Scammers have found another way to get deceptive messages delivered through PayPal’s legitimate services. In December 2025, we reported that PayPal closed a loophole that let scammers send real emails with fake purchase notices.
In those cases, scammers created a PayPal subscription and then paused it, which triggered PayPal’s genuine “Your automatic payment is no longer active” notification. They also set up a fake subscriber account, likely a Google Workspace mailing list, which automatically forwarded any email it received to all other group members. Recently, ConsumerWorld org alerted us that tech support scammers have found a way to manipulate the subject line of PayPal payment notifications.
Read more…
Source: Malwarebytes Labs
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Newly discovered cyberspy crew targets Asian governments and corporations
September 6, 2022
A cyberespionage group has targeted government agencies and big-name corporations throughout Asia since at least 2020, using the notorious ProxyShell vulnerabilities in Microsoft Exchange to gain initial access. According to ESET, the crew it has dubbed as Worok may be associated with TA428, a similar group thought to be backed by China, that has been around ...
- Los Angeles school district says it was target of ransomware attack
September 6, 2022
The Los Angeles Unified School District, the second-largest collection of public schools in the United States, said it was targeted by a ransomware attack over the Labor Day weekend that caused “significant disruption” but did not lead to cancellation of classes. “Los Angeles Unified detected unusual activity in its Information Technology systems over the weekend, which ...
- SharkBot malware sneaks back on Google Play to steal your logins
September 4, 2022
A new and upgraded version of the SharkBot malware has returned to Google’s Play Store, targeting banking logins of Android users through apps that have tens of thousands of installations. The malware was present in two Android apps that did not feature any malicious code when submitted to Google’s automatic review. However, SharkBot is added in an ...
- KeyBank: Hackers of third-party provider stole customer data
September 3, 2022
Hackers stole personal data including Social Security numbers, addresses and account numbers of home mortgage holders at KeyBank, the bank reports, in the breach of a third-party vendor that serves multiple corporate clients. The hackers obtained the information on July 5 after breaking into computers at the insurance services provider Overby-Seawell Company, according to a letter ...
- IRS data leak exposes personal info of 120,000 taxpayers
September 3, 2022
The Internal Revenue Service has accidentally leaked confidential information for approximately 120,000 taxpayers who filed a form 990-T as part of their tax returns. IRS Form 990T is used to report ‘unrelated business income’ paid to a tax-exempt entity, such as nonprofits (charities) or IRA and SEP retirement accounts. This income is commonly derived from sales unrelated ...
- Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm
September 2, 2022
In March 2021, Trend Micro researchers investigated a backdoor with a unique modular architecture and called it BumbleBee due to a string embedded in the malware. Its type of modular framework has made Trend Micro static analysis more challenging because it required us to first rebuild its structure or use dynamic analysis to understand its ...

