🎯 Phishing by Proxy: How I Caught a Fake PayPal Payment Alert Before It Hooked Me

A real-looking scam hiding in plain sight

Why It’s Important

Phishing emails are getting bolder. This wasn’t just a spammy message, it was a cleverly crafted callback scam sent from a legitimate PayPal domain. It used PayPal’s own infrastructure to deliver a fraud attempt designed to trick me into calling a fake number or panicking over a made up transaction.

Even more alarming? It slipped past spam filters and appeared authentic. If you’ve ever received an email about a surprise transaction and considered calling “customer service,” this one’s for you.

---

What Happened and Why It’s Suspicious

I received an email from service@paypal.com with the subject line:

“Your automatic payment status has changed.”

At first glance, it looked legit - even passing DKIM and DMARC authentication, which typically confirms the email came from the real PayPal mail servers. But digging deeper revealed a trap.

Red Flags in the Header

Here’s where the scam reveals itself under scrutiny:

• SPF SOFTFAIL: The SPF (Sender Policy Framework) check failed softly. This suggests the message wasn’t authorized by the domain’s sending policy, even though it passed other checks. It may be a forwarded message or spoofed under controlled conditions.

• Wrong Recipient Routing: The email’s visible “To” address was Invoice Update <receipt10@fldiscover.review>, not my Gmail. This mismatch indicates the email was blasted out in bulk - a tactic used by scammers hoping it lands in someone’s inbox.

• ARC Authentication Passes: ARC (Authenticated Received Chain) logs show the message bounced through valid servers. But this alone doesn’t prove intent, just delivery.

---

Red Flags in the Content

Here’s what the email said and why it screamed “scam.”

• No Personal Greeting: Instead of using my real name (which PayPal always does), it started with:
  
  “Hello Invoice Update”
  

• Suspicious Transaction: It claimed a canceled automatic payment for:
  
  Apple Store USA - iPhone 17 Pro Max 512GB - Amount: ¥4999.00 JPY
  
  But I never had any such payment scheduled.
  

• Bogus Contact Info:
  

  • “Customer Service Email”: donot-reply@apple.store

  • “Customer Service URL”: http://www.applestore.usa.com
    These domains are not owned or operated by Apple and are likely setup for phishing or malware drops.
    

• Obfuscated Phone Number: The “Note from seller” included a weird Unicode version of a phone number, designed to bypass spam filters while prompting users to call, classic callback phishing.

• Real PayPal Template: The design and footer were genuine, as scammers used PayPal’s legitimate invoice/billing email infrastructure to send the message. This creates a false sense of legitimacy.
  

☕Want to support my work? Consider buying me a coffee

---

What This Scam Tries to Do

This type of attack is called callback phishing. Instead of tricking you into clicking a fake link, the email urges you to call a number, usually under the guise of a fraudulent charge. Once you call, scammers might:

• Convince you to install remote-access tools

• Extract sensitive account info or card numbers

• Trick you into “refunding” an amount you never paid

• Use social engineering to manipulate you further

By leveraging real brands (PayPal and Apple) and delivery from authentic mail servers, it bypasses many traditional email security measures.

---

How to Keep Yourself Safe

If you receive an email like this, here’s how to break the scam’s spell before it hooks you:

1. Never call numbers in suspicious emails
   Instead, go to the official site (like paypal.com or apple.com) and contact support through verified channels.
   

2. Check for your name
   If a PayPal email doesn’t include your full name, it’s likely a scam. Legitimate PayPal messages always use your full registered name.
   

3. Inspect email addresses and URLs
   Don’t trust what’s visible - hover over any links to reveal hidden destinations. Avoid clicking on anything if you’re unsure.
   

4. Report and delete
   Forward phishing attempts to spoof@paypal.com, then delete the email from your inbox and trash.
   

5. Log into PayPal directly (don’t click links)
   Navigate to Activity → Subscriptions and look for:

   • Invoice ID: I-KJVS813WG0A4

   • “Apple Store USA” or similar fake merchants
     If anything appears, cancel or report it immediately.
     

6. Enable Two-Factor Authentication (2FA)
   It adds an extra layer of protection if scammers somehow gain your login credentials.
   

7. Use mail filters to stop future attempts
   For example, in Gmail:

   • Search for emails that contain:
     applestore.usa.com, donot-reply@apple.store, or “automatic payment is no longer active”

   • Then create a rule to automatically delete them.

---

How to Double-Check Inside PayPal

If you’re concerned this kind of scam targeted your account:

1. Visit paypal.com manually.
   

2. Click on:

   • Settings → Security → Manage your logins

   • Activity → Automatic Payments
     

3. Cancel any unknown agreements.
   

4. Also check:

   • Connected apps

   • Recent logins
     Remove any you don’t recognize.

---

What Makes This Tactic Effective

The reason this scam almost fooled me is that it came from a legitimate source. The email passed DMARC and DKIM, used official branding, and arrived through PayPal’s real servers.

But here’s the trick: while delivery was authentic, the content wasn’t. PayPal allows merchants to create invoices or billing notices. Scammers exploit that feature, fill in fake details, and wait for someone to bite.

That’s why authentication checks alone aren’t enough to prove legitimacy. The context and content matter just as much.

---

One Smart Tool That Can Help

🛡️ Try using a transaction monitoring service like Privacy.com to create virtual cards for online subscriptions. That way, even if scammers try charging a fake agreement, they’ll hit a firewall, not your real card.

You can also revoke access instantly without canceling your actual credit card.

Stay One Step Ahead

Hackers are evolving and now they’re borrowing trust from the very platforms we rely on. Learn to trust actions, not appearances.

🚀 Ready to level up your digital security?

👉Schedule a free consultation for a personalized risk evaluation.

👉Follow for real-world guides, tools, and exclusive insights:

Stay Connected

Substack | BlueSky | CyberLifeCoach | Gumroad | FastAlert

Stay sharp, stay secure.

-CyberLife Coach

---

Have you ever received a suspicious invoice email that looked completely real? What tipped you off, or what almost fooled you?

Comments

[Kayla]

Thank you for posting this! I just received the same email and this helped me fact check it!

[Cyber Safety Watchdog]

Great post! It’s ironic they would be so advanced with the PayPal domain but so messy with the other details!