Back to Learning CenterSecurity

Why am I getting fake payment confirmation emails?

By Samuel ChenardJuly 16, 20267 min read
Why am I getting fake payment confirmation emails?

You are getting fake payment confirmation emails because scammers send fake receipts on purpose: the "charge" you never made is the bait. The goal is to panic you into calling a support number they control or clicking a link to "cancel" the order, at which point they steal your login, card details, or remote access to your device. Some of these messages are pure spoofs, but the most convincing ones are real invoices sent through a genuine service like PayPal, so they land in your inbox looking completely authentic.

Quick Takeaways

  • A fake payment confirmation is phishing: it invents a charge to make you react before you think.
  • The email almost always pushes you toward a phone number to call or a link to "dispute" or "cancel" — that is the trap.
  • The most dangerous versions are genuine invoices sent through real payment platforms, so they pass every authentication check.
  • Never call the number in the email; log in to the service directly or use the number on the back of your card.
  • A real charge shows up in your bank or account activity — a fake one only exists inside the email.
  • Because many of these emails are technically legitimate, DMARC alone cannot block them; recognizing the pattern is the real defense.

What is a fake payment confirmation email?

A fake payment confirmation is a phishing message dressed up as a receipt, order confirmation, or invoice. It tells you that money left your account — a $499 antivirus renewal, a $780 electronics order, a crypto purchase you never authorized — and it counts on that jolt of "wait, I didn't buy this" to override your caution.

The message is engineered to create urgency and then hand you a fast way to act on it. That fast way is the attack. Depending on the campaign, the email steers you toward calling a "billing support" line, clicking a button to reverse the transaction, or replying with account details to "verify" your identity. Every one of those paths leads to the scammer, not the company being impersonated.

This tactic overlaps with business email compromise and classic phishing, but its signature is the fake transaction. Where a normal phishing email says "your account is locked," a payment-confirmation scam says "you just spent money" — a threat that feels more concrete and harder to ignore.

Why do these emails look so convincing?

Because many of them are real emails from real companies. Attackers discovered they don't need to spoof a brand if they can borrow its infrastructure.

On PayPal, for example, a scammer can create an account and send you a genuine invoice or money request for a fake purchase. That invoice is generated and delivered by PayPal's own servers, so it arrives from a legitimate PayPal address and passes SPF, DKIM, and DMARC. The authentication result only proves the mail really came from PayPal's systems — it says nothing about whether the underlying request is honest. PayPal's own guidance is blunt about the fix: it will never ask you to call a number from an invoice note, so log in to your account directly to check whether anything is actually owed.

This is the same blind spot behind why phishing emails pass SPF and DKIM: authentication confirms the sender, not the sender's intentions. When the confirmation email is a spoof rather than a real invoice, DMARC can stop it — but when it is a genuine invoice weaponized against you, no email-authentication check will flag it, because nothing about the delivery is forged.

What are scammers trying to get me to do?

Every fake payment confirmation ends in one of a few asks. Learn the endings and the emails stop working on you.

  • Call the fake number. This is "callback phishing." There is no malicious link to scan, just a phone number for a "fraud department." The person who answers will walk you through cancelling the charge — a process that conveniently requires your card number, your online banking login, or installing remote-access software so they can "help."
  • Click to dispute or cancel. The button leads to a lookalike login page that harvests your credentials the moment you type them, much like the fake sites behind pharming.
  • Open the attachment. A "receipt.pdf" or "invoice.html" can carry malware or open a credential-stealing form hosted inside the file.
  • Reply with details. Some low-effort versions simply ask you to confirm account information by email so they can "reverse the transaction."
The common thread is that the company being impersonated never actually needs any of this. A real refund or dispute happens inside your account, never through a number or link the email hands you.

How do I tell a fake confirmation from a real one?

Work from the charge, not the email. A real transaction leaves a trail everywhere except your inbox; a fake one only exists in the message.

  • Check the source of truth. Open the app or website yourself — typed from memory or a bookmark, never a link in the email — and look at your order history or bank activity. No charge there means no charge.
  • Distrust the phone number. Legitimate receipts don't demand an urgent phone call. If you want to verify, use the number printed on your card or the company's official site.
  • Read the tone. Countdown timers, "call within 24 hours," and threats of a non-refundable charge are pressure tactics, not customer service.
  • Inspect names and amounts. Odd vendor names, mismatched currencies, or a product you'd never buy are all tells — though a polished scam may get these right, so never rely on them alone.
  • Hover before clicking. A "PayPal" or "Amazon" button pointing at an unrelated domain or a shortened URL is a red flag. When in doubt, don't click at all.
For a broader checklist that applies beyond receipts, see how to spot fake emails.

Common issues with fake payment confirmation emails

The email passed all the spam and security checks — how is that possible?

Because it may not be spoofed at all. When a scammer sends a real invoice through a legitimate platform, the message genuinely originates from that platform and clears every authentication filter. Security tools verify who sent the mail, not whether the request is honest. That gap is exactly why the human check — "is there really a charge?" — matters more than the technical one here. Compare this with true email spoofing, which authentication is built to catch.

I already called the number — what now?

Assume the call was the attack. If you shared card or banking details, contact your bank using the number on your card and freeze or reissue the card. If you installed any software the "agent" asked for, disconnect the device from the internet, run a full anti-malware scan, and change passwords from a different, clean device. Enable multi-factor authentication on the affected accounts if it isn't already on.

I keep getting these even after marking them as spam

Report each one to the impersonated company (PayPal, Amazon, and most banks have a dedicated phishing address) and to your mail provider so their filters learn the pattern. Marking as spam trains your own inbox, but reporting to the brand helps them shut down the sending account behind the campaign.

Frequently asked questions

Are fake payment confirmations dangerous if I don't click anything? On their own, no — an unopened scam email can't hurt you. The danger is entirely in the response: calling the number, clicking the link, or opening the attachment. Delete it and you're done.

Why did I get one for a service I don't even use? These campaigns are sent in bulk to huge address lists, so most recipients have no relationship with the brand being impersonated. Getting a "renewal" notice for software you never bought is a strong sign it's a scam, not a billing error.

Can spam filters ever stop these completely? Not reliably, especially the versions sent as genuine invoices, because there is nothing technically wrong with the message. Filters catch many spoofed copies, but the legitimate-but-weaponized ones need a human to recognize the pattern.

Should I reply to ask them to stop? No. Replying confirms your address is active and monitored, which usually means more mail, not less. Report and delete instead.

Fake payment confirmations thrive in the gap between "authenticated" and "trustworthy." Palisade helps close the part of that gap you can control: it monitors your SPF, DKIM, and DMARC records and moves you to enforcement so attackers can't send spoofed receipts as your own domain to your staff and customers. See where your domain stands with a free Email Security Score scan.

Share this article

Samuel Chenard

Written by

Samuel Chenard

CEO & Co-Founder, Palisade

Samuel Chenard is the CEO and co-founder of Palisade, the DMARC automation platform for MSPs. He writes Palisade's guides on DMARC, SPF, DKIM and email deliverability.

More from Samuel

Related articles