> The trick is in the subject line, not the email
>
> When most people think "phishing email," they picture sketchy senders, broken English, and links to weird domains. This scam is the opposite. The email passes every authenticity check — SPF, DKIM, DMARC, all green. It comes from PayPal's actual mail servers. The fonts are right. The footer is right. The unsubscribe link works. If you forwarded it to a security expert and asked "is this really from PayPal?" they'd have to say yes.
>
> So how is it a scam?
>
> Scammers have figured out that PayPal lets anyone send small amounts of money to anyone else, and that PayPal will dutifully email the recipient a notification. The scammer sends you a payout of, say, one Hungarian forint — about a quarter of a cent. PayPal's system then automatically generates and sends you a real, legitimate, fully-authenticated email confirming the transaction.
>
> Here's the catch: the email's subject line is whatever the scammer typed when they set up the payout. PayPal doesn't sanitize it. So they write something terrifying like "Pending charge of USD 987.90 — call this number with questions" and PayPal's servers cheerfully deliver that subject line straight to your inbox, wrapped in a perfectly legitimate-looking notification.
>
> The actual transaction in the email body is for 1 forint. There is no $987.90 charge. There never was. But by the time most people read carefully enough to notice that, they've already dialed the number.

https://www.tedcromwell.com/blog/that-pending-paypal-charge-email-is-a-scam-even-though-it-really-came-from-paypa

That "Pending PayPal Charge" Email Is a Scam — Even Though It Really Came From PayPal

If an email recently landed in your inbox with a subject line like "Pending charge of USD 987.90 for account activation. Questions? Call 855 629-1161" — don't c

Ted Cromwell
@QueerSatanic I’ve seen scammers abuse PayPal’s infrastructure a few different ways to send emails to their targets, and every time I’ve contacted PayPal about it they’ve refused to even consider fixing their infrastructure to block the scammers. That these scams are possible is PayPal’s fault, and if we took consumer protections at all seriously they would be held legally responsible for their part in the scams.

@QueerSatanic
The tiny payment shows up in the app, too.

“One forint please Vassili. One forint only.”
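
A mail-filter heuristic for the pattern the quoted post describes, as an added example that is not part of this thread or the linked article: since SPF, DKIM and DMARC all pass, it inspects the subject instead, flagging a phone number there and any dollar amount that the body never mentions. The function name, sample messages, header values and the 555 phone number are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# US-style phone number and a dollar amount such as "USD 987.90" or "$987.90"
PHONE = re.compile(r"(?<!\d)\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
AMOUNT = re.compile(r"(?:USD|\$)\s?(\d[\d,]*\.\d{2})", re.I)

def subject_lure_findings(raw: str) -> list[str]:
    """Return reasons an authenticated notification still looks like a callback lure."""
    msg = message_from_string(raw, policy=default)
    subject = str(msg["Subject"] or "")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    findings = []
    if PHONE.search(subject):
        findings.append("phone number in subject")
    # An amount in the subject that the body never mentions is free text,
    # not transaction data generated by the payment system.
    for amount in AMOUNT.findall(subject):
        if amount not in text:
            findings.append(f"subject amount {amount} absent from body")
    # Passing authentication proves the sending domain, not who wrote the subject.
    auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    if findings and "dmarc=pass" in auth.lower():
        findings.append("dmarc=pass: sender is genuine, subject text is not vetted")
    return findings

# Constructed sample messages (not captured mail).
HEADERS = (
    "From: service@paypal.com\n"
    "Authentication-Results: mx.example.net; spf=pass;"
    " dkim=pass header.d=paypal.com; dmarc=pass\n"
    "Content-Type: text/plain\n"
)
LURE = HEADERS + (
    "Subject: Pending charge of USD 987.90 for account activation. "
    "Questions? Call 855 555-0100\n\nYou received a payout of 1 HUF.\n"
)
BENIGN = HEADERS + (
    "Subject: You received $10.00 USD\n\nYou received $10.00 USD from a sender.\n"
)

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, subject_lure_findings(raw))
```
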