paypal fraud - matching user's email with paypal email

[fireboat786]

Hello
I have VM 1.0.5 and am using Paypal. This is a shop only selling downloadable goods.
My shop automatically sets order status to confirmed after a successful paypal payment.
I have had some fraudulent transactions where a user uses an un-authorized paypal email address and makes a payment.

I noticed that generally this is happening if the user's email address (where the download link gets sent) is different than the paypal address.

My idea is to either

- only send the downloadable link to the paypal email address
- set the order status to pending if the paypal and user's email address don't match
- make all paypal payments pending (I suspect some will prefer this due to other security problems)

Has anyone done either of these before or have other ideas?
I am not familiar with the VM code.

thanks