Accidental Email from Paypal is Not a Paypal Phishing Email

Accidental Email from Paypal is Not a Paypal Phishing Email
Share the knowledge

That unexpected, unrequested email from Paypal that you may have received this week is not a Paypal phishing email. As best as anyone can tell it was an accidental email triggered by Paypal, but not a Paypal phishing email. The email starts out by thanking you for contacting Paypal customer service, and if you know that you did not contact Paypal customer service, then you are right to suspect that it is a Paypal phishing email. In fact you may be looking to report it as phishing.

However, as we explain below, in this case it’s legitimately from Paypal, which means that it was just a bonehead accident. (Of course, sometimes email that you receive that is legitimately ‘from’ Paypal is still a scam, such as the Paypal invoice scam.) Now, whether an institution that is responsible for billions of its users’ dollars should be making bonehead moves is an entirely different matter.

And the fact that there has been no “Oops, please disregard that previous email, it’s really from us so don’t worry about it being a phishing email” follow-up also seems very poor form to us. But at least you can put to rest concerns that you are being phished. This time.

So is This a Paypal Phishing Email?

Below is the accidental email that Paypal sent out. Now, the first thing to notice is that John did not contact Paypal customer service. Which is generally a pretty good indicator that an out-of-the-blue email like this from Paypal is a phishing effort. (We explain below the text of the email how we know that this email is actually from Paypal, and not a Paypal phishing email.)

Dear John,

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link

Thank you for contacting PayPal Customer Service.

In an effort to assist you as quickly and efficiently as possible, please direct all customer service inquires through our website.

1. Log in to your PayPal account.
2. Click on Help & Contact at the bottom of any PayPal web page.

This will give you further information on how to “Call us” or send an email via “Message Center”.

Alternatively, you can log in to your PayPal account and choose “Resolve a problem in our Resolution Center”, which will take you to PayPal’s central hub for buyer and seller resolution and limitation information. You will find information about the limitation and steps to remove it below:

Log in to your account.
Click Resolution Center. If you have a Business account, click More and then Resolution Center.
Click Go to Account Limitations.
Next to each step required to remove the limitation, click Resolve and follow the steps to provide information.

If you prefer to contact us, please log into your account and click Contact or Help at the bottom of the page.


Copyright © 1999-2022 PayPal. All rights reserved.

How We Know It’s Not a Paypal Phishing Email

First, here is a screenshot of the email. There is only one link in the email, and it actually does go to the Paypal resolution center.

Accidental Email from Paypal is Not a Paypal Phishing Email

Of course, that alone is not proof, as there are lots of phishing emails that include legitimate links to the entity that they are spoofing, as they try to get you another way, such as calling them or replying to the email.

And that’s where the email headers and some sleuthing come in. We are not going to include the entire full set of email headers from the email here, as a lot of it is irrelevant to our discussion, but here are the relevant headers:

ppkanana-us-kana Automatic reply to PayPal email SAXK (KMM479701764V24830L0KM)
To: “John Doe” []
Return-Path: Return-Path: Authentication-Results: dkim=pass header.s=pp-dkim1 header.b=esHKWae7; spf=pass ( domain of designates as permitted sender); dmarc=pass (policy=reject)
Dkim-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=pp-dkim1; t=1668024870; x=1699560870; h=date:from:to:message-id:subject:mime-version; bh=jCwkQMYCG71335Pw4XdyCvI3x6viu/8koBVTGbeN428=; b=esHKWae7Q3G41Q448CTtPME1Rz0mo8xKtMvQADqcX8ed4nWwl+mfWm98 A+Jdj6lR/mosQOaXrqjxIlHeaGh9mZvgGL4vEl8knV+swmh/9RtJkVEcE Ex9o9AGX9MRv7BbXVmsvf1JqPHL0X8yiqBd3wuQzJwKE8MWHgCau3fieg LSuaMghStzKafkcz8KRj4R0JXZCqr2G7amza0Piz3txBXZ6mZVFZnTwUm O1Obc+AwyQS+Prq6gZVqPDet44/j6eI5W1TzwYf/S5lGD0lf0jJk2poFS bfjVeMrbgw2EAxN2COIJ9hdR6o/82tQ7XqUdFyoGwnJc9L7HLFLPjYBm0 A==;
[]; R_SPF_ALLOW(-0.20)[+ip4:]; R_DKIM_ALLOW(-0.20); MIME_GOOD(-0.10)[multipart/alternative,text/plain]; MX_GOOD(-0.01)[]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:1449, ipnet:, country:US]; MIME_TRACE(0.00)[0:+,1:+,2:~]; FROM_EQ_ENVFROM(0.00)[]; NEURAL_HAM(-0.00)[-1.000]; TO_DN_ALL(0.00)[]; RCVD_COUNT_THREE(0.00)[4]; FROM_HAS_DN(0.00)[]; DKIM_TRACE(0.00); TO_MATCH_ENVRCPT_ALL(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; ARC_NA(0.00)[]
Content-Type: multipart/alternative; boundary=”—-=_Part_75892_1074546404.1668024862824″
Delivered-To: jdoe
(envelope-from ) for [jdoe]; Wed, 09 Nov 2022 20:14:33 +0000
Received: from ( []) by (8.15.2/8.15.2/Debian-22) with ESMTPS id 2A9KEOaB3582360 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for []; Wed, 9 Nov 2022 20:14:30 GMT
Received: from ([]) by with ESMTP/TLS/ECDHE-RSA-AES128-GCM-SHA256; 09 Nov 2022 20:14:23 +0000
Received: from (unknown []) by with smtp (TLS: TLSv1/SSLv3,128bits,ECDHE-RSA-AES128-GCM-SHA256) id 1b28_0cf8_58df61bf_8e2c_4837_9ba1_f5c5cfc2b9a7; Wed, 09 Nov 2022 20:14:22 +0000
Received: from ([]) by with ESMTP/TLS/ECDHE-RSA-AES128-SHA; 09 Nov 2022 20:14:22 +0000

Here’s what’s important to note from the these headers:

The headers tell us that the email actually did originate from Paypal, and passed all authentication checks. What’s more, a lookup for the IP address that passed the email from Paypal to ( belongs to Paypal:

NetRange: –
OrgName: PayPal, Inc.
Address: 2211 N. First St.
City: San Jose
StateProv: CA
PostalCode: 95131
Country: US
RegDate: 2001-08-17
Updated: 2019-04-10

Of course, and as always, if you suspect that a Paypal email is phishing or a scam, or even if you’re just not sure, you should report it. Paypal explains how to do that for various suspect things here.

Get New Internet Patrol Articles by Email!

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link


Share the knowledge

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.