Fake Browser-Update Pop-up Delivering PayPal Credential-Stealing Malware
Malicious websites targeting PayPal users display convincing browser-update overlays that, when clicked, install keyloggers or form-hijacking malware that captures PayPal login credentials and card details the next time the victim visits paypal.com.
Last reviewed: 8 June 2026
Browser-update pop-ups are a well-established malware delivery technique: a convincing overlay appears on a website claiming the user's browser is outdated and needs updating to continue. The download button delivers malware rather than a real browser update. When these pop-ups are paired with PayPal's branding or appear on sites that PayPal users frequently visit, the psychological combination — a known trusted brand plus an urgent technical prompt — reduces scepticism.
The malware delivered by fake browser-update overlays targeting PayPal users typically functions as a form-stealer or keylogger. Rather than attacking PayPal's systems directly, it silently monitors the victim's browser activity and captures data entered into forms — including the PayPal login fields — the next time the victim visits paypal.com legitimately.
This makes the attack especially hard to spot: the victim's own PayPal session looks completely normal, but in the background their credentials and any payment details they enter are being exfiltrated.
How this scam works on the PayPal brand
Genuine browser updates are delivered through the browser application itself — Chrome updates through its built-in update mechanism, Firefox through its own update flow — never through pop-up overlays on third-party websites. Any website that claims your browser must be updated via a download from that site is attempting to deliver malware.
The PayPal-targeted variant commonly appears on compromised WordPress sites, counterfeit PayPal help-article pages, and sites that rank highly in searches for 'PayPal customer support.' The overlay claims that PayPal requires an updated browser version to process secure payments, and that the victim's browser is incompatible.
After the malware installs, the victim returns to paypal.com as normal. The malware hooks into the browser's form-submission events and forwards entered usernames, passwords, and any payment-card numbers to the attacker's server before submitting the form to PayPal itself — the victim never notices the interception.
Common red flags
- A website displays a pop-up claiming PayPal requires a browser update and offers a download
- The pop-up overlay looks like a browser UI but is actually part of the webpage
- The download is an executable or installer, not a browser update from your browser's official settings
- The site you are on is not paypal.com but references PayPal prominently
- The pop-up warns of 'PayPal security certificate errors' or 'outdated PayPal security module' — these are not real technical concepts
- Closing or ignoring the pop-up makes the underlying page inaccessible — high-pressure manipulation
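The red flags above, expressed as a check that a content filter or analyst script could run over a page snapshot. This is an added example, not code from PayPal or any browser vendor; the snapshot fields (`overlays`, `viewportCoverage`, `blocksPageUntilClicked`, `downloadLinks`), the phrase and extension lists, and both sample pages are assumptions constructed for illustration.

```javascript
// Heuristic lists are illustrative assumptions, not an exhaustive ruleset.
const EXECUTABLE_EXT = /\.(exe|msi|scr|bat|cmd|dmg|pkg|apk)$/i;
const UPDATE_LURE = /\b(update|upgrade|outdated|incompatible)\b/i;
const BROWSER_WORD = /\b(browser|chrome|firefox|edge|safari)\b/i;
const BOGUS_TERMS = /security certificate error|security module/i;

// True only for paypal.com and its subdomains; "paypal.com.example.net" fails.
function isPayPalHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return h === "paypal.com" || h.endsWith(".paypal.com");
}

// Returns the distinct red flags raised by one page snapshot.
function redFlags(snapshot) {
  const flags = [];
  const host = new URL(snapshot.url).hostname;
  if (!isPayPalHost(host) && /paypal/i.test(snapshot.text)) {
    flags.push("paypal-branding-off-domain");
  }
  for (const el of snapshot.overlays) {
    // An in-page element posing as browser UI: pinned over the viewport
    // and talking about a browser update.
    const covers = el.position === "fixed" && el.viewportCoverage >= 0.5;
    if (covers && UPDATE_LURE.test(el.text) && BROWSER_WORD.test(el.text)) {
      flags.push("in-page-update-overlay");
      if (el.blocksPageUntilClicked) flags.push("page-blocked-until-download");
    }
    if (BOGUS_TERMS.test(el.text)) flags.push("invented-security-term");
  }
  for (const href of snapshot.downloadLinks) {
    // Resolve relative links and ignore the query string before checking the extension.
    const path = new URL(href, snapshot.url).pathname;
    if (EXECUTABLE_EXT.test(path)) flags.push("executable-download");
  }
  return [...new Set(flags)];
}

// Constructed snapshots (not real sites).
const lure = {
  url: "https://paypal.com.help-centre.example/support",
  text: "PayPal customer support",
  overlays: [{ position: "fixed", viewportCoverage: 1, blocksPageUntilClicked: true,
    text: "Your browser is outdated. PayPal security module requires an update." }],
  downloadLinks: ["/files/BrowserUpdate.exe?id=7"],
};
const genuine = { url: "https://www.paypal.com/signin", text: "Log in to PayPal",
  overlays: [], downloadLinks: [] };
```

The hostname check is the part most often done wrong: matching on the substring "paypal.com" would accept the lure's hostname, which is why the function compares the end of the name instead.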
How to protect yourself
- Always update your browser through its own settings menu — never through a pop-up on a website
- Keep browser and OS updates current through official channels so attackers cannot use genuine outdated-software warnings convincingly
- Use a dedicated browser profile for PayPal only, which reduces the risk of cross-site malware exposure
- Install a reputable browser extension that blocks malicious sites and pop-ups
- Run a malware scan immediately if you downloaded a file from a PayPal-branded update pop-up
- Enable PayPal's one-time login verification by email to detect any new sign-in attempts
How to report it
- Report the malicious website to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/
- Forward any related phishing emails to [email protected]
- File a report with the FTC at reportfraud.ftc.gov
- Report to IC3.gov (US) or to Action Fraud on 0300 123 2040 (UK)
- If credentials were captured, change your PayPal password and linked email password immediately
Frequently asked questions
How does form-stealer malware work without me noticing?
Form-stealer malware hooks into your browser's internal event system to capture text entered into web forms before it is submitted. From the user's perspective, the PayPal login works normally — the malware acts invisibly as a silent interceptor.
Does running antivirus software protect against this type of malware?
Modern antivirus software can detect many forms of form-stealing malware, but some variants use obfuscation techniques to evade detection. Keeping antivirus definitions updated and avoiding running unknown executables from websites are the best combined defences.
If I already ran the download, what should I do?
Disconnect from the internet, run a full malware scan using up-to-date security software, and change your PayPal password and linked email password from a clean device. Contact PayPal support to flag potential account compromise and review recent transaction history.