![\"PayPal](\"https:\/\/www.europesays.com\/uk\/wp-content\/uploads\/2025\/10\/1761478514_939_960x0.jpg\")
<\/p>\n<\/p>\n
Do not pay, do not phone \u2014 PayPal attack warning<\/p>\n
Getty Images<\/p>\n
Updated October 26 with an official statement from PayPal regarding the do-not-pay, do-not-phone hack attack, as well as further advice on how to detect, deflect and deal with such threats.<\/p>\n
Gmail users have been warned of a surge in image-based attacks<\/a>, TikTok users are facing a VIP upgrade offer threat<\/a>, and Lastpass has urged users not to change their master passwords as a you\u2019ve been hacked<\/a> email circulates. Now, security experts at KnowBe4 have issued a warning for PayPal users as cybercriminals use a genuine PayPal email address to send an invoice. Paypal itself has responded to this attack with a \u2018do not pay, do not phone\u2019 warning. Here\u2019s everything you need to know about the latest scam that could prove costly if you don\u2019t follow the advice given.<\/p>\n ForbesAct Now \u2014 Microsoft Issues Emergency Windows Update As Attacks BeginBy Davey Winder<\/a>PayPal Invoice Attack \u2014 What You Need To Know<\/p>\n The latest PayPal attack warning dropped into my email from the folks at KnowBe4 this week, informing me to be aware of a scam that purports to be from PayPal and is even delivered from a genuine PayPal email address. \u201cYou receive an email from a real PayPal email address,\u201d the email warned, which \u201ccontains an invoice for a large purchase you did not make, and a phone number for you to call if you want to dispute the charge.\u201d<\/p>\n This may well sound familiar, not least as this type of TOAD attack<\/a> is something I have detailed before. A Telephone-Oriented Attack Delivery threat usually contains a PDF invoice or other seemingly official document, along with messaging that uses urgency and fear of financial loss to persuade victims to call an adversary-controlled phone number.<\/p>\n Indeed, the actual PayPal version of the TOAD attack is not new either. I have warned again<\/a> and again<\/a> of the dangers of this scam. But nevertheless, it would appear, the very same attack is doing the rounds once more.<\/p>\n ForbesLastPass Warns \u2018Are You Dead?\u2019 Master Password Hack Attacks OngoingBy Davey Winder<\/a><\/p>\n \u201cCybercriminals create a PayPal account and use it to send you a fake payment invoice,\u201d KnowBe4 warned, \u201cthe email you receive is real, but the invoice is not, and if you call the phone number in the email, you will not be connected to PayPal’s support team.\u201d Instead, you get through to a threat actor impersonating a PayPal support worker but whose aim is to relieve you of your credit card details in order to refund you, or even ask for a fee to fix your \u2018hacked\u2019 account.<\/p>\n Scammers can \u201csend fraudulent invoices, send fake messages using the involved messaging services, and even insert fake messages in the company\u2019s \u2018refund\u2019 feature,\u201d Roger Grimes, KnowBe4\u2019s CISO advisor, said. \u201cThis particular scam, involving PayPal, has been around for many years as well. I\u2019m not sure why PayPal isn\u2019t better at detecting and blocking them,\u201d Grimes concluded.<\/p>\n PayPal Responds To The Do Not Pay Attack Warning<\/p>\n Of course, it\u2019s important to remember that such phishing attacks are not unique to PayPal, with many well-known brands targeted by attackers. Although security protections won\u2019t save you from this PayPal attack, as they cannot detect the email as fake, because it isn\u2019t, as far as the origin is concerned, you, as a human being, should be able to save yourself. The hackers still have to phish you, after all. The advice is clear: anyone receiving an unexpected or suspicious invoice or payment request, whether it appears to be from PayPal or another service, should not pay it or respond to it. PayPal tells me it is responding to the continual evolution of scamming tactics and methods, taking all the necessary steps to protect customers. These include a combination of manual investigations and technology to prevent fraud, including taking proactive actions like limiting scam accounts or declining risky transactions. But remember, be careful out there.<\/p>\n Furthermore, PayPal warns customers not to call any phone number, open any attachments or click on any links contained within \u201csuspicious invoices or money request messages.\u201d<\/p>\n Checking your PayPal account directly, not using any links in an email or document you have been sent, to look for suspicious transactions of the type that such phishing campaigns claim, is highly recommended, as this can stop you going any further before you even start.<\/p>\n ForbesSecure Your WordPress Website Now \u2014 8.7 Million Attacks In 48 HoursBy Davey Winder<\/a><\/p>\n If you think you may have already been tricked into doing so, and have shared any personal information or account details, then it\u2019s of the utmost importance that you change your PayPal password immediately. If you use this password for any other accounts, and please, please, please do not do that, as it expands your attack surface enormously for obvious reasons, then you must change those as well. Just make sure to use something unique and strong. A password manager is your friend here, as it makes the process of creating and using complex and random passwords, unique to each and every account and service, easy peasy. Enabling two-factor authentication shouldn\u2019t be something that you need reminding of, but I will anyway: so do it if you haven\u2019t already. Better still, switch to using a passkey if the option is available. PayPal also advised that in such circumstances, customers should contact both PayPal itself and the financial institutions concerned. <\/p>\n Enable your PayPal passkey now.<\/p>\n PayPal<\/p>\n PayPal has said that it partners with leading consumer protection institutions, such as the Better Business Bureau, American Association of Retired Persons, Federal Trade Commission and the Aspen Institute. PayPal has also launched a Smarter Than Scams campaign with the Financial Technology Association to raise awareness of the latest common fraud trends. I highly recommend taking a look at the PayPal anti-scam resources, even if you think you already know how to spot one.<\/p>\n I approached PayPal for a statement, and a spokesperson told me: \u201cWe do not tolerate fraudulent activity on our platform and our teams work tirelessly to protect our customers. We are aware of this phishing scam and encourage people to always be vigilant online and mindful of unexpected messages. If customers suspect they are a target of a scam, we recommend they contact Customer Support directly through the PayPal app or our Contact page<\/a> for assistance.\u201d <\/p>\n