How to help protect your business from phishing and spoofing

It's not always easy to spot a scammer, especially when they disguise themselves as a reputable person or partner.

Fraudsters will use fake emails and websites, send text messages or make phone calls, so their communications look, feel, and sound reputable as they ask for money or financial information. But while their message is fake, the cash they steal from you is very real. That makes protecting your business against phishing or spoofing attacks one of the top risk management steps you can take.

If you suspect fraud or a security issue associated with your PayPal account, visit our Security Center for help. Want to reduce your risk of phishing and spoofing? Keep reading.

What is phishing?

Phishing is a type of online fraud that attempts to trick you into revealing sensitive information such as your login credentials, credit card information, or other sensitive data.

For instance, a phishing attack may use social engineering tactics such as creating a sense of urgency to get someone to take action, such as clicking a link that goes to a spoofed website or downloads malicious software.

To defend against phishing, watch out for messages that ask for personal information like credit or debit card numbers, bank account information, driver's license number, passwords, or your full name. And when you suspect an email is fake, don't open it, reply to it, click on any links, or download any attachments.

Tip: Use caution if you get an unexpected payment notification from PayPal via email. PayPal will never ask for sensitive information in an email. Always verify every payment notification by logging in to your account and locating the corresponding transaction. All transactions (even pending ones) sent by you, or to you, will show up in your transaction history.

What is spoofing?

Spoofing is when a fraudster disguises their email address, name, phone number, URL, or other identifying information to make you think you're interacting with someone else.

Phishing attacks often use spoofing to appear to be from a legitimate organization. Oftentimes, it comes in the form of an email or text message from someone you're likely to trust, such as your bank. It then asks you to click a link to take action. For example, you may be prompted to update information or check on a transaction. However, the link actually directs to a fake website that collects your login information, which the fraudsters then use to access your account.

What is spear phishing?

Spear phishing is a targeted form of phishing. Rather than send out phishing emails to your whole staff, a fraudster will instead focus on specific individuals so they can tailor their approach.

For example, a spear phishing attack might send a fake email to your accountant that appears to come from the business owner. The email might ask for a login password, or perhaps include an invoice with instructions to pay it immediately. Since it appears to be coming from the boss, the accounting department may be more likely to fall for the scam, especially if it includes personalized information that can be easily gleaned from social media or an online search.

What is whaling?

Whaling is a subset of spear phishing that targets high-level people in your organization, such as the owner, CEO, CFO, or other senior executives.

An example of a whaling attack may be someone impersonating the CEO, asking the CFO for sensitive login information or trade secret information. Because executives are busy and often respond to emails on their phone between meetings, they may not give the email the scrutiny it deserves.

To defend against spear phishing and whaling attacks, train employees with access to sensitive information to be especially on guard. Any urgent or unusual requests should be followed up with the person requesting the information.

What is smishing?

Smishing attacks take place through SMS messaging. An example of smishing would be getting a text from your bank asking you to review a transaction by clicking a link, which then sends you to a spoofed website that harvests your login information.

To defend against smishing, don't click a link that comes from an unidentified source or number. Even if a link appears to come from your bank or other trusted source, don't click the link. If you think the request may be legitimate, contact the purported sender directly through a known phone number to confirm.

What is vishing?

Fake voicemails, also known as vishing, are when a scammer uses an automated system to make voice calls. Typically, the calls mention an “urgent account problem” and ask you to share account information to remedy it.

An example of a vishing attempt is if you receive a call about a possible fraudulent transaction on your account that asks you to enter your PIN to hear the transaction details.

To defend against vishing, never provide any account information unless you initiate the phone call. Caller IDs are also easily masked, so don't rely on them to verify the call is authentic.

What is search engine phishing?

With this phishing attack, fraudsters will create fake websites that copy a financial institution or retailer, and then use search engine optimization to trick a search engine into displaying the fake site instead of the real site in their search results.

For example, an employee searching for the company's bank might get the fake site instead. Once they try to enter their login information into the fake site, the scammers capture that information and use it to login into the searcher's real account.

Protect against search engine phishing by teaching employees to type in the website URL directly instead of clicking on a search result.

How to help protect yourself from phishing and spoofing

If you think you’ve clicked a bad link, close out of it immediately, run an antivirus check, and then change your password and security questions. Remember, it’s important you run an antivirus check first because you might’ve gotten malware from clicking the link, and the malware can still pick up your new password.

After you do that, contact your bank or card issuer and explain the situation. Make sure to review your transaction history over the next few weeks to ensure there are no unauthorized transactions on your account, and if there are, report them immediately.

Seems phishy?

If you receive an email from PayPal that you believe could be phishing, don't click any links, open any attachments, or respond in any way. Instead, simply forward the email to To investigate the email just as you received it, we ask that you don't change the subject line or send the suspicious email as an attachment. After forwarding it, delete the email from your account so that there's no further threat to you.

How do you know when the communication you've received is actually from PayPal?

Be assured that PayPal will never send a request for information via email. Instead, we direct account holders to log in to their account and visit the Resolution Center. You know you're working on the real PayPal site when the URL is

Additional fraud prevention tools

To help prevent a cyber criminal from using phished information in a transaction with your business, the following tools are available through PayPal and other fraud management vendors:

  • Address Verification Service (AVS). Use AVS to verify if the billing address matches the one the card issuer has on file.
  • Card Security Code (CSC). The CSC is the three- or four-digit number located on the back of the card that confirms the customer has the card in their possession.
  • Bank Identification Number (BIN). The first six numbers listed on a card are known as the BIN and identify the financial institution that issued the card.
  • IP geolocation. IP geolocation pinpoints the location of the computer used for the transaction. Checking the geolocation details against the billing and shipping address your customer provided can flag possibly fraudulent transactions.

No matter how vigilant you are, you will inevitably let your guard down and be tempted to click a questionable link. To help protect you while you browse (and take away some of the stress), there are several site safety rating tools1 available:


These services collect reports about suspicious sites and rank them. They can't catch every bad link, but they can be a good first line of defense.

If you're running an online business, keep in mind that there are other types of fraud you need to watch for. Check out fraud prevention best practices, common ecommerce scams to avoid, and more risk management services.

Was this content helpful?

Related content

Sign Up for the PayPal Bootcamp

In partnership with three expert business owners, the PayPal Bootcamp includes practical checklists and a short video loaded with tips to help take your business to the next level.

*Required fields.

We use cookies to improve your experience on our site. May we use marketing cookies to show you personalized ads? Manage all cookies