Investigative reporter Deanna Dewberry from WHEC-TV, an NBC-affiliated local television station in Rochester, New York, reported last week on a scam involving hacked eBay accounts that not only hurts buyers but can also affect sellers.
Our explanation of this scam goes further than her reporting because we believe for this scam to work, the hacker has to have access to a hacked seller account that still accepts payments via PayPal. Here is why.
With PayPal, it is easy to transfer funds quickly between accounts. If the hacked seller account had transitioned to eBay Managed Payments, eBay would know the identity of the hacker(s) as the only method for them to turn the scam into cash would be to transfer the funds to a verified bank account. And that is highly unlikely unless they are really stupid.
In a nutshell, here is how the scam works:
- A hacker uses a hacked eBay seller account that has not migrated to eBay Managed Payments to list items; because the account has not migrated, it still lets the listings accept payments through a hacked PayPal account.
- Next, the hacker uses a hacked eBay buyer account that still has a connection to an active PayPal account to make purchases from the items listed by the hacked seller account. PayPal pays the hacked buyer from the hacked seller’s PayPal account.
- If the hacked buyer’s PayPal account has a zero balance, PayPal will fund the purchase from the backup payment method many users link to when they originally signed up with PayPal. This is typically either a bank account, debit card, or credit card from the hacked buyer.
How the hacked buyer becomes the victim here is easy to see, as the funds come out of the financial accounts still connected to their PayPal account. Fortunately, most financial institutions will credit the money back once the scammed buyer states they do not recognize the charges. eBay does not really need to be involved, since it incurs no loss on the buyer’s side, but the buyer may still want to report the scam to the eBay Fraud Department so that eBay can take the appropriate action on the seller’s account.
For sellers that may get caught up in this scam, it’s a bit more complicated. Unless the hackers are nice (doubtful) and pay the Final Value Fees (FVF), eBay will eventually charge the FVF to the seller’s payment method. While sellers may enjoy the same protection from their financial institution for fraudulent charges, just filing a fraud claim with the bank or credit card company without contacting eBay may not make the problem go away. Actually, it could make it worse.
Once the seller files the fraud claim (or chargeback) with their financial institution and eBay is notified of the claim, eBay will probably place a hold on the seller’s account for unpaid fees. If the seller doesn’t pay the unpaid FVF fees, eBay will eventually turn the account over to collection, possibly even impacting their credit report if the seller is a sole proprietorship.
Therefore, it is advisable that affected sellers immediately contact eBay’s Fraud Department before filing a fraud claim with their financial institution. Ideally, this situation should be handled with eBay alone because of the potential that eBay could close the seller’s account and send the unpaid fees out for collection.
In addition, there may be other complexities. For example, some of the fees may be valid fees that should be paid if the seller is still active. Trying to dispute only part of an amount in a fraud claim with a financial institution can become complicated and may lead the institution to deny the chargeback or claim altogether.
eBay and PayPal Are Not Root Cause of Scam – Just The Method
Unfortunately, this is another piece of the scam. The most likely way the hackers gained access to the eBay and PayPal accounts was through poor security practices by users, not because eBay or PayPal themselves were hacked.
Today, many users use the same username/email address and password combination for too many online services and accounts. For example, last month, we reported a hacker sold up to 14 million alleged eBay and Amazon accounts on the ‘darknet’ and that these compromised accounts likely originated from leaks or brute force attacks on other systems or services. There is really nothing eBay and PayPal can do to avoid this kind of problem when people engage in poor account security practices.
The way this exploit works, commonly called credential stuffing, is that once hackers have a username/email address and password combination, they try that same combination on popular online services to gain access. eBay and PayPal are very popular, so it makes sense that hackers would try these services. Sometimes they cannot do much harm once they get in, but other times those two pieces of information are all they need to run a scam that drains bank accounts or charges credit cards indirectly, which is exactly how this scam works.
Suggestions for Best Account Security Practices
It cannot be stressed enough that good account security practices for accounts that may have direct or indirect access to bank accounts, credit cards, or debit cards should start by using a unique username/email and password combination that is extremely difficult to guess.
Furthermore, users should always update older accounts to an email address they routinely monitor, another often overlooked weakness many do not think about. Why? Because today many online services send out a notification to the email on file when the account is accessed from an unknown location or device. This is like an early warning security alert that something may be wrong before the damage is done.
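As an added illustration of the two points above (it is not code from the article or from eBay/PayPal), the following Python sketch shows the defender's side of each: flagging source IPs that spray one credential combination across many accounts, and raising the "new device" alert that becomes the early warning the monitored email address delivers. The events, device identifiers and thresholds are constructed assumptions for the example.

```python
"""Added example (not from the article): two login-telemetry checks the
text describes, run over constructed login events.
  1. stuffing_sources: flag IPs whose attempts span many distinct
     usernames with a high failure ratio (credential stuffing pattern).
  2. new_device_alerts: flag the first successful login of an account
     from a device it has not used before, i.e. the notification a user
     receives only if the email on file is one they actually monitor.
Field names and thresholds are assumptions chosen for illustration."""
from collections import defaultdict

# Constructed sample events: (source_ip, username, device_id, success)
EVENTS = [
    ("203.0.113.7", "alice", "dev-x1", False),
    ("203.0.113.7", "bob", "dev-x1", False),
    ("203.0.113.7", "carol", "dev-x1", False),
    ("203.0.113.7", "dave", "dev-x1", True),    # one reused password hit
    ("198.51.100.2", "alice", "dev-a1", True),  # alice's usual device
    ("198.51.100.2", "alice", "dev-a1", True),
    ("198.51.100.9", "alice", "dev-z9", True),  # alice from an unknown device
]


def stuffing_sources(events, min_users=3, min_fail_ratio=0.5):
    """Return IPs that tried at least `min_users` distinct usernames and
    failed at least `min_fail_ratio` of their attempts."""
    by_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0})
    for ip, user, _dev, ok in events:
        stats = by_ip[ip]
        stats["users"].add(user)
        stats["total"] += 1
        stats["fails"] += 0 if ok else 1
    return sorted(ip for ip, s in by_ip.items()
                  if len(s["users"]) >= min_users
                  and s["fails"] / s["total"] >= min_fail_ratio)


def new_device_alerts(events, known=None):
    """Replay successful logins in order and return (user, device_id) pairs
    that warrant a 'new device' notification. `known` seeds each account's
    previously seen devices; it is copied so the caller's dict is untouched."""
    seen = defaultdict(set, {u: set(d) for u, d in (known or {}).items()})
    alerts = []
    for _ip, user, dev, ok in events:
        if ok and dev not in seen[user]:
            alerts.append((user, dev))   # this is the email the user should get
            seen[user].add(dev)
    return alerts
```

With the sample data, the spraying IP is flagged, and both the attacker's successful login to dave's account and alice's login from an unseen device produce alerts.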
In addition to these two very basic tips, both eBay and PayPal provide information on best practices to keep all of your accounts secure and safe.
And finally, if you no longer use a service, just cancel and delete the account as that is the ultimate and most secure way to keep digital thieves from accessing your information.
Connect With Us And Other Small Business Owners
Please head over to our Facebook Group for Small Business Sellers and interact with other small business owners.