Nothing sensitive by email | Password, card, or code |
| Tone | Informational | Urgent, threatening |

Anatomy of a fake PayPal email

Here's a typical one. Most of the flags above show up in a single short message:

From: PayPal Service <support@paypa1-secure.com>
Subject: [Action Required] Your account has been limited

Dear Customer,

We noticed unusual activity on your account. To restore full
access, please confirm your information within 24 hours or your
account will be permanently suspended.

      [ Confirm My Information ]

Thank you,
The PayPal Team

Five tells in six lines:

  • The domain paypa1-secure.com uses a number "1" for the "l" and tacks on -secure. Not PayPal.
  • "Dear Customer" — no name.
  • "within 24 hours" — a manufactured deadline.
  • "confirm your information" — PayPal never asks for this by email.
  • The button — official-looking text hiding a link that doesn't go to paypal.com.

None of these depend on a typo. That's the point.
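The five tells above can be checked mechanically, which is how mail filters catch these messages. The following is an added example, not part of the original guide: it parses a constructed copy of the sample message (with a placeholder href behind the button, since the original shows only the button text) and reports each tell. It assumes only paypal.com and its subdomains are trusted, so lookalikes like paypa1.com or paypal.com.evil.example fail the check.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed copy of the sample message above; the href is a placeholder.
SAMPLE = """From: PayPal Service <support@paypa1-secure.com>
Subject: [Action Required] Your account has been limited

<p>Dear Customer,</p>
<p>We noticed unusual activity on your account. To restore full
access, please confirm your information within 24 hours or your
account will be permanently suspended.</p>
<a href="https://paypal-secure.example/login">Confirm My Information</a>
"""

LEGIT_DOMAINS = {"paypal.com"}  # assumption: only this domain and its subdomains are trusted

def is_legit_host(host: str) -> bool:
    """True for paypal.com or a subdomain of it; lookalikes like paypa1.com fail."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def sender_domain(from_header: str) -> str:
    """Ignore the display name; only the part after the @ in the real address counts."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def link_hosts(html: str) -> list:
    # Hostnames behind every href, i.e. where the buttons actually go.
    return [urlparse(u).hostname or "" for u in re.findall(r'href="([^"]+)"', html, re.I)]

def red_flags(raw: str) -> list:
    """Describe each tell found in a raw email (headers plus HTML body)."""
    msg = message_from_string(raw)
    html = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", html)  # strip tags before matching wording
    flags = []
    dom = sender_domain(msg.get("From", ""))
    if not is_legit_host(dom):
        flags.append(f"sender domain {dom} is not paypal.com")
    off = [h for h in link_hosts(html) if not is_legit_host(h)]
    if off:
        flags.append(f"link(s) go off-domain: {off}")
    if re.search(r"\bdear (customer|user|member)\b", text, re.I):
        flags.append("generic greeting")
    if re.search(r"within \d+\s*(hours?|minutes?)|suspended|immediately", text, re.I):
        flags.append("manufactured deadline or threat")
    if re.search(r"confirm your (information|details|identity|password)", text, re.I):
        flags.append("asks you to confirm information")
    return flags
```

Run `red_flags(SAMPLE)` to see all five tells listed; swapping in a real @paypal.com sender, a paypal.com link, and a personal greeting leaves only the urgency and "confirm" wording flagged.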

The one safe way to check your PayPal account

Never use the links in a suspicious email. Instead:

  1. Open the PayPal app, or type paypal.com into your browser yourself.
  2. Log in and check your account directly.
  3. If there's a real issue, it will be waiting for you there.

This single habit defeats almost every phishing email, because the scam only works if you click their link instead of going to the real site.

Why "just look for bad grammar" stopped working

For years the standard advice was: scam emails have typos. That advice is now half-broken. Scammers use the same writing tools everyone else does, so plenty of phishing emails are clean, well-formatted, and convincing.

The reliable signals aren't about writing quality anymore — they're structural: who actually sent it, where the links go, and whether anyone is pressuring you to act fast. Judge the email by those, not by whether it "looks professional."

If you already clicked or entered details

Don't panic — fast action limits the damage. Work top to bottom:

  1. Stop entering anything. If a fake login page is open, close it.
  2. Change your PayPal password from the real site (type paypal.com yourself), then sign out of all devices in your settings.
  3. Turn on two-factor authentication so a stolen password alone isn't enough.
  4. If you entered card or bank details, call the number on the back of your card and ask them to watch for fraud or reissue the card.
  5. Check for changes you didn't make — a new email address, phone number, or linked bank account in your PayPal profile.
  6. Report it. Forward the original email to spoof@paypal.com, then delete it.

The sooner you change the password, the less a stolen one is worth.

Get a second opinion in minutes

When an email passes the eye test but still feels off, the safest move is to have something check it for you before you click. That's what FraudRoom is for: forward the suspicious email to check@fraudroom.com and you get back a plain-English risk level — and the safest next step — usually within minutes. No jargon, no judgment.

FAQ

Does PayPal really email you about a "limited" account?

Yes, PayPal does send account notices — but they won't ask you to confirm sensitive details by email or pressure you with a countdown. When in doubt, ignore the email and log in directly at paypal.com.

What does a real PayPal email address look like?

Legitimate PayPal mail comes from domains ending in @paypal.com. Lookalikes such as paypa1.com or paypal-secure.net are not PayPal.

What should I do if I clicked the link?

Don't enter anything if a page loads. If you already typed your password, change it immediately and turn on two-factor authentication. If you entered card details, call your bank using the number on the back of your card. The full step-by-step is in the recovery section above.

How do I report a PayPal phishing email?

Forward the suspicious email to spoof@paypal.com, then delete it. Reporting helps PayPal shut down the fake domains faster — and doesn't put you at any risk, since forwarding doesn't click their links.

Key takeaways

  • Judge the email by sender, links, and pressure — not by how polished it looks.
  • PayPal never asks for passwords, full card numbers, or codes by email.
  • Verify by typing paypal.com yourself; never trust the email's links.
  • If you're unsure, get a second opinion before you click.

Not sure about a message?

Forward it to check@fraudroom.com and get a plain-English scam check in minutes.

Try it free — 5 checks, no card