Is the PayPal DocuSign Email a Scam? How the Fake Invoice Trick Works

Short answer: an email that looks like a real PayPal invoice or a DocuSign document — often charging you $300–$900 for "Bitcoin," "crypto," or some service you never bought, with a phone number to "dispute" it — is a scam. The trick is that the email is frequently sent through PayPal's or DocuSign's real systems, so it passes every spam check and looks completely authentic. The charge isn't real. The phone number is the trap.

This is a clever evolution of the fake-invoice scam: instead of faking a brand, the scammer abuses the genuine platform to send you a real-looking request, then relies on a "support" number to do the damage.

Quick check: Don't call the phone number in the invoice or document. You weren't charged anything. Log in to PayPal yourself (type the address; don't use the email's link) and check your activity — the charge won't be there.

In this guide

• How the PayPal and DocuSign invoice scam works
• Why it gets past spam filters
• The crypto and Bitcoin angle
• The red flags
• What a fake PayPal or DocuSign invoice looks like
• What to do instead
• If you already called or paid
• FAQ

How the PayPal and DocuSign invoice scam works

The scam runs on a phone call, not a link — which is exactly why it slips past people trained to "never click."

1. The bait. You get a genuine-looking PayPal invoice or a DocuSign "agreement" for a charge you didn't authorize — commonly a crypto purchase, an antivirus renewal, or a vague "service fee" of a few hundred dollars.
2. The hook. The email/document includes a phone number to "cancel," "dispute," or "report unauthorized activity." A note often warns the charge will process automatically unless you call.
3. The call. You call, alarmed, and a polished "support agent" offers to "reverse" the charge. To do that, they ask to:
   • remote into your computer (via a "support" app) to "process the refund,"
   • get you to log in to your bank while they watch,
   • claim they "accidentally refunded too much" and pressure you to send the difference back by gift card, wire, or crypto, or
   • extract your PayPal login or a verification code.
4. The loss. Whatever they collect — remote access, a "refund correction" payment, your login — is the real goal. The original invoice was never a real charge.

Why it gets past spam filters

The reason these feel so convincing: many are sent through the real PayPal invoicing system or real DocuSign envelopes. The scammer creates a legitimate account on the platform and sends you an invoice or document. So:

• The email genuinely comes from PayPal's or DocuSign's real servers and domains.
• It passes SPF/DKIM and lands in your inbox, not spam.
• The links go to the real platform — there's no lookalike domain to catch.

The only fake parts are the claim (you owe nothing) and the phone number (which goes to the scammer, not PayPal or DocuSign). That's why the usual "check the sender domain" advice isn't enough here — you have to recognize the shape of the scam.

The crypto and Bitcoin angle

A very common version invoices you for a Bitcoin or crypto purchase — e.g. "PayPal: You sent $649.99 for 0.0xx BTC." Crypto is chosen for two reasons: the amounts feel plausible for a single purchase, and the irreversibility makes the panic ("I need to cancel this NOW") more intense. The "agent" then steers any "refund" toward crypto or gift cards — which, unlike a card charge, can't be clawed back once sent. If an invoice for crypto you never bought is pushing you to call a number, that's the scam in its most common form.

The red flags

• A charge you don't recognize — crypto, antivirus, a "service fee" — for a few hundred dollars.
• A phone number to "dispute" or "cancel." Real disputes happen inside your PayPal account, not via a number in an invoice.
• Pressure — "charged automatically in 24 hours," "call immediately."
• A request to download remote-access software or to "verify" by logging in while on the call.
• Any "we refunded too much, send it back" request — always a scam.
• Payment or "refund" routed to gift cards, wire, or crypto.

What a fake PayPal or DocuSign invoice looks like

From: service@paypal.com  (real PayPal invoicing)
Subject: Invoice from Crypto Exchange Pro (Invoice #INV-90432)

You sent a payment of $649.99 USD for a Bitcoin purchase.

If you did not authorize this transaction, contact our billing
support immediately to cancel within 24 hours:

   Billing Support: +1 (8XX) ...

This charge will be processed automatically.

What makes it dangerous: the email really is from PayPal's system, so the sender and links look perfect. The deception is the unauthorized-charge story and the phone number — call it and a "support agent," not PayPal, picks up.

If an invoice or DocuSign document like this lands and your first instinct is to call the number to stop the charge, pause — that instinct is the trap. Forward the email to FraudRoom first and get a clear read on whether there's any real charge before you dial a number or log in anywhere.

What to do instead

1. Don't call the number in the invoice or document.
2. Log in to PayPal yourself — type paypal.com (or open the app), don't use the email's link — and check your activity and any invoices. A real charge would be there; this one won't be.
3. For DocuSign, verify documents by logging in to your DocuSign account directly, not via the email, and check the legitimacy code if provided. Don't "review" a document you weren't expecting.
4. If there's a real invoice you don't recognize, decline or report it from inside your PayPal account, and never call a number printed in it.
5. Report the phishing. Forward fake PayPal invoices to spoof@paypal.com, report DocuSign abuse to DocuSign's official "report abuse" channel from their website, then delete the email.

If you already called or paid

1. If you let them remote into your device, disconnect from the internet, run a security scan, and change your important passwords from a different, trusted device. Assume they saw whatever was on screen.
2. If you sent a "refund correction" by gift card, wire, or crypto, contact that channel immediately to try to stop it — speed is everything.
3. If you shared your PayPal login, change the password from the real site and turn on two-factor authentication; review linked cards and recent activity.
4. If you shared bank or card details, call your bank using the number on your card and report fraud.
5. Report it to the FTC at reportfraud.ftc.gov, and to the FBI at ic3.gov for larger losses.

For the full recovery walkthrough, see what to do if you clicked a phishing link.

FAQ

Why does the PayPal invoice look completely real?

Because it often is — sent through PayPal's genuine invoicing system by a scammer who made an account. The email passes spam checks and the links go to real PayPal. Only the charge claim and the "support" phone number are fake. That's why you verify by logging in yourself, not by trusting how official it looks.

Should I call the number on a suspicious PayPal or DocuSign email?

No. That's the core of the scam. Real disputes are handled inside your PayPal account, and real DocuSign documents are verified by logging in to DocuSign directly. The number in the email connects to the scammer, who will try to remote into your device or extract a payment.

I got a PayPal invoice for Bitcoin I never bought — is it a scam?

Almost certainly. Fake crypto/Bitcoin invoices are one of the most common versions. Don't call the number. Log in to PayPal yourself to confirm there's no real charge, then report the invoice to spoof@paypal.com and delete it.

I let a "PayPal agent" access my computer — what do I do?

Disconnect from the internet, run a malware scan, and change your key passwords from a different trusted device. Call your bank if you logged into it during the call, watch your accounts closely, and report it to the FTC. Treat anything that was on your screen as compromised.

Key takeaways

• The email is often genuinely from PayPal or DocuSign — the charge and phone number are the fakes.
• "Check the sender domain" isn't enough here; recognize the call-a-number invoice shape.
• Never call the number — verify by logging in to PayPal or DocuSign yourself.
• Crypto/Bitcoin invoices are the most common version because the loss can't be reversed.
• Never grant remote access or send a "refund correction" — report it to spoof@paypal.com instead.

Related reading

• How to spot a PayPal phishing email (7 red flags)
• Is this Geek Squad or Norton renewal email a scam?
• What to do if you clicked a phishing link