by toast0
3361 days ago
From my experience, until recently, all an SSL certificate meant is you're competent enough to receive mail for postmaster@, and you have a working credit card. With LetsEncrypt, the bar is even lower. Given the push for 100% HTTPS, of course scammers are going to get certificates for their sites if the cost is low enough (still higher cost than using a lock favicon, but hey). While a traditional CA might require human review to issue a cert for paypalscam.example.org, they would probably issue *.example.org, so a scammer would just have to pay a little more for the wildcard. Since LetsEncrypt participates in certificate transparency, a benefit is that PayPal can watch for all certificates issued with their name in the hostname, and check if they need to start a takedown sooner than if they wait for reports of phishing.
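The certificate transparency watch described in the comment above, as an added example that is not part of the original comment: it filters the DNS names of logged certificates for a watched brand string and skips names under the brand owner's own domains. The record layout, the `OWNED_DOMAINS` set and all sample entries are constructed assumptions, not output from a real CT log.

```python
# Added example: brand-name matching over DNS names taken from CT log entries.
BRAND = "paypal"                 # brand string to watch for (from the comment)
OWNED_DOMAINS = {"paypal.com"}   # assumption: domains the brand owner controls

# Constructed sample records: the DNS names (subject alternative names) a
# CT monitor would extract from each newly logged certificate.
SAMPLE_CT_ENTRIES = [
    {"issuer": "Example CA", "dns_names": ["www.paypal.com", "paypal.com"]},
    {"issuer": "Example CA", "dns_names": ["paypalscam.example.org"]},
    {"issuer": "Example CA", "dns_names": ["*.example.org"]},
    {"issuer": "Example CA", "dns_names": ["PayPal-login.example.net", "example.net"]},
    {"issuer": "Example CA", "dns_names": ["paypal.com.example.org"]},
]


def normalize(name):
    """Lower-case a DNS name, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def is_owned(name):
    """True if the name is an owned domain or a subdomain of one.

    The match is on a label boundary, so 'paypal.com.example.org' and
    'notpaypal.com' do not count as owned.
    """
    return any(name == d or name.endswith("." + d) for d in OWNED_DOMAINS)


def suspicious_names(entries, brand=BRAND):
    """Return logged names that contain the brand but are not owned by it."""
    hits = []
    for entry in entries:
        for raw in entry["dns_names"]:
            name = normalize(raw)
            if brand in name and not is_owned(name):
                hits.append(name)
    return hits


if __name__ == "__main__":
    for name in suspicious_names(SAMPLE_CT_ENTRIES):
        print("review for takedown:", name)
```

The `*.example.org` entry is not flagged: a wildcard certificate never puts the brand string in the log, which is the gap the comment points out for wildcard issuance.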