TLDR
A live phantom invoice / refund scam is impersonating PayPal, Amazon, and Geek Squad with fake receipts for charges (e.g. $349, $499, $598) that never happened. The email's only goal is to scare you into calling a bogus "support" number,...
Red flags
- An unexpected invoice or renewal notice for a charge you don't recognize, with a callback number to "cancel" it.
- Urgent, fear-based language pushing you to act fast without verifying directly with the vendor.
- No real attachment or link to analyze, which is exactly why the message often bypasses spam filters.
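The red flags above can be turned into a mail-triage heuristic. This is an added example, not code from the original page or from Malwarebytes; the function names, the urgency word list and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string

BRANDS = ("paypal", "amazon", "geek squad")   # brands named on this page
URGENCY = ("immediately", "within 24 hours", "unauthorized", "cancel")  # assumed list
AMOUNT_RE = re.compile(r"\$\s?\d{2,4}(?:\.\d{2})?")
# Separators are required so order numbers are not mistaken for phone numbers.
PHONE_RE = re.compile(r"(?:\+?1[\s.-])?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}")
URL_RE = re.compile(r"https?://|www\.", re.I)

def callback_signals(raw: str) -> dict:
    """Extract the red-flag signals from one raw RFC 5322 message."""
    msg = message_from_string(raw)
    text, has_attachment = [msg.get("Subject", "")], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            has_attachment = True
        elif part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            text.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(text)
    low = body.lower()
    return {
        "brand": any(b in low for b in BRANDS),
        "amount": bool(AMOUNT_RE.search(body)),
        "phone": bool(PHONE_RE.search(body)),
        "urgency": any(u in low for u in URGENCY),
        # The absence of a payload is itself the signal for this scam.
        "no_link_or_attachment": not has_attachment and not URL_RE.search(body),
    }

def is_callback_phish(raw: str) -> bool:
    """Flag only when every red flag is present at once."""
    return all(callback_signals(raw).values())

# Constructed sample messages (fictional 555-01xx number, example.test domain).
PHANTOM = """\
From: "PayPal Billing" <billing@example.test>
Subject: Invoice PP-0000: $499.00 charged
Content-Type: text/plain; charset=utf-8

Your PayPal account was charged $499.00 for a Geek Squad renewal.
If you did not authorize this, call 1-888-555-0142 immediately to cancel.
"""
RECEIPT = """\
From: shop@example.test
Subject: Your receipt
Content-Type: text/plain; charset=utf-8

Thanks for your Amazon order of $23.10. View it at https://www.example.test/orders
"""
```

Requiring all signals together keeps ordinary receipts, which normally carry a link and no callback number, out of the flagged set.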
What to do
- Do not call the number in the email.
- Log in directly to the official PayPal/Amazon/etc. site (or open the real app) to check any charge.
- If you already called and followed instructions: run a full antivirus scan, change critical passwords, enable multi-factor authentication (MFA), and contact your bank to monitor or block your card.
- Report the message as phishing, then delete it.
- Real companies never resolve disputes through unsolicited phone
Source
Malwarebytes
Source reviewed by Mythos Forensic Team
https://www.malwarebytes.com/blog/threat-intel/2026/06/we-found-this-fake-invoice-campaign-while-scammers-were-still-building-it
FAQ
Is "Phantom invoice scam caught mid rollout: PayPal, Amazon and Geek Squad impersonations push victims to call scammer phone numbers" a real scam pattern?
Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.
What are the first warning signs?
An unexpected invoice or renewal notice for a charge you don't recognize, with a callback number to "cancel" it. Urgent, fear-based language pushing you to act fast without verifying directly with the vendor. No real attachment or link to analyze, which is exactly why the message often bypasses spam filters.
What should I do first?
Do not call the number in the email. Log in directly to the official PayPal/Amazon/etc. site (or open the real app) to check any charge. If you already called and followed instructions: run a full antivirus scan, change critical passwords, enable multi-factor authentication (MFA), and contact your bank to monitor or block your card. Report the message as phishing, then delete it; real companies never resolve disputes through unsolicited phone