PayPal Attack Warning: Dangerous Gmail Invoice Bypasses Email Security
www.forbes.com
Update, March 9, 2025: This story, originally published March 8, has been updated with in-depth mitigation advice from PayPal regarding attack attempts and tactics.

As Google starts rolling out AI-powered protections to save Android users from messaging and phone call scams, and PayPal makes a major move to improve login security by removing the need for 2FA codes, it seems that the scammers and hackers are reverting to tried and tested methods to evade protections and attack using email. Here's what you need to know and do.

PayPal Scammers Turn Back The Clock To Bypass Email Security Protections

Not all phishing attacks are driven by AI, sophisticated in nature, or even truly hard to detect. One such case has been highlighted by researchers at Malwarebytes which, nonetheless, remains dangerous and could cost you dearly if you fall victim. "PayPal scammers are using an old Docusign trick to enhance the trustworthiness of their phishing emails," Pieter Arntz, a malware intelligence researcher at Malwarebytes, warned. "To pull this off, the phishers set up a Docusign account and then use the templates provided by Docusign to send out legitimate looking invoices from PayPal."

Because the documents actually come from Docusign, they bypass multiple email security filters and protections, which makes them particularly dangerous despite this being an old attack methodology. Docusign said that its team investigates and closes suspicious accounts within 24 hours of any such activity being detected or reported and once an account is closed, all envelopes sent from the account are no longer accessible by the recipient or sender. PayPal told me that "PayPal takes seriously our efforts to protect customers from evolving scams and fraud activity. We encourage customers to always remain mindful online and to visit PayPal.com for additional tips on how to protect themselves."

PayPal Attack Red Flags To Watch For

The March 4 Malwarebytes report confirmed that there are many red flags associated with this particular PayPal attack campaign that make it easy to spot, if you know what you are looking for. The emails appear to be from Docusign, Arntz said, but are actually from scammers using a fake Gmail address. That alone should set the alarm bells ringing as PayPal would obviously not be sending you a critical security notification using a throwaway Gmail address. "Also, it seems weird that Docusign has been used to send a document that doesn't require a signature," Arntz continued. "Looking deeper, there are some more red flags. The To address does not belong to the receiver. It doesn't even exist."

"This recent Docusign scam relies on Application Programming Interfaces to bypass email security, in order to steal login credentials," Jamie Beckland, chief product officer at APIContext, warned. "While Docusign says their system identifies bad actors, that is no help if a user shares their email password inadvertently." Beckland said that all API owners should "monitor APIs for suspicious behavior, which looks different than suspicious website behavior, and test APIs for conformance against security standards in order to stop these exploits before they start."

Mitigating The PayPal Docusign Attack

Malwarebytes recommended that, if you have received one of these emails or something similar using a Docusign lure, you verify whether it's genuine by heading directly to Docusign.com, where you should click on the Access Documents link in the upper right-hand corner. From here, you can enter the document security code that will be displayed in the email. "If you get an error message," Arntz said, "that means the document was removed or never even existed."

Checking your PayPal account directly, not using any links in an email or document you have been sent, to look for suspicious transactions of the type that such phishing campaigns claim, is highly recommended as this can stop you going any further before you even start.

Furthermore, you should report any unauthorized PayPal payment linked to Docusign activity that you have cause to believe is fraudulent to both PayPal and Docusign.

How PayPal Protects Users From Scams As Attacks Evolve

The truth of the matter is that phishing attempts come in many forms, as already mentioned, and are far from being a PayPal-specific issue. That said, PayPal uses a combination of manual investigations and sophisticated technologies to protect users from such attacks, including taking proactive actions like limiting scam accounts or declining risky transactions.

In conversation with a PayPal spokesperson who didn't want to be quoted directly, I learned that PayPal is constantly evolving its fraud detection tools, including adding fraud reminder notices with advice for customers on all global invoice requests and peer-to-peer money requests. If people receive any unexpected, suspicious invoices or payment requests, the PayPal advice remains the same: do not pay it, do not respond to it, do not share any personal information.

Specifically, PayPal customers should:

- Not call any phone numbers, open attachments, or click on any links within suspicious invoice or money request messages.
- Change their account password and contact PayPal as well as their financial institution immediately if they think they have clicked any links in such a message.
- Enable two-factor authentication as a matter of course, or use a Passkey which will serve as both a secure login method and as a second authentication factor.
- Flag any suspicious messages directly to email providers.
- Contact law enforcement to report any scams. PayPal will then assist in the investigation if asked.

PayPal has said that it partners with leading consumer protection institutions, such as the Better Business Bureau, American Association of Retired Persons, Federal Trade Commission and the Aspen Institute. PayPal has also launched a Smarter Than Scams campaign with the Financial Technology Association to raise awareness of the latest common fraud trends.
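The red flags described under "PayPal Attack Red Flags To Watch For" can be checked mechanically on a received message. The following is an added example, not code from Forbes, Malwarebytes, PayPal or Docusign; the brand-to-domain map, the free-mail list, the function name and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed mapping of brand name -> domains that brand sends from; tune to your own mail.
BRANDS = {"paypal": {"paypal.com"}, "docusign": {"docusign.com", "docusign.net"}}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed short list

def red_flags(raw: str, recipient: str) -> list[str]:
    """Return the article's red flags found in one raw message (signals, not a verdict)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Brands the sender claims in the display name or subject line.
    text = f"{name} {msg.get('Subject', '')}".lower()
    claimed = [b for b in BRANDS if b in text]
    flags = []
    for brand in claimed:
        ok = any(domain == d or domain.endswith("." + d) for d in BRANDS[brand])
        if not ok:
            flags.append(f"brand-mismatch:{brand}")
    # A brand notification sent from a throwaway free-mail address.
    if claimed and domain in FREEMAIL:
        flags.append("freemail-sender")
    # The To/Cc headers do not name the mailbox that received the message.
    # Legitimate Bcc and mailing-list mail also trips this, so weigh it with the others.
    listed = {a.lower() for _, a in
              getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if recipient.lower() not in listed:
        flags.append("recipient-not-in-to")
    return flags

# Constructed sample messages (not taken from the campaign).
SUSPICIOUS = (
    'From: "PayPal Billing via Docusign" <billing.notice.example@gmail.com>\n'
    "To: no-such-user@invalid.example\n"
    "Subject: Invoice from PayPal\n\n"
    "Review your document.\n"
)
LEGIT = (
    'From: "Docusign" <dse@docusign.net>\n'
    "To: alice@example.com\n"
    "Subject: Please sign: contract\n\n"
    "Review your document.\n"
)

if __name__ == "__main__":
    print(red_flags(SUSPICIOUS, "alice@example.com"))
    print(red_flags(LEGIT, "alice@example.com"))
```
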