I operate a small not-for-profit site that has a (very inexpensive) subscription. To avoid this, I do a few things:
- We have a no-questions-asked unlimited refund policy.
- I don't tolerate unverified PayPal buyer purchases. However, if someone tries to buy with one, I activate the subscription, and then contact the buyer via the e-mail/phone number they signed up with, confirm they're a real person, and then send them a PayPal invoice.
- Only subscriptions can be purchased.
- To the maximum extent possible, we've configured the flow when using PayPal to not tell the user if a transaction is declined. I.e., the subscription still gets activated and then we call the user to arrange other payment options.
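
The flow described in the comment above, sketched as an added example that is not part of the original comment or the site's code: every checkout returns the same response, so the page gives no signal about whether a payment method was accepted, and the differences live only in a staff-side follow-up queue. The outcome names, the `Account` fields, and the deactivation step when follow-up fails are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed processor outcomes; the comment does not give PayPal's real status names.
APPROVED, DECLINED, UNVERIFIED = "approved", "declined", "unverified_buyer"

# The single response every buyer sees, whatever the processor reported.
PUBLIC_RESPONSE = {"status": 200, "body": "Thanks! Your subscription is active."}


@dataclass
class Account:
    email: str
    active: bool = False
    paid: bool = False
    follow_up: list = field(default_factory=list)  # staff-only work queue


def handle_checkout(account: Account, outcome: str) -> dict:
    """Activate the subscription and return an outcome-independent response."""
    if outcome not in (APPROVED, DECLINED, UNVERIFIED):
        raise ValueError(f"unknown processor outcome: {outcome!r}")
    account.active = True                 # activated in every case
    account.paid = outcome == APPROVED
    if outcome == UNVERIFIED:
        # Contact the buyer, confirm a real person, then invoice them.
        account.follow_up += ["confirm_identity", "send_invoice"]
    elif outcome == DECLINED:
        # Call the user to arrange another payment option.
        account.follow_up.append("call_to_arrange_payment")
    return dict(PUBLIC_RESPONSE)          # copy, so callers cannot alter the template


def resolve_follow_up(account: Account, confirmed_real: bool, paid: bool) -> None:
    """Staff step after reaching (or failing to reach) the buyer out of band."""
    account.follow_up.clear()
    account.paid = paid
    if not (confirmed_real and paid):
        # Assumption: an unconfirmed or unpaid account is switched off.
        account.active = False
```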