New type of PayPal spam discovered

News by Roi Perez

Security researcher Troy Hunt has come across a new type of spam – $0 invoices from PayPal accounts. These emails evade spam filters as they fail to trigger the typical characteristics of a suspicious email.

Sharing a screencap on his website of an email of dubious origin, Hunt explains how the email managed to get through to him as it is in fact a legitimate PayPal email, just one that asks for no money.

When looking into the email, Hunt said he checked all the indicators that might show whether or not it was genuine, but found the email was from, the mail headers were correct and the “View and Pay Invoice” button linked directly to 

So he got in touch with PayPal by email to discuss the situation.

After a conversation with PayPal on the topic, Troy said that, “Without any feedback from PayPal or other evidence to the contrary, it looks like they're serving as the delivery mechanism for spam which, of course, won't be flagged as spam because it's a “legitimate” email from them. The message in the 'invoice' is quite clearly just that – spam – and this is almost certainly an abuse of the PayPal invoicing system.” 

As of yet, PayPal have not found a solution to this problem. Graham Cluley chimed in and recommended that if you get sent a $0 invoice from PayPal to send it to

A PayPal spokesperson got in touch with SC to say that, “This is not an intended use of one of our merchant services and we are taking steps to prevent this from happening.”
