How it works Detection Roadmap Pricing Blog Header Analyzer Phishing Quiz Install free
Security guide

Is that PayPal email real? How to spot a fake PayPal email

“Your account has been limited.” “You sent a payment of £419.99.” PayPal is one of the most impersonated brands in phishing — so if an email has your stomach dropping, here’s exactly how to tell a real PayPal message from a fake.

Published 3 July 2026 · ~7 min read · By the Phixo team

A message lands claiming your PayPal account is “limited,” that someone logged in from a new device, or that you just sent hundreds of pounds to a stranger. Your heart rate jumps and your finger hovers over the button. That reaction is exactly what the scammer is counting on.

The good news: real PayPal emails follow a few consistent rules, and fakes almost always break at least one of them. Here’s how to check in under a minute.

The quick answer

A PayPal email is very likely fake if any of these are true: it greets you as “Dear Customer” instead of your name, it comes from an address that doesn’t end in @paypal.com, it pushes a countdown or threat, or it asks you to “confirm” your password or card details through a link. When in doubt, don’t use anything in the email — open a fresh browser tab, type paypal.com yourself, and log in there. If there’s a genuine problem, it will show up in your account.

Phixo flagging a fake PayPal security alert in Gmail: Critical Risk, threat score 100/100, domain spoofing detected
This is what a catch looks like: a fake “PayPal Security Alert” opened in Gmail, flagged by Phixo as Critical Risk (100/100) with the spoofed sender domain and pressure tactics called out. Simulated phishing email in a demo inbox.

What a real PayPal email does

Knowing the genuine pattern makes the fakes obvious:

7 signs of a fake PayPal email

1. The sender domain isn’t paypal.com

The display name is trivial to fake — anyone can label an email “PayPal Service.” What’s harder to fake is the address behind it. Tap or click the sender name to reveal the full address and look at the part after the @.

What you see vs. what’s really there From: PayPal Service
<service@paypal-account-security.com>

Real PayPal ends in @paypal.com. Anything with extra words bolted on — paypal-account-security.com, secure-paypal.info — is a lookalike.

2. A generic greeting

“Dear Customer.” “Dear PayPal User.” “Hello Member.” Because mass phishing runs go out to thousands of addresses at once, the scammer usually doesn’t know your name. PayPal does. A greeting that avoids your actual name is a strong tell.

3. Manufactured urgency

“Your account will be permanently limited in 24 hours.” “Unauthorised login — act now.” Fear is the whole engine of the attack. Real account issues don’t come with a ticking clock designed to stop you thinking. If a message is trying to panic you into acting immediately, that pressure is the red flag.

4. Links that don’t go to paypal.com

Before clicking anything, hover over the button or link (or press and hold on mobile) to preview where it truly leads. The text might read “Log in to PayPal” while the real destination is somewhere else entirely.

The button lies Button text: Confirm your account
Actual destination: http://paypa1-verify.com/login

A genuine PayPal login link lives on paypal.com. If the destination is a different domain, a shortened URL, or a raw IP address, don’t click.

5. A lookalike domain

The sharpest fakes use domains built to survive a quick glance — a technique called typosquatting, often using homoglyphs (characters that look identical but aren’t).

Spot the difference paypa1.com  (a number 1, not an “l”)
paypaI.com  (a capital i, not an “l”)
paypal-secure.com  (extra word bolted on)

When a domain almost looks right, read it again character by character — especially on a phone, where the address bar is short and easy to skim.

6. It asks you to “confirm” sensitive details

The entire point of a phishing page is to harvest what you type. Any PayPal email that routes you to a form for your password, full card number, bank details, or a one-time code should be treated as hostile. PayPal simply doesn’t ask for those by email.

7. An unexpected attachment

A “receipt,” an “invoice,” a “dispute form” — attachments are a classic malware delivery method. Be especially wary of .zip, .html, and Office files that ask you to “enable content.” If you weren’t expecting a file, don’t open it.

The 30-second PayPal email check

The tricky one: fake PayPal invoices and money requests

Here’s the scam that fools even careful people, and it hits freelancers and small businesses especially hard. Scammers abuse PayPal’s real invoice and “request money” features to send a genuine-looking bill — or a “you sent a payment of £419.99” notice — that actually originates from PayPal’s own systems.

Because the email really does come from PayPal, the sender domain checks out and the links may genuinely point to paypal.com. So the usual domain test isn’t enough. The tell is the content: an unexpected charge you never authorised, plus a phone number urging you to call to “cancel” or “dispute” it. That phone number connects you to the scammer, who then talks you into refunds, remote-access software, or gift cards.

Never call a phone number from inside a payment email. If you’re worried a charge is real, log in at paypal.com and check your activity there. If the invoice or request isn’t in your account, it isn’t a real charge — you can simply cancel or ignore it.

What to do with a fake PayPal email

Don’t click, don’t reply, don’t open attachments, and don’t call any number in it. Then:

  1. Report it to PayPal. Forward the whole email to phishing@paypal.com, PayPal’s official address for suspected spoof messages.
  2. Report it to your email provider. Gmail and Outlook both have a one-click “Report phishing” option, which helps protect other people too.
  3. Delete it. Once reported, remove it so you don’t click it later by accident.
  4. Check your account the safe way. If you’re still worried, log in at paypal.com directly — never through the email.

What if you already clicked or entered your details?

Don’t panic — act quickly. Change your PayPal password immediately on the real site and turn on two-factor authentication. If you entered card or bank details, contact your bank. We’ve written a calm, step-by-step guide for exactly this situation: what to do if you clicked on a phishing link. And if you want to get sharper at catching these before they catch you, see our rundown of the 8 warning signs of a phishing email. PayPal isn’t the only brand scammers impersonate this way — the same playbook drives the fake Amazon “account suspended” email, right down to the phone-number call-back trick, and the fake Google “security alert” email, which copies a notification Google genuinely sends.

Frequently asked questions

How can I tell if a PayPal email is real?

A real PayPal email greets you by your full name, comes from an @paypal.com address, and never asks for your password, full card or bank number, or a one-time code. Generic greetings, urgency, and links to any domain other than paypal.com point to a fake. When unsure, log in at paypal.com directly instead of using the email’s links.

Does PayPal send emails about limited or suspended accounts?

PayPal does sometimes contact you about account issues — which is why these fakes work. The difference is that a genuine notice won’t demand your password or card details through an email link, won’t use a non-paypal.com domain, and won’t rely on a countdown to rush you. Verify anything by logging in directly.

Can a fake PayPal invoice come from a real PayPal address?

Yes. Scammers can abuse PayPal’s real invoice and money-request features, so the email genuinely originates from PayPal. The giveaway is an unexpected charge plus a phone number to call. Never call it — log in at paypal.com to confirm, and the fake charge won’t be there.

Not sure about an email? Let Phixo check it

Phixo is a browser extension that checks the email open in your Gmail or Outlook against several of the signals above — sender and domain reputation, link mismatches, lookalike domains, and email authentication (SPF, DKIM, DMARC) — plus an AI read of the language, and flags anything suspicious in seconds. Free plan includes 10 scans a day, no credit card. A one-time Google or Microsoft sign-in keeps your scan count tied to your account.

Install Phixo free →

Your email body is never stored. Analysis happens in real time and is discarded immediately.