Reason to be careful if ‘PayPal’ says you have changed your email address

Graham Cluley
Graham Cluley
@

 @grahamcluley.com
 @[email protected]

Have you received a notification claiming that your PayPal email address has changed?

Messages like the following have been spammed out to internet users:

PayPal phishing

Subject: You have changed your PayPal email address

Sign up to our free newsletter.
Security news, advice, and tips.

Attachment: Personal Profile Form - PayPal-.htm

Message body:
Dear PayPal Customer,

You have added [EMAIL ADDRESS] as a new email address for your Paypal account.

If you did not authorize this change, check with family members and others who may have access to your account first. If you still feel that an unauthorized person has changed your email, submit the form attached to your email in order to keep your original email and restore your Paypal account.

NOTE: The form needs to be opened in a modern browser which has javascript enabled (ex: Internet Explorer 7, Firefox 3, Safari 3, Opera 9)

Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

If you choose to ignore our request, you leave us no choice but to temporary suspend your account.

Sincerely, PayPal Account Review Department.

Attached to the email is an HTML form (Personal Profile Form – PayPal-.htm), that requests you enter your personal information.

Of course, the email is not really from PayPal (who would never send you an HTML form via email anyway), and any information you enter will soon be in the hands of phishing cybercriminals.

PayPal is one of the most phished brands on the internet, as unlike traditional banks it has a truly global presence increasing the chances of a scammer successfully hooking a victim when they spam out their attacks en masse.

PayPalTo its credit, PayPal offers advice about phishing on its website, and has even created a “Can you spot phishing?” challenge to help educate its users about the dangers.

The PayPal website asks that if you receive a spoof email to forward it to their security team.

Make sure that you take care when receive unsolicited emails, seemingly from PayPal. It could be that in your haste to fix a security problem you are handing your credentials over to a criminal.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.