
Is the latest PayPal imitation scam email the most sophisticated yet?


Scammers are ramping up their efforts to catch you out with their phishing emails – and the latest PayPal imitation scam email is frighteningly realistic.

This week a friend received one of the most convincing PayPal imitation scam emails we’ve seen.

From the email and sign-in page through to the personal detail form, it features a well-thought-out user journey.

How it works

It starts with the email, which looks like a receipt confirmation and cleverly guides you to click on a link to dispute a transaction. You won’t recognise the name the transaction shows because it’s fake and has been made up by the scammer.


Once you’ve landed on the sign-in page, you’re guided to type in your email and password.

[Image: fake PayPal landing page]

In all likelihood, if you make it this far without any suspicions, you’ll type in a genuine email address and password. This information would then belong to the scammer and enable them to access your real account.

Even if you make a slight mistake with your email and password, you’ll still progress to the personal detail form, as we’ve found that all the form needs is an ‘@’ sign somewhere in the email address field.

On the Personal Information Profile page, it asks you to enter your personal information to verify your identity.

[Image: PayPal scam email personal information form]

Not only are you told to enter your billing address and card details, you’re also asked to enter your mother’s maiden name, branch code and account number for ‘verification’ purposes.

This is an extensive and thorough attempt to capture as much financial information about you as possible, so accessing your account is easier for the scammers.

What should you do?

You should always be wary when asked to part with this much information and report a scam to the internet service provider as well as the company it’s pretending to be.

If you think you’ve received a suspicious email purporting to be from PayPal or have been directed to a fake website, forward it to spoof@paypal.com and it will investigate it. PayPal advises that you then delete it from your inbox.

If you clicked on any links or downloaded any attachments within the suspicious email or website, you should also log into your account, view your transactions and change your password.

If you think you may have given a fraudster your bank details, contact your bank as soon as possible.

If you’ve already noticed unauthorised transactions taking place, read our guidance on how to get your money back after a PayPal imitation scam and use our free letter template to write to your bank.

Extra details to look out for

When a scam becomes more sophisticated and the usual tell-tale signs of bad spelling and grammar aren’t there, you can examine the details of the email and landing pages more closely for some clues.

  • The design: For the more regular PayPal users among us, you’ll notice that the design of this imitation scam email is now out of date. PayPal upgraded its look and feel early last year, leaving behind the design matching this scam.
  • The date: The more eagle-eyed might also glance at the copyright date at the bottom of the log-in page and the personal detail form and notice they aren’t updated to include 2017.
  • The landing page URL: The landing page web address didn’t match that of PayPal. Always check the URL against the real site if you’re unsure.

PayPal has also published guidance on what its users should look out for more generally when it comes to spotting scam emails.

Did you receive the same email? What did you do about it? And what do you usually check for if you think you’ve received a scam email?


Any chance of enlarging the Paypal details please?

It would be interesting to know the website address you were taken to.

Hi @alfa

@adam-gillett has worked his magic on the images, so hopefully you should be able to see them more clearly now.


You should now be able to click the image previews to open them at full size in a new tab.

I’m afraid we’ve obscured the landing page URL for security’s sake, but often these landing pages are hosted on multiple sites – usually legitimate business websites that have been hijacked in advance.

Thank you.

If your computer is receiving emails that have links to malware or download malware then your email service is not protecting you. Many times on Which I have complained about BT's American email service, whose server doesn’t offer virus protection, but its “opposite number”, Yandex, a Russian email service, does – for free. I have watched virus emails being downloaded to my email client by BT Mail but not by Yandex, which puts them in trash/junk. Why? Because it does the interrogating for you. It's my one criticism of the BT service, as BT has been very helpful to me even in the past few days. You can install many apps that block this type of thing and even pay for your emails to be intercepted to check for viruses.

I mentioned before I had trouble getting Which's surveys to click on – yes/no – that BT Mail was putting it into the spam folder and so my email client wasn’t getting them. I have found a linkup: it seems BT Mail has been putting several email addresses with the same start word into the spam folder, and that word is INFO, obviously a “keyword” for spam in their book. I have put them down as “safe mail” and will watch to see if this works.

An interesting and timely topic. This morning a PayPal email was waiting for me, telling me the usual – that the account had been compromised, etc. and offering the usual link. There was, however, an interesting development with the link.

Instead of a ‘cloaked’ link, it appeared to be a genuine URL – https://www. etc.. and it wasn’t until I examined its code I could see the redirect. Very subtle, very hard to see and far more sophisticated than any previous scams.

Scam emails have become so common that it is time to make it illegal for any company or other organisation handling money to include links in emails. A good start would be a Which? campaign.

Anne Broad says:
16 May 2017


Talking of links in emails, I hope no Which regulars or posters use DocuSign, that provider of electronic signature technology, as it has been hacked and emails sent to – click on this – as the data stolen was customer and user email addresses.

The problem is that scam emails will still include the mischievous links and people will still click on them – giving them a problem. Clicking on a legitimate company’s link will not give a problem. I can only see education as the solution – don’t click on links.

Convos include unchecked links from trusted contributors. How do I know when “wavechange” includes a link that it is….er…wavechange and not a hacker?

Life is tricky, isn’t it.

I never use a link from any email unless I am very certain of the sender. Go to the site independently – through your bank’s for example.

It would help, malcolm, if people installed – Clean Links app – for Firefox/Chrome etc. or if, like me, you have Yandex, where I have installed Dr Web Link Checker + virus checker; yes, it works on Linux. It also works on Mac/iPhone/Ubuntu/Android as well as Windows. I also have a wide-range security app covering malware domains etc. which does work, bringing up a webpage telling you the website has malware. I tried it out on Windows a long time ago as I was ditching MS, so I know it works.

Duncan – My approach is not to click on links about anything financial and I keep a computer specifically for financial transactions. I may be living on borrowed time but I am not aware of a single problem. At work I used Windows computers to run software not available on the Mac and did have some annoying but not serious problems with malware.

Malcolm – It’s not easy to distinguish a spoofed email address from a real one so the best solution is to either ignore the email or contact the relevant organisation using the details provided on their website.

I look back to the early days of the World Wide Web and the NCSA Mosaic web browser, when we could enjoy using computers online without worrying about security issues.

And your opinion on the stupid idiot in government that is trying to remove an ISP's encryption, installing back-doors just like MS to make your computer always vulnerable to hackers so all your security is made null and void, as per the latest NSA back doors malware hackers obtained? Just look at the never-ending security updates to Windows – perpetually, just because they want total control of your computer. We could end up being a security liability to foreign countries' servers, and the internet in the UK being allowed limited international access; but wait a minute, that could be the aim anyway. You think the Snoopers Charter is bad enough, just wait till he gets his way. Number 1 spied-on country = UK. That's how servers work: if a computer that is heavily compromised tries to access some websites it can be blocked; that happens in the USA. As well as that, your IP address is made known as a danger to the web.

I don’t doubt that you have valid concerns, Duncan. When I set up my first website in 1995 I was able to have a very good idea of who was using it from the logs of IP addresses combined with other information such as emails. It’s best to assume that everything we do on computers is tracked. However, we need anything involving financial transactions to be as secure as reasonably possible.

kel meyler says:
14 January 2017

I regularly get emails from so-called PayPal; fortunately they do go into my scam box, so that gives me my first clue. I then forward them on to spoof@paypal.co.uk for them to confirm it's a scam email.

The other one ‘Which’ should look into is these computer scammers pretending to be from Talktalk, BT, Windows, whoever you may be with, informing you that they have detected a fault with your router or operating system. I am so used to them now that I have reached the point where I engage in conversation with them, pretending to follow their instructions, only to be cut off like a bolt of lightning when I mention the word scam to them.

Is PayPal using DMARC with their emails? If not, maybe it’s time for all companies to start using it, as it seems to help highlight fake emails. And for those not in the know … https://governmenttechnology.blog.gov.uk/2016/10/04/why-you-should-be-doing-dmarc/

DMARC operates along the lines of the Yandex Mail service I have. It has a spam and virus filter by Dr.Web (Russian virus control company); it moves that type of email into the junk box, i.e. virus-laden and phishing emails. It's just a pity BT Mail doesn't; I wish it did and then I would have a better time defending BT. William – PayPal is working on major mailbox providers to do just that – read PayPal Engineering: https://www.paypal-engineering.com/tag/dmarc/

bishbut says:
16 January 2017

I always read ALL emails at least twice, the second time very carefully if the first time of reading raises any slight suspicions. I look for anything that could be suspicious; many have the same things in them. I received one from Which which had suspicious-looking things in it, so I checked with Which by a known web address. It was genuine. If in any doubt at all I delete, if I cannot check by other means than that on the email. I know that I have deleted genuine ones; better be safe than sorry. Some people will always fall for the most simple and known-about scam. Fact! People??

Patrick Taylor says:
16 January 2017


Reportedly one of the most convincing phishing attacks yet.

Alan Braddock says:
16 January 2017

I get quite a lot of these; they are so infantile, it amazes me that people fell for them. I just junk them – in fact anything from PayPal. The best cure for all these scams is quite simple – Don’t believe anybody who emails or phones you about money and furthermore – DON’T BANK ONLINE – I spent 30 years in the computer industry and there isn’t anything that cannot be compromised. When buying online get yourself a Credit card with a very low limit – say £500 – not linked directly to your bank account – and only use that (never use a Debit card online). Then you’ll only lose that amount. (Oh, and just wait till somebody finds out how to knock out satellite software, then we’ll really have fun…)

Now if I had said that last line, Alan – con. theorist would spring to many minds. You're quite right of course, but you are up against “society” telling you to buy-buy-buy on the Internet. The whole global economy is now hinged on Internet banking and service, aka Globalisation; it's just going to get worse. They will refuse to take your advice because it goes against modern capitalism, so the small man/woman will continue to get ripped off. Just wait till we are all forced onto online banking. Get rid of this banking system and go back to gold and keep within our means. It's all down to control; they control us.

bishbut says:
16 January 2017

Any system that uses computers or systems is not 100% secure. If someone wants to break into any system they can, and many will. Those just messing about on a computer quite often get access by accident and then can do whatever they want. But I still use mine knowing that, silly me.

I'm on Talktalk mail and I don't think they do anything against spam. I report about eight a day to Talktalk. If I get mail from my bank, Amazon or PayPal I never go onto a link; I go into my account from a new tab, and if I have no new mail on their site I report the spam to them.

Stuart – I have never bothered checking up on Talk-Talk Mail, as you are the first poster I have come across that has made a point of this. As you know, I am with BT Mail, of which I have complained about the same thing, but I see recently they have put any into the junk; I will be keeping an eye on that. I also have Yandex Mail, which definitely has a spam/virus filter, but I was shocked on checking out several official Talk-Talk forums that they are full of complaints about this and Talk-Talk doesn't seem to do anything about it. Anything from 20 to 100 a day, it seems, and the astute person getting those 100/day checked into the URL – it was coming via Opaltelecom.net – who, surprise surprise, found that the company is a subsidiary of Talk-Talk. You can see the financial “incentive” not to take action (at least the person at the receiving end of 100 SPAM emails/day did). Stop press! One poster is now getting 200 SPAM emails a day. Talk-Talk, after many complaints, said they have blocked it now, BUT another poster wrote in saying, quote, they just changed the domain name and – 200 SPAM/day. My point: it's perfectly possible with the correct virus control on the server to block this, but many companies won't do it as it is lost revenue, and YES!! they can distinguish spam from normal mail, they just won't do.

[Sorry, your comment has been removed for breaching Community Guidelines https://conversation.which.co.uk/commenting-guidelines/. Thanks, mods.]

[Sorry, Duncan, your comment has been removed because of the above. Thanks, mods.]

Dorothy says:
16 October 2017

The one I got this morning seems to be even worse, as when I used forward to PayPal's spoof address as requested by them the text changed to some personal details which may or may not be genuine. I can forward to Which if you wish.

alan moore says:
12 August 2018

Had email 10/08/2018 from PayPal stating that my debit card (the last 4 numbers shown on msg) was about to expire; actual expiry date is 01/19. It is a bit of a worry how they have my card number.