How Scammers Use Small Business Names to Send Fake PayPal Invoices

In Connecticut, a vintage furniture shop called Palomino Bazaar discovered its name on more than 200 fake PayPal invoices sent to people across the U.S. The owner, Kate Ferguson, wasn’t chasing payments—her business was inactive. But her inbox and phone lit up anyway: confused strangers, even a whole school district in Pennsylvania, asking about “their” bill.

The invoices looked real and demanded about a thousand dollars. Instead of a normal PayPal button, the message told recipients to call a phone number to “fix the problem.” That number belonged to the scammers. Kate reported the scam to the Better Business Bureau and closed the PayPal account in question. She suspects the email tied to that old account—using the same password as PayPal—was compromised. The fallout didn’t stop there. People began confusing the scam with her separate interior design company, Palomino Interiors, putting that brand’s reputation at risk for something she didn’t do. (source: ctinsider.com)

How the PayPal invoice scam works (from both sides)

When you’re the person who receives the invoice

You get what looks like a real PayPal invoice or money request. The note field is urgent: “Call now to cancel,” “Your account is compromised,” “Dispute within 24 hours.” But the phone number is the trap and if you call, the “agent” keeps you on the line and steers you into sharing card details, installing remote-access software, or sending a “cancellation” payment that goes straight to them.

What’s real vs. fake here?

The invoice format may be genuine (anyone can send you a PayPal money request if they know your email). The instructions are the scam. Real issues can be handled inside your PayPal account, no mystery phone number in the notes.

Related: PayPal Text Scams: How to Spot and Avoid Them

 When it’s your company’s name sending the invoices

There are two ways your brand gets pulled in:

1. Impersonation without access. Scammers use your business name/logo in the invoice or in a look-alike email. They never touch your accounts, they just borrow your credibility to make victims call their number.

Related: What Are Invoice Scams and How Small Business Can Stay Safe

2. Compromise with access. Scammers get into an old or weakly protected email/PayPal account (often through password reuse). From there, they can create legit-looking invoices or money requests using your actual PayPal profile and blast them to any address they can find—past customers, scraped lists, even random targets. The note field contains the same “call us” script, pointing to their phone bank.

Related: How to Prevent or Recover from A Business Email Compromise (BEC) Attack

What you’ll see on your side

A sudden spike in “Did you send this?” messages, angry calls, and PayPal activity you don’t recognize. If email was part of the breach, you may also find strange forwarding rules, login alerts from unfamiliar locations, or password-reset notices you didn’t start. The damage is time and trust. As Palomino Bazaar learned, blowback can spill into other ventures because people remember the name, not the nuance.

Your name makes the invoice believable. The phone number in the notes keeps the whole exchange off-platform and under their control. Even if targets don’t pay, many will call, and that’s where the con happens.

Related: How to Check If Your Business Is Affected by a Breach (And What to Do if It Is)

The 60-second check (do this every time)

Don’t click links and don’t call numbers in the email.
Always open a fresh tab, type paypal.com, sign in, and check Activity → Invoices / Money requests.

If the invoice appears and it’s bogus, decline it, block the sender, and forward the email to [email protected].

If nothing appears, it was a spoofed email. Delete and report it.

If you already called or clicked

Take a breath, then act:

• Change passwords for PayPal and the email account tied to it. Turn on two-step verification for both.
• If you shared card or bank details, call your bank/issuer and monitor transactions.
• If you installed anything or allowed screen-sharing, uninstall it and run a full security scan. Consider a clean reinstall if anything looks off.
• Keep evidence: invoice IDs, emails, caller numbers, times. File reports with PayPal and your national cybercrime channel. Add a case to BBB Scam Tracker to help others spot the pattern.

If scammers are using your company’s name to trick people

If you discover scammers are impersonating your business, take action immediately:

1. Tell people what’s happening. Post and pin a short alert on your website and social channels.

Could be something like: We’re aware of fake PayPal invoices using our name. We will never ask you to call a phone number to cancel a charge. Please sign in at paypal.com to review any requests, decline anything suspicious, and forward emails to [email protected]. If you have questions, contact us at [your real support email/phone].

2. Lock down old keys and doors

Close or secure inactive PayPal accounts. Remove former staff logins and old API keys. Make sure email, PayPal, and invoicing tools use unique, strong passwords and 2FA. If you reused a password anywhere, fix it now.

3. Work with platforms and authorities.

Send PayPal the invoice IDs and screenshots. File an official cybercrime report if local guidance recommends it. Add your case to BBB Scam Tracker to warn others.

4. Monitor your business identity and assets

Use a digital identity and brand-monitoring tool to watch for trouble before customers do. Track your company name(s), domain(s), executive names, official support emails, and payment handles (for example, PayPal or Stripe). Turn on alerts for leaked credentials tied to your domains or staff emails, look-alike domains and fake profiles, and new mentions of your brand in shady marketplaces or forums.

If you’re using Bitdefender Ultimate Small Business Security, enable Digital Identity Protection to surface exposures and impersonations and get guided fixes.

Related: Is PayPal Good for Small Businesses? Pros and Cons to Know

Everyday prevention for busy teams

Keep it simple and consistent:

• Treat “call now to avoid charges” as a red flag. Real billing issues don’t hide behind phone numbers in the notes.
• Train whoever checks finance@ or info@ to run the 60-second check above.
• Separate duties: the person who receives invoices isn’t the one who approves payments.
• Use security that catches bad links and shady sites before anyone clicks. Bitdefender Ultimate Small Business Security does this  with Phishing & Email Protection, and its Scam Copilot helps you sanity-check “almost real” messages in seconds.

You can start with the 30-day free trial now, roll it out to your team, see it at work and keep it if you like it.