“Your account has been limited.” “You sent a payment of £419.99.” PayPal is one of the most impersonated brands in phishing — so if an email has your stomach dropping, here’s exactly how to tell a real PayPal message from a fake.
Published 3 July 2026 · ~7 min read · By the Phixo team
A message lands claiming your PayPal account is “limited,” that someone logged in from a new device, or that you just sent hundreds of pounds to a stranger. Your heart rate jumps and your finger hovers over the button. That reaction is exactly what the scammer is counting on.
The good news: real PayPal emails follow a few consistent rules, and fakes almost always break at least one of them. Here’s how to check in under a minute.
A PayPal email is very likely fake if any of these are true: it greets you as “Dear Customer” instead of your name, it comes from an address that doesn’t end in @paypal.com, it pushes a countdown or threat, or it asks you to “confirm” your password or card details through a link. When in doubt, don’t use anything in the email — open a fresh browser tab, type paypal.com yourself, and log in there. If there’s a genuine problem, it will show up in your account.
Knowing the genuine pattern makes the fakes obvious:
The display name is trivial to fake — anyone can label an email “PayPal Service.” What’s harder to fake is the address behind it. Tap or click the sender name to reveal the full address and look at the part after the @.
Real PayPal ends in @paypal.com. Anything with extra words bolted on — paypal-account-security.com, secure-paypal.info — is a lookalike.
“Dear Customer.” “Dear PayPal User.” “Hello Member.” Because mass phishing runs go out to thousands of addresses at once, the scammer usually doesn’t know your name. PayPal does. A greeting that avoids your actual name is a strong tell.
“Your account will be permanently limited in 24 hours.” “Unauthorised login — act now.” Fear is the whole engine of the attack. Real account issues don’t come with a ticking clock designed to stop you thinking. If a message is trying to panic you into acting immediately, that pressure is the red flag.
Before clicking anything, hover over the button or link (or press and hold on mobile) to preview where it truly leads. The text might read “Log in to PayPal” while the real destination is somewhere else entirely.
A genuine PayPal login link lives on paypal.com. If the destination is a different domain, a shortened URL, or a raw IP address, don’t click.
The sharpest fakes use domains built to survive a quick glance — a technique called typosquatting, often using homoglyphs (characters that look identical but aren’t).
When a domain almost looks right, read it again character by character — especially on a phone, where the address bar is short and easy to skim.
The entire point of a phishing page is to harvest what you type. Any PayPal email that routes you to a form for your password, full card number, bank details, or a one-time code should be treated as hostile. PayPal simply doesn’t ask for those by email.
A “receipt,” an “invoice,” a “dispute form” — attachments are a classic malware delivery method. Be especially wary of .zip, .html, and Office files that ask you to “enable content.” If you weren’t expecting a file, don’t open it.
Here’s the scam that fools even careful people, and it hits freelancers and small businesses especially hard. Scammers abuse PayPal’s real invoice and “request money” features to send a genuine-looking bill — or a “you sent a payment of £419.99” notice — that actually originates from PayPal’s own systems.
Because the email really does come from PayPal, the sender domain checks out and the links may genuinely point to paypal.com. So the usual domain test isn’t enough. The tell is the content: an unexpected charge you never authorised, plus a phone number urging you to call to “cancel” or “dispute” it. That phone number connects you to the scammer, who then talks you into refunds, remote-access software, or gift cards.
Never call a phone number from inside a payment email. If you’re worried a charge is real, log in at paypal.com and check your activity there. If the invoice or request isn’t in your account, it isn’t a real charge — you can simply cancel or ignore it.
Don’t click, don’t reply, don’t open attachments, and don’t call any number in it. Then:
Don’t panic — act quickly. Change your PayPal password immediately on the real site and turn on two-factor authentication. If you entered card or bank details, contact your bank. We’ve written a calm, step-by-step guide for exactly this situation: what to do if you clicked on a phishing link. And if you want to get sharper at catching these before they catch you, see our rundown of the 8 warning signs of a phishing email. PayPal isn’t the only brand scammers impersonate this way — the same playbook drives the fake Amazon “account suspended” email, right down to the phone-number call-back trick, and the fake Google “security alert” email, which copies a notification Google genuinely sends.
A real PayPal email greets you by your full name, comes from an @paypal.com address, and never asks for your password, full card or bank number, or a one-time code. Generic greetings, urgency, and links to any domain other than paypal.com point to a fake. When unsure, log in at paypal.com directly instead of using the email’s links.
PayPal does sometimes contact you about account issues — which is why these fakes work. The difference is that a genuine notice won’t demand your password or card details through an email link, won’t use a non-paypal.com domain, and won’t rely on a countdown to rush you. Verify anything by logging in directly.
Yes. Scammers can abuse PayPal’s real invoice and money-request features, so the email genuinely originates from PayPal. The giveaway is an unexpected charge plus a phone number to call. Never call it — log in at paypal.com to confirm, and the fake charge won’t be there.
Phixo is a browser extension that checks the email open in your Gmail or Outlook against several of the signals above — sender and domain reputation, link mismatches, lookalike domains, and email authentication (SPF, DKIM, DMARC) — plus an AI read of the language, and flags anything suspicious in seconds. Free plan includes 10 scans a day, no credit card. A one-time Google or Microsoft sign-in keeps your scan count tied to your account.
Install Phixo free →Your email body is never stored. Analysis happens in real time and is discarded immediately.