
That "Pending PayPal Charge" Email Is a Scam — Even Though It Really Came From PayPal
If an email recently landed in your inbox with a subject line like "Pending charge of USD 987.90 for account activation. Questions? Call (855) 629-1161" — don't call that number. Don't click anything. And whatever you do, don't panic-dial to "stop the charge."
You're being targeted by one of the cleverest scams going right now, and the reason it works is uncomfortable: the email genuinely came from PayPal.
The trick is in the subject line, not the email
When most people think "phishing email," they picture sketchy senders, broken English, and links to weird domains. This scam is the opposite. The email passes every authenticity check — SPF, DKIM, DMARC, all green. It comes from PayPal's actual mail servers. The fonts are right. The footer is right. The unsubscribe link works. If you forwarded it to a security expert and asked "is this really from PayPal?" they'd have to say yes.
So how is it a scam?
Scammers have figured out that PayPal lets anyone send small amounts of money to anyone else, and that PayPal will dutifully email the recipient a notification. The scammer sends you a payout of, say, one Hungarian forint — about a quarter of a cent. PayPal's system then automatically generates and sends you a real, legitimate, fully-authenticated email confirming the transaction.
Here's the catch: the email's subject line is whatever the scammer typed when they set up the payout. PayPal doesn't sanitize it. So they write something terrifying like "Pending charge of USD 987.90 — call this number with questions" and PayPal's servers cheerfully deliver that subject line straight to your inbox, wrapped in a perfectly legitimate-looking notification.
The actual transaction in the email body is for 1 forint. There is no $987.90 charge. There never was. But by the time most people read carefully enough to notice that, they've already dialed the number.
What happens if you call
The 855 number does not connect you to PayPal. It connects you to a call center full of scammers who have been waiting for someone exactly like you — alarmed, in a hurry, ready to do whatever it takes to stop a fraudulent charge.
The script varies, but it usually goes something like this. The "agent" confirms your concern, looks up your "account," and tells you the charge is real but can be reversed. To do the reversal, they need to verify your identity and connect to your computer using a remote-access tool — AnyDesk, TeamViewer, something like that. Once you install it and give them the code, they have your screen.
From there, the playbook branches. Sometimes they pretend to refund you, "accidentally" transfer too much, and tearfully beg you to send back the difference in gift cards before their boss notices and fires them. Sometimes they open your banking app while screen-sharing and watch you type your password. Sometimes they install something nasty and call you back a week later with a new angle.
In every version, the goal is the same: get money out of you, or get credentials they can use to take it later. People have lost their entire retirement savings to this exact scam. It is not hypothetical.
How to spot it
A few tells, in rough order of usefulness:
The phone number is in the subject line. Real PayPal notifications never put a customer service number in the subject. They link you back to your account.
The amount and the urgency don't match anything you did. You didn't sign up for a service. You don't have a pending account activation. The email is reacting to something that didn't happen.
When you scroll through the email body, the actual transaction amount is tiny, foreign, or nonsensical — one forint, a few rupees, something that doesn't relate to the scary number in the subject.
The email asks you to call rather than click. That's deliberate. Phone scammers are far more effective than written ones because they can adapt in real time, apply social pressure, and keep you off-balance.
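Those tells can be checked mechanically, which is useful precisely because the authentication results cannot be. The sketch below is an added example, not code from PayPal or from any mail filter; it runs over two constructed sample messages and assumes the Authentication-Results header was written by your own receiving mail server.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

PHONE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
AMOUNT = re.compile(r"\d[\d,]*\.\d{2}\b")

# Constructed samples (not real captures); the scam subject is the one quoted above.
SCAM = """\
From: service@paypal.com
Subject: Pending charge of USD 987.90 for account activation. Questions? Call (855) 629-1161
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com

You received a payout of 1.00 HUF.
"""
BENIGN = """\
From: service@paypal.com
Subject: You've got money
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

You received 25.00 USD.
"""

def auth_all_pass(msg):
    """True if the receiving server recorded spf, dkim and dmarc as pass."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))

def triage(raw):
    """Check one raw message for the content tells; authentication is reported, not trusted."""
    msg = message_from_string(raw)
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    body = msg.get_payload()  # samples are single-part text/plain
    tells = set()
    if PHONE.search(subject):
        tells.add("phone_in_subject")
    if re.search(r"\bcall\b", subject, re.I):
        tells.add("asks_to_call")
    subject_amounts = set(AMOUNT.findall(subject))
    if subject_amounts and not subject_amounts & set(AMOUNT.findall(body)):
        tells.add("subject_amount_not_in_body")
    suspicious = bool(tells & {"phone_in_subject", "subject_amount_not_in_body"})
    return {"authenticated": auth_all_pass(msg), "tells": tells, "suspicious": suspicious}

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("benign", BENIGN)):
        print(name, triage(raw))
```

Both samples come back authenticated; only the subject-versus-body checks separate them.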
What to actually do
If you get one of these, the answer is boring and it works every time:
Don't call the number. Don't reply. Don't click links in the email — not even the unsubscribe link. Open a fresh browser tab, type paypal.com yourself, and log into your account. Check your activity. You'll see either nothing, or a tiny incoming payment from a stranger that you can ignore.
Then forward the original email as an attachment to phishing@paypal.com and delete it. If you want to go a step further, report the phone number to the FTC at reportfraud.ftc.gov — every report makes it slightly harder for these operations to keep running.
And if you've already called? Don't beat yourself up — these scams are designed by professionals to fool smart people. Hang up, run a malware scan if you installed anything they asked you to install, change your PayPal and bank passwords from a different device, and call your bank's real fraud line (the number on the back of your card) to flag your accounts. Move fast, but you don't need to panic.
The bigger lesson
The old advice — "check the sender's address," "look for typos," "hover over links" — is no longer enough. Scammers have learned to launder their messages through real, trusted services so that every traditional red flag turns green. The sender is real. The links are real. The branding is real. Only the story is fake, and the story lives in places your spam filter doesn't look.
The defense, increasingly, is a single habit: when an email tells you something alarming about an account, don't respond to the email. Go to the service directly, on your own, the way you always do. If something is really wrong, you'll see it there. If you don't see it there, the email was lying.
That habit alone would have stopped almost every successful phishing scam of the last decade. It will stop this one too.
Stay safe out there.