Fake PayPal password-reset notification sent from a non-PayPal domain — credential-harvest cross-domain phish; the reset link points off-brand to a lookalike portal, never to paypal.com. Real PayPal security emails originate from paypal.com / e.paypal.com only.

Fake PayPal password-reset, security-alert, or "we noticed unusual activity" notice sent from a non-PayPal sending domain (i.e. From / Reply-To / link domains do not align with paypal.com / e.paypal.com / paypalcorp.com) demanding the recipient click an embedded link to reset credentials or verify identity — high-volume credential-harvest cross-domain phish. Real PayPal security email originates exclusively from paypal.com or e.paypal.com with DMARC-aligned signing; password-reset links must terminate at paypal.com itself, never at lookalike portals. The cross-domain mismatch (off-brand From + off-brand link) is the defining signal: PayPal does not delegate password resets to third-party domains. Distinct from generic urgent-action-phish — this targets the PayPal-password-reset / verify-account / cross-domain From-link mismatch pretext. Detection: PayPal brand vocabulary (password reset, account locked, unusual activity) + sender or link domain ≠ paypal.com / e.paypal.com + no DMARC alignment with PayPal infrastructure. Trash score: +5. Source: GC1-R31; APWG PayPal phishing tracker 2025; PayPal anti-phishing guidance; FTC payment platform impostor advisory.