You can usually spot scam emails through the sender information—not who’s listed in the From field, but what the message actually says. A legitimate email originates from servers tied to the site’s domain. But if PayPal’s recently notified you of a new address added to your account, proceed with caution. The sender will check out, but the email likely contains a phishing attempt.
As investigated by Bleeping Computer, this particular scam abuses PayPal’s gift address feature. When a new address is added, the company does generate a real email about the event (“You added a new address”). But bad actors can manipulate these messages by pasting a long message into an address field, then having the notification sent to an email account that functions as a distribution list.
The result is a phony warning embedded in a genuine email, which leads users to a fake support call center that instructs them to download and install software granting remote access to the PC. And because the notification about an added address gets forwarded to multiple email addresses, scammers can hit many targets at once. (Turns out scammers also try to work smarter, not harder.)
You can read the full details of the scheme in Bleeping Computer’s impressive write-up, which covers the outlet’s dig into the nuts and bolts of the ploy. As the article points out, PayPal needs to fix the issue by limiting the number of characters allowed in form fields.
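The fix described above, limiting what an address field accepts before its contents are copied into a notification email, can be sketched as server-side validation. This is an added example, not PayPal's or Bleeping Computer's code; the field names, length caps, patterns and sample inputs are assumptions constructed for illustration.

```python
import re
import unicodedata

# Hypothetical per-field caps (assumed for illustration; not PayPal's real limits).
MAX_LEN = {"name": 60, "line1": 100, "line2": 100, "city": 60, "postal_code": 12}
URL_RE = re.compile(r"(https?://|www\.)", re.IGNORECASE)
# Ten or more digits with optional separators looks like a phone number,
# which has no place in a name, street or city field.
PHONE_RE = re.compile(r"(?:\d[\s().+-]*){10,}")

# Constructed sample inputs: an ordinary address, and one whose street line
# carries a pasted message with a call-back number (fictional 555-01xx range).
LEGIT = {"name": "Alex Example", "line1": "2211 North First Street",
         "city": "San Jose", "postal_code": "95131"}
INJECTED = {
    "name": "Alex Example",
    "line1": "Constructed filler text with a phone number +1 (555) 010-0142 "
             "standing in for the pasted message. " * 3,
    "city": "San Jose",
    "postal_code": "95131",
}


def validate_address(fields):
    """Return a list of (field, reason) problems; an empty list means accept."""
    problems = []
    for key, value in fields.items():
        if key not in MAX_LEN:
            problems.append((key, "unexpected field"))
            continue
        # Normalize first so compatibility characters are counted and
        # matched in their canonical form.
        text = unicodedata.normalize("NFKC", value).strip()
        if len(text) > MAX_LEN[key]:
            problems.append((key, "too long"))
        # Control characters (newlines included) let a value spill into
        # extra lines of the notification email.
        if any(unicodedata.category(ch) == "Cc" for ch in text):
            problems.append((key, "control character"))
        if URL_RE.search(text):
            problems.append((key, "contains URL"))
        if key != "postal_code" and PHONE_RE.search(text):
            problems.append((key, "contains phone-like number"))
    return problems


if __name__ == "__main__":
    print(validate_address(LEGIT))
    print(validate_address(INJECTED))
```

The checks run before the address is stored, so a rejected value never reaches the email template; the length cap alone would already stop the long pasted message the article describes.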
However, whether or not PayPal makes such a change (at press time, Bleeping Computer was still awaiting a response from PayPal), this situation is a cautionary tale. As wise as it is to learn individual signs of scams, no single signal is enough to verify authenticity.
You should still learn them, of course. They help set off your spidey senses that something’s just not quite right. But to actually stay safe, lean on standard advice: Always use a number you’ve verified when calling a business and head directly to a website in a separate tab if asked to log in. PayPal users who logged in independently saw immediately that no new addresses had been added. Because they hadn’t clicked on a link to do so, they could breathe easy after getting that confirmation.
In general, we all have to be more careful about sophisticated scams, especially since they’re becoming more common in 2025. Injecting false info into a legitimate email won’t be the only clever attempt to dupe the unsuspecting—and thanks to AI aiding the bad guys just as much as the good guys, such campaigns will become even harder to spot.