PayPal Invoice Scam: The "Call to Dispute" Trap
You opened your inbox and there it was — a real-looking PayPal invoice for $649 of Norton antivirus you never bought, or a Bitcoin purchase, or a $1,200 gift card. The email looks legitimate because it is legitimate: scammers send actual PayPal invoices through PayPal's own system. The trap is the helpful phone number at the bottom of the invoice — "if you did not authorize this charge, call (xxx) xxx-xxxx." Calling that number is how the money ends up gone.
Why the email passes spam filters
The scammer creates a free PayPal business account and sends you a real invoice for a made-up product. PayPal's mail servers send it, so SPF, DKIM, and DMARC all pass. Gmail and Outlook deliver it straight to your inbox. The only fraudulent thing about the email is the support phone number written into the "Notes to Customer" field and the description of the goods.
What happens if you call
A friendly "PayPal support agent" answers. They walk you through "canceling" the charge. They ask you to install AnyDesk or TeamViewer "to access the refund tool on your end." Once they have remote control of your computer, the script proceeds:
- They show you a fake refund form and ask you to type the amount — say, $649.
- While your view is blanked or distracted, they edit the number so it looks like $6,490 was refunded.
- They "panic" and tell you they accidentally added a zero. The bank will fire them. Can you please send the extra $5,841 back, by Zelle or wire?
- You send the money. The original refund never existed — your account balance hasn't moved. They keep everything you wired.
Variants involve gift cards, crypto purchases, or asking you to "verify possession" of your bank account by Zelling a stranger.
Red flags
- An invoice for something you didn't buy, from a vendor name you don't recognize.
- A phone number placed prominently inside the invoice for "support" or "disputes."
- Notes that include phrases such as "subscription auto-renewed" or "anti-virus protection."
- Any request for remote-desktop access (AnyDesk, TeamViewer, QuickAssist).
- Any request to send money back via Zelle, wire, or gift cards.
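As an added example (not code from this page, PayPal, or Safety Intercept), here is one way to check a message for these red flags in Python while showing that passing SPF, DKIM, and DMARC says nothing about the note text. The sample message, its headers, and the 555 number are constructed, and `check_invoice` and the rule names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample: headers, vendor name, amount and phone number are made up.
SAMPLE = """\
From: service@paypal.com
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Subject: Invoice from Tech Billing (0001)

Amount due: $649.00 USD
Note to customer: Your anti-virus protection subscription auto-renewed.
If you did not authorize this charge, call (555) 010-0199 to dispute.
"""

# One rule per red flag listed above (hypothetical names, simple US-style patterns).
RULES = {
    "phone_number": re.compile(r"\(?\b\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "call_to_dispute": re.compile(
        r"did not authorize|\bcall\b[^.\n]{0,80}\b(dispute|cancel|refund)", re.I),
    "lure_wording": re.compile(
        r"subscription auto-renewed|anti-virus protection", re.I),
    "remote_or_payback": re.compile(
        r"anydesk|teamviewer|quick ?assist|zelle|\bwire\b|gift cards?", re.I),
}

def check_invoice(raw: str) -> dict:
    """Return the auth result and which red-flag rules the body matches."""
    msg = message_from_string(raw)
    auth = (msg.get("Authentication-Results") or "").lower()
    # True for a genuine PayPal-sent invoice, including a fraudulent one.
    auth_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    body = msg.get_payload()
    flags = [name for name, rx in RULES.items() if rx.search(body)]
    # Sender authentication cannot separate scam from real invoice;
    # a phone number paired with a dispute prompt in the body is the tell.
    suspicious = "phone_number" in flags and "call_to_dispute" in flags
    return {"auth_pass": auth_pass, "flags": flags, "suspicious": suspicious}

if __name__ == "__main__":
    print(check_invoice(SAMPLE))
```

The same function can be run on a pasted call transcript, where the `remote_or_payback` rule covers the remote-desktop and money-back requests.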
What to do right now
- Do not call the number on the invoice.
- Open paypal.com directly in your browser (type the URL — don't click the email link). Go to Activity.
- If the charge is there and you did not authorize it, click Dispute from inside PayPal.
- Forward the phishing email to phishing@paypal.com, then delete it.
- If you already called and gave remote access: disconnect the internet, run a malware scan, change your passwords from a different device, and call your bank.
Try the free scam-checker
Paste the invoice text — or the phone conversation if you already called — and the checker will tell you if it matches the pattern.
How Safety Intercept stops it
Safety Intercept's Gmail scanner reads the body of suspicious invoices and flags the "call to dispute" pattern, fake support numbers, and urgency phrasing. If the scammer talks you into opening PayPal afterward, the PayPal interceptor reads the memo at the Send step — and because the Gmail flag is fresh, the cross-layer correlator pushes the risk score to critical automatically. You get a Shield warning before the payment goes through, and the detection event is logged so adult children can see what their parent almost sent.