PayPal has long been synonymous with the phrase “online payments,” and for good reason. It offers a secure and easy way to make payments and conduct online transactions. Unfortunately, the ease and convenience that PayPal offers also make it a prime target for cybercriminals who want to abuse the platform for their own malicious purposes. In this article, we go over some of the most common scams on PayPal and the steps you can take to protect your account.
Common PayPal scams
- Phishing Emails: The oldest and most common type of attack on the Internet remains phishing, and the same technique applies to PayPal as well. Cybercriminals trick users into handing over their credentials or compromising their machines by posing as a legitimate email from PayPal. These messages may claim that the account has been locked or demand an urgent password reset, creating enough pressure that users act without thinking. They are accompanied by links to fake websites that look exactly like PayPal but exist only to harvest credentials.
- PayPal “smishing” attacks: In this type of phishing, attackers send fraudulent text messages instead of emails, containing malicious links or fake fraud alerts. The short format of a text message hides the telltale signs (sender address, full URL, formatting) that users can spot in a traditional phishing email.
- Overpayment messages: In this scam, the cybercriminal poses as a legitimate buyer but sends over an invoice for a higher amount than agreed and asks for the difference back. The catch is that the cybercriminal typically uses a stolen account and hopes the victim will send the refund before the fraudulent account is discovered and blocked; once the refund has been sent, the original sale is canceled and the victim is left out of pocket. A variation of this fraud is “wrong person fraud,” in which the attacker pretends to have sent you funds by accident and asks you to refund the amount, with the same result.
- Fake Invoice scam: This scam is more advanced than the others: the criminal uses a legitimate PayPal account to send you fake invoices through PayPal itself. The invoices contain a message explaining why you supposedly owe money and a contact phone number for more details. When you call, the cybercriminal attempts to trick you into downloading malicious software that compromises your computer. This attack is more difficult to detect because it originates within PayPal and from a legitimate account.
- Bitcoin scam: Similar to a fake invoice scam but with the added twist that the attackers pretend to be a Bitcoin exchange. Victims will receive a fake invoice with a seller’s note about a Bitcoin purchase. Once the user calls the stated number, they will be socially engineered into paying a small amount to get the funds back or have their information stolen.
- Shipping Address Scams: In this scam, cybercriminals abuse the PayPal process that follows a legitimate purchase. After buying an item, they change the shipping address and then complain to PayPal that the item was never received, which gets them a refund. Again, because this scam runs through PayPal’s own processes, its success rate is much higher.
- Charity scams: In this scam, cybercriminals exploit people’s generosity by setting up fake charities and asking for donations. By creating fake profiles on social media, they lend legitimacy to their requests and get users to transfer funds to what they believe is a charitable cause.
- “Upfront fees” scams: You will get a message telling you that a huge amount has been deposited in your account, but you need to pay a small “upfront” fee to access it. Once the payment is made, the person disappears or keeps asking for more money.
- “Technical support” scams: Cybercriminals impersonate PayPal technical support and inform victims that their account is either blocked or compromised. The urgency this creates is used to steal their credentials or two-factor authentication codes, or to get them to install malicious software.
How to avoid becoming a victim of PayPal scams
As should be obvious by now, the scams targeting the PayPal platform are many and diverse. Technical controls are not enough, and awareness of these scams is key to avoiding becoming a victim. The first step for every user should be to learn about these scams and the common social engineering tactics that trick people into handing over sensitive information: check the source of emails, verify the legitimacy of messages, do not carry out “urgent” actions on demand, and so on. Users should also follow the guidelines PayPal provides for reporting such emails.
Apart from awareness, other vital controls are:
- Implementing Multi-Factor Authentication (MFA) on your account. This is not foolproof, as cybercriminals have adapted to MFA and will use social engineering to obtain your two-factor codes. Still, there is no denying the extra layer of security that MFA provides.
- Staying within the PayPal platform for all transactions. Do not leave the platform to carry out any transaction, and beware of any URLs or messages that require you to click on them to reach PayPal. Always type the address yourself in the browser.
- Make sure you monitor your account for any suspicious activity or transactions that seem out of the ordinary. Immediately inform PayPal support of anything that seems like a scam, as it is better to be proactive!
- Always be suspicious of offers: Make sure to verify the authenticity of sellers on the platform via reviews and testimonials. Investigate if the seller has an online presence and what other users have said about their business before moving ahead.
- Be wary of invoices you do not recognize. Refrain from getting alarmed if someone claims that you have made a payment, and verify the authenticity of the purchase first.
Scams targeting PayPal and other popular platforms are not going away anytime soon and will only become more sophisticated. Users must educate themselves on these scams and the best practices to reduce the risks of falling victim to them and enjoy the benefits of online transactions.
FREQUENTLY ASKED QUESTIONS
What are some common PayPal scams?
Common PayPal scams include phishing emails, overpayment scams, shipping address scams, and fake charity scams. Scammers often use deceptive tactics to access your account or trick you into sending them money.
How can I verify if an email is genuinely from PayPal?
Always check the sender’s email address to ensure it comes from an official PayPal domain (e.g., @paypal.com). Be cautious of any emails that demand immediate action or request sensitive information. If you need clarification on the legitimacy of an email, contact PayPal directly through their official channels to verify its authenticity.
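An added example (not from the article) of the check above in Python: it treats the sender domain as official only when it is paypal.com or a subdomain of it, flags links that point elsewhere, and, because the From header alone can be forged, also looks for passing SPF and DKIM results, which the receiving mail server records in the Authentication-Results header. The sample message and the mx.example server name are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Allow-list taken from the article's advice (@paypal.com); confirm it
# against PayPal's own published domains before relying on it.
OFFICIAL_DOMAINS = {"paypal.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_official_host(host: str) -> bool:
    """True only if host is paypal.com or a subdomain of it.
    The leading dot in the suffix check rejects look-alikes such as
    'paypal.com.example' or 'notpaypal.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def triage_email(raw: str) -> dict:
    """Collect the warning signs a defender checks in a 'PayPal' email."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    # The From header is attacker-controlled; trust it only if the receiving
    # mail server recorded passing SPF and DKIM results for the message.
    auth = msg.get("Authentication-Results", "").lower()
    authenticated = "spf=pass" in auth and "dkim=pass" in auth
    body = msg.get_payload(decode=True).decode(errors="replace")
    bad_links = [u for u in URL_RE.findall(body)
                 if not is_official_host(urlparse(u).hostname or "")]
    return {
        "sender_domain_official": is_official_host(sender_domain),
        "authenticated": authenticated,
        "suspicious_links": bad_links,
        "likely_phishing": (not is_official_host(sender_domain)
                            or not authenticated or bool(bad_links)),
    }


# Constructed sample, not a real message: look-alike sender and a fake link.
PHISH = """From: PayPal Service <service@paypal.com.account-verify.example>
Authentication-Results: mx.example; spf=fail; dkim=none
Subject: Your account has been limited
Content-Type: text/plain

Log in within 24 hours: https://paypal.com.account-verify.example/login
"""

if __name__ == "__main__":
    print(triage_email(PHISH))
```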
What steps can I take to protect myself from PayPal scams?
To protect yourself from PayPal scams, verify email communications, use PayPal’s official platform, monitor your account regularly, enable two-step verification, and be wary of unsolicited offers. Conduct thorough research and maintain a proactive approach to online security.
What is two-step verification (2SV), and why is it important?
Two-step verification (2SV) is an additional layer of security that requires you to enter a unique code, usually sent to your mobile device, along with your password during the login process. Implementing 2SV makes it more difficult for scammers to access your account, even if they have your login credentials.