Fake PayPal Subscription Renewal Phishing
Scammers send fake PayPal billing notices claiming that a subscription or service fee will be automatically charged and inviting recipients to cancel via a link — leading to a credential-harvesting page that captures PayPal login details.
Last reviewed: 7 June 2026
PayPal is widely used to process subscription payments for software, streaming services, and online tools. This means many PayPal account holders receive genuine subscription-renewal notifications regularly — and the format of these notifications is easily mimicked. Criminals send fake renewal alerts for services the recipient may or may not use, knowing that even an uncertain recollection of a subscription will motivate a click.
The fake renewal email claims that a payment of a specific amount — often in the range charged by common software or streaming subscriptions — will be debited from the victim's PayPal account in the next 24 hours unless the subscription is cancelled. A 'Cancel Subscription' button links to a phishing page rather than the real PayPal site.
The phishing page replicates PayPal's subscription-management interface. After the victim logs in to 'cancel', the attacker has their credentials and may simultaneously log in to the real PayPal account to drain the balance or change the linked bank account.
How this scam works on the PayPal brand
Real PayPal subscription renewals are managed through My Account > Payments > Manage Automatic Payments inside the PayPal dashboard. PayPal renewal emails come from @paypal.com and direct users only to paypal.com for any changes. If a victim logs in at paypal.com directly and sees no corresponding subscription in their automatic-payment settings, the renewal email was fake.
Fake renewal emails often name a plausible-but-unverifiable service — 'Premium Security Suite', 'Antivirus Pro Licence', or 'VPN Renewal' — chosen to be familiar enough to be credible but vague enough that the victim may not immediately remember whether they have such a subscription. The amount is often in the $200-$400 range to create sufficient financial urgency.
Some campaigns phone victims as a follow-up, claiming to be PayPal's cancellation department and offering to process the cancellation if the victim provides their account credentials over the phone. This combines the fake-renewal phishing approach with a support-call social-engineering layer.
Common red flags
- Renewal email from an address other than @paypal.com claiming a charge is imminent
- A 'Cancel Subscription' link that does not go to paypal.com
- Subscription described is one you do not clearly recognise
- Urgency: 'You have 24 hours to cancel or the payment will complete'
- A follow-up phone call from 'PayPal cancellation support'
- The renewal amount matches a well-known software or antivirus price rather than a subscription you recall setting up
- No corresponding subscription appears in My Account > Payments > Manage Automatic Payments on the real PayPal site
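For teams triaging reported mail, the first, second and fourth red flags above can be checked mechanically. The sketch below is an added example, not PayPal tooling or code from this page; the function names, flag labels, urgency phrases and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

TRUSTED = "paypal.com"
# Assumed phrase list, taken from the wording this page describes.
URGENCY = re.compile(r"\b(24 hours|will be (debited|charged)|cancel subscription)\b", re.I)

def on_trusted_domain(host):
    """True only for paypal.com or a subdomain; rejects paypal.com.renewals.example."""
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED or host.endswith("." + TRUSTED)

class LinkCollector(HTMLParser):
    """Collects every <a href> target in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def red_flags(raw):
    """Return the red-flag labels that a raw RFC 5322 message triggers."""
    msg = message_from_string(raw)
    body = "".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                   for p in msg.walk() if not p.is_multipart())
    flags = []
    sender = parseaddr(msg.get("From", ""))[1]
    if not on_trusted_domain(sender.rpartition("@")[2]):
        flags.append("sender-not-paypal")
    links = LinkCollector()
    links.feed(body)
    if any(not on_trusted_domain(urlsplit(h).hostname) for h in links.hrefs):
        flags.append("link-off-paypal")
    if URGENCY.search(body):
        flags.append("urgency-wording")
    return flags

# Constructed sample messages (not real campaign data).
FAKE = ("From: PayPal Billing <billing@paypal.com.renewals.example>\n"
        "Content-Type: text/html\n\n"
        "<p>Premium Security Suite: $349.99 will be debited in 24 hours.</p>"
        '<a href="https://paypal.com.renewals.example/cancel">Cancel Subscription</a>')
GENUINE_STYLE = ("From: PayPal <notice@paypal.com>\n"
                 "Content-Type: text/html\n\n"
                 "<p>You can review automatic payments in your account.</p>"
                 '<a href="https://www.paypal.com/">Manage Automatic Payments</a>')
```

A From header can be forged, so a clean sender check here does not replace SPF, DKIM and DMARC results from the receiving mail server.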
How to protect yourself
- Log in directly at paypal.com and check Manage Automatic Payments to see real active subscriptions
- Cancel any subscription through the PayPal interface directly — never via an email link
- Do not call the number in a renewal email — use the contact options at paypal.com if needed
- Enable PayPal transaction notifications to see real charges as they occur
- Verify email sender addresses carefully before acting on billing notifications
- Use a unique strong password for PayPal separate from other accounts
- Forward suspicious renewal emails to [email protected] before deleting them
How to report it
- Forward the phishing email to [email protected]
- Report through the PayPal Security Center at paypal.com
- File a complaint with the FTC at reportfraud.ftc.gov
- If credentials were entered, change your PayPal password immediately and review account activity
- Report the phishing domain to Google Safe Browsing
Frequently asked questions
How do I check what subscriptions are active on my PayPal?
Log in at paypal.com, go to Settings, then Payments, then Manage Automatic Payments. This lists every active subscription and billing agreement on your account. Anything not listed there is not being charged through PayPal.
Can someone charge my PayPal without me setting up a subscription?
Not through the legitimate PayPal subscription system. However, if an attacker gains access to your PayPal account, they could set up payments from it. The renewal email scam aims to harvest your credentials, not charge you directly — the charge threat is the bait.
Why do fake renewal emails reference antivirus and security software?
Security software subscriptions are common, and many people are unsure whether they have auto-renewing coverage. The antivirus angle also creates an ironic extra layer: the victim may click quickly to cancel what they think is fraudulent software billing, which is itself the fraud.