PayPal Account Takeover via Credential Stuffing and Fake Verification
Attackers use email and password combinations from previous data breaches to attempt automated PayPal logins, then phone victims claiming to be PayPal security to harvest the OTP needed to complete the takeover — blending technical and social-engineering techniques.
Part of: Account Takeover Scams
Last reviewed: 7 June 2026
Credential stuffing is an automated attack in which username and password pairs harvested from breaches at other websites are replayed against a target platform, in this case PayPal. Because many people reuse passwords across services, some fraction of the pairs work; even a success rate well below one percent yields many compromised accounts when millions of pairs are tried. PayPal is a high-priority target for this technique because a successful login gives direct access to money.
When automated stuffing succeeds at the credential stage but is blocked by PayPal's OTP requirement, the attacker pivots to social engineering. The victim receives a call from 'PayPal's fraud prevention team' warning that their account has been accessed by a suspicious third party from an unusual location. The fabricated story is both alarming and convenient — it explains why the OTP just arrived and why the victim should share it.
This combined attack (technical stuffing followed by social-engineering OTP capture) is more effective than either technique alone. The technical stage confirms that the password is valid and, where the login gets far enough to expose it, supplies real account data the fraudster can reference (balance, recent transactions), making the subsequent call more convincing.
How this scam works on the PayPal brand
PayPal detects credential-stuffing attempts and applies friction — OTP challenges, CAPTCHA, and rate limiting. However, some attempts succeed, especially with fresh credential data. The victim typically has no knowledge that their credentials were tested until the OTP arrives on their phone without any action on their part.
When the password is accepted but the login is held at an OTP challenge, the attacker immediately calls the victim under the pretence of warning about the attack they are themselves conducting. The victim's name and email address come from the breach data; a balance or recent transaction can only be quoted if the partial session exposed it. Whatever the source, the details are used to seem legitimate.
Once the OTP is shared, the attacker completes the login, changes the registered phone number to prevent future OTPs reaching the victim, and initiates the fastest available withdrawal — typically to a linked bank account or a PayPal balance transfer to another account.
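From the service operator's side, the friction described above has to be triggered by something. The following is an added example written for this page, not PayPal's detection code: it scans constructed authentication log lines (the line format, outcome labels and thresholds are all assumptions) for the stuffing signature, one source trying many different accounts with mostly failed passwords, and then lists the accounts whose password was accepted from such a source, since those are the users who just received an OTP they did not request and are about to get the phone call.

```python
"""Credential-stuffing detection over authentication logs (added example).

Assumed log format, one event per line:
    <ISO-8601 UTC timestamp> <source IP> <account> <outcome>
where outcome is PASS_OK (password accepted, OTP challenge issued),
PASS_FAIL (wrong password) or NO_SUCH_USER.  Not PayPal's real format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (PASS_OK|PASS_FAIL|NO_SUCH_USER)$")

# Constructed sample: 203.0.113.7 cycles through eight different accounts in
# four seconds with one hit (dave); 198.51.100.4 is a real user mistyping
# once; 192.0.2.9 is a normal single login.
SAMPLE_LOG = """\
2026-06-07T09:00:01Z 203.0.113.7 alice@example.com PASS_FAIL
2026-06-07T09:00:02Z 203.0.113.7 bob@example.com NO_SUCH_USER
2026-06-07T09:00:02Z 203.0.113.7 carol@example.com PASS_FAIL
2026-06-07T09:00:03Z 203.0.113.7 dave@example.com PASS_OK
2026-06-07T09:00:03Z 203.0.113.7 erin@example.com PASS_FAIL
2026-06-07T09:00:04Z 203.0.113.7 frank@example.com PASS_FAIL
2026-06-07T09:00:04Z 203.0.113.7 grace@example.com NO_SUCH_USER
2026-06-07T09:00:05Z 203.0.113.7 heidi@example.com PASS_FAIL
2026-06-07T09:01:10Z 198.51.100.4 ivan@example.com PASS_FAIL
2026-06-07T09:01:25Z 198.51.100.4 ivan@example.com PASS_OK
2026-06-07T09:05:00Z 192.0.2.9 judy@example.com PASS_OK
"""

# Assumed thresholds: a single source touching this many distinct accounts
# inside the window, with this share of failures, is treated as stuffing.
MIN_ACCOUNTS = 5
MIN_FAIL_RATIO = 0.75
WINDOW = timedelta(minutes=10)


def parse(log_text):
    """Return a list of (timestamp, ip, account, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crashing the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_stuffing(events, min_accounts=MIN_ACCOUNTS,
                    min_fail_ratio=MIN_FAIL_RATIO, window=WINDOW):
    """Map of source IP -> stats for every source whose sliding window
    shows many distinct accounts and a high failure share."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {e[2] for e in win}
            failures = sum(1 for e in win if e[3] != "PASS_OK")
            ratio = failures / len(win)
            if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
                # keep the widest window seen for this source
                if ip not in flagged or len(accounts) > flagged[ip]["accounts"]:
                    flagged[ip] = {"accounts": len(accounts), "fail_ratio": ratio}
    return flagged


def accounts_needing_warning(events, flagged):
    """Accounts whose password was accepted from a flagged source: they got
    an OTP they did not ask for and are the social-engineering targets."""
    return sorted({e[2] for e in events if e[1] in flagged and e[3] == "PASS_OK"})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    print("stuffing sources:", hits)
    print("warn these accounts:", accounts_needing_warning(evs, hits))
```

The thresholds are deliberately loose for a short sample; in production they are tuned per endpoint and combined with the CAPTCHA and rate-limiting controls mentioned above, and attackers spreading attempts across proxy pools will require keying on more than the source IP (for example user-agent, TLS fingerprint or ASN). The useful output for the fraud-prevention side is the last list: those customers can be told, through a channel the attacker does not control, that the code they just received was not requested by them.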
Common red flags
- An OTP arrives from PayPal without you attempting a login
- A call immediately after the OTP, claiming to be PayPal fraud prevention
- The caller references your PayPal balance, name, or a recent transaction to establish credibility
- You are asked to read the OTP 'to confirm it was sent to the right number'
- The call urgency is framed around stopping a third-party attacker — but the real attacker is the caller
- After the call, you lose access to your PayPal account
- You receive a notification that your registered phone number was changed — the attacker is locking you out
How to protect yourself
- Use a unique password for PayPal not used on any other site; stuffed credentials from other breaches then never match, so the attack fails at the password stage
- Enable two-factor authentication via an authenticator app rather than SMS; this removes the SIM-swap and SMS-interception risk, but a code from an app can be read out to a caller just as easily, so the next rule still applies
- Never share a PayPal OTP with any caller, even one who accurately describes your account
- If an unexpected OTP arrives, do not share the code; open paypal.com directly (not a link from a message or a number given by a caller) and change your PayPal password immediately
- Use a password manager to generate and store a distinct PayPal password
- Review your PayPal login history in Security Settings regularly for unrecognised IP addresses
- Enable biometric login on the PayPal app for an additional device-side protection layer
How to report it
- Report to [email protected] with details of the call and OTP request
- If the account was accessed, contact PayPal through the Resolution Center immediately
- File a complaint with the FTC at reportfraud.ftc.gov
- Report the suspicious call to the FCC at consumercomplaints.fcc.gov
- If money was stolen, file a report with the FBI's IC3 at ic3.gov
Frequently asked questions
What is credential stuffing and how does it target PayPal users?
Credential stuffing is an automated process that tests username and password pairs from data breaches against a target service. If you have used the same password on another site that was breached, attackers may be able to access your PayPal account with those credentials.
If I receive an unexpected PayPal OTP, what does it mean?
It means someone has your PayPal login credentials and is attempting to complete a login. Do not share the code. Go to paypal.com directly and change your password immediately. Enable two-factor authentication if you have not already.
How can I check if my email was involved in a data breach?
Use a service such as haveibeenpwned.com to check whether your email address appears in known breach datasets. If it does, change your password on any service where you used the same credentials, prioritising financial accounts like PayPal.
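Checking whether a password itself has appeared in a breach corpus, rather than only the email address, is the direct test of the reuse problem behind this scam. The block below is an added example, not part of the original page and not code from PayPal or Have I Been Pwned: it implements the client side of the Pwned Passwords range lookup, in which only the first five hex characters of the password's SHA-1 hash leave the machine and the match is made locally against the returned suffixes. The range response is constructed inside the code so the example runs offline; the `fetch_range` helper performs the live lookup against the documented `/range/` endpoint and is provided for real use but is not called here.

```python
"""k-anonymity breached-password check (added example).

Pwned Passwords range API, as documented by the service: GET
https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1> returns one
"<remaining 35 hex>:<count>" line per known hash with that prefix.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """(prefix sent to the service, suffix kept local)."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def count_in_range(password: str, range_text: str) -> int:
    """Match the local suffix against a range response body.

    Returns the breach count for the password, or 0 if it is absent.
    Malformed lines are ignored so a partial or padded response cannot
    crash the check.
    """
    _, suffix = split_hash(password)
    for line in range_text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            try:
                return int(count)
            except ValueError:
                return 0
    return 0


def fetch_range(prefix: str, timeout: float = 10) -> str:
    """Live lookup (network).  Only the 5-character prefix is transmitted."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def constructed_range_for(password: str, count: int = 42) -> str:
    """Build a fake response containing the real suffix of `password` plus
    filler entries, so the matching logic runs without a network call.
    (Constructed data for this example, not a real service response.)"""
    _, suffix = split_hash(password)
    lines = ["0" * 35 + ":3", f"{suffix}:{count}", "F" * 35 + ":1"]
    return "\r\n".join(lines) + "\r\n"


def is_breached(password: str, range_text: str) -> bool:
    return count_in_range(password, range_text) > 0


if __name__ == "__main__":
    candidate = "password123"
    body = constructed_range_for(candidate)  # swap for fetch_range(prefix) to go live
    print(candidate, "seen", count_in_range(candidate, body), "times")
```

Run the check on a candidate password before adopting it, never by pasting a live PayPal password into a third-party web form; the whole point of the range design is that the service sees only a 5-character prefix shared by many hashes.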