Yes — this is a scam. Every phishing email uses the same handful of tricks — a look-alike sender, a scary subject, a deadline, and a link that doesn't go where it claims.
Invoice #INV-4471 — payment of $649.99 confirmed
P
PayPal Service
service@paypa1-billing.com
9:14 AM
We've charged your account $649.99 for a Norton 360 subscription renewal. If you did not authorize this, cancel within 24 hours to avoid the charge: paypa1-secure.com/cancel
Cancel this payment
The Email, as received
Example 2 · Amazon “order confirmation”
Your order of $1,299.00 has been placed
A
Amazon Orders
auto-confirm@amazon-orders.info
8:52 AM
Thank you for your order of an Apple iPhone (1,299.00). If you did not place this order, cancel it within 24 hours here: amazon-orders.info/cancel
Cancel order
Example 3 · Microsoft “password expires today”
Your password expires today — action required
M
Microsoft Account Team
account-security@micros0ft-support.com
7:30 AM
Your Microsoft 365 password expires today. To keep your mailbox active, verify your account now: micros0ft-support.com/verify
Keep my password
Example 4 · Netflix “payment declined”
Your membership is on hold — update payment
N
Netflix
billing@netflix-account.info
6:05 PM
We couldn't process your last payment, so your membership is on hold. Update your billing details to avoid cancellation: netflix-account.info/billing
Update payment
Example 5 · DocuSign “document to sign”
You have a document waiting for signature
D
DocuSign
dse@docusign-secure.net
10:41 AM
A document has been sent to you to review and sign. Please review and act on this document: docusign-secure.net/review
Review Document
Example 6 · IRS “tax refund”
You are eligible for a refund of $978.42
I
IRS Refund Center
refund@irs-gov.online
2:18 PM
After the last calculation of your fiscal activity, you are eligible to receive a tax refund of $978.42. Submit your refund request: irs-gov.online/refund
Claim refund
Example 7 · Geek Squad “auto-renewal receipt”
Your Geek Squad protection has been renewed — $399.99
G
Geek Squad
billing@geeksquad-renewal.com
11:07 AM
Your annual Geek Squad protection plan was auto-renewed for $399.99. If you wish to cancel this charge, call our billing team at +1 (888) 555-0143 within 24 hours.
Other versions you might get: The brands change — your bank, a delivery company, a crypto exchange — but the four moves stay the same: a look-alike sender, an alarming or too-good subject, a deadline, and a link that goes somewhere other than where it claims.
What to do right now
Don't click any link, open attachments, or call a number in the email.
Check your real account by opening the app or typing the company's address yourself. If there were a real problem, it would show there — not only in the email.
If you already clicked and entered a password: change that password, turn on two-factor authentication, and watch that account and any linked card. You are very likely fine if you didn't enter anything.
Report it. Forward the email to the impersonated company's phishing address (e.g. phishing@paypal.com) and to reportphishing@apwg.org, then file at reportfraud.ftc.gov.
Delete it, and mark it as phishing so your inbox filters the next one.
How to make sure it never bites you
If you opened one of these and are worried — take a breath. Opening or reading a phishing email doesn't compromise you; the harm only starts if you enter details or download something. If you didn't, you're fine. If you did, the steps above limit it fast. To reduce how many land at all, see how to lock down your accounts.
Public service
Untrappable · Public service advisory
Stop the next one at the source
You got this because your details are on lists that get bought, sold, and leaked. You can't unspill that, but you can make it useless to a scammer. Start with the free steps — they do most of the work.
If you'd rather have it watched for you, an identity-protection service monitors your accounts, SSN, and the dark web, warns you the moment something new appears, and helps you recover if someone gets through.
Affiliate link — we may earn a commission at no extra cost to you. It never changes our verdicts. Why we can still be trusted.
Keep this · forward it to someone who needs it
Frequently asked
What does a phishing email look like?+
It looks like a normal message from a brand you know, but with tells: the sender's real address is a look-alike (paypa1-billing.com, not paypal.com), the subject alarms or tempts you, there's a deadline or threat, and a link goes somewhere other than the real site. The seven examples on this page show each one marked up. Learn the five shared tells and you can spot a new one whatever brand it copies.
How can I tell a real email from a phishing one?+
Check the full sender address, not the display name — real ones use the exact company domain. Hover or long-press a link to see where it truly goes before you tap. And when in doubt, don't use the email at all: open the company's app or type its address yourself and check there. Real companies don't threaten you with a same-day deadline to keep your account.
What should I do if I clicked a link in a phishing email?+
Don't panic — clicking a link or opening the email alone usually doesn't harm you. The risk is if you entered a password or card number, or downloaded an attachment. If you did, change that password immediately, turn on two-factor authentication, watch the account and any linked card, and run a security scan if you downloaded anything. If you didn't enter anything, you're very likely fine.
How do I report a phishing email?+
Forward it to the impersonated company's phishing address (like phishing@paypal.com or phishing@irs.gov), and to the Anti-Phishing Working Group at reportphishing@apwg.org. Report it to the FTC at reportfraud.ftc.gov, then delete it and mark it as phishing. CISA's Recognize and Report Phishing has more.
Scams spread because people stay quiet about them. If this could have fooled you, it can fool someone you know — a parent, a friend, the family group chat. Passing it on is the easiest good thing you'll do today. It's safe to forward, and stands on its own as a record for a bank or the police.