Experts at Sophos said the scam email claims the recipient's account has been tampered with, but does not use a link or response address to bait PayPal users.
When a duped user calls the phone number, he or she hears the following message: "Welcome to account verification. Please type your 16-digit card number."
If incorrect information is entered, users hear a request for reentry, according to Sophos.
The new technique is an indication of malicious users' growing sophistication, said Ron O'Brien, senior security analyst at Sophos.
"This new technique is further evidence that spammers are getting smarter about the way they prey on innocent users," he said. "While many users have become too keen to click on links in unsolicited emails, it's more difficult for users to know the validity of a phone number."
PayPal is no stranger to phishing schemes, which have used a number of tactics to lure users to fraudulent websites. To this point, practically all such scams have used links to other sites or malicious email addresses.