Hacked eBay account changed PayPal address £25k stolen
What happens to a hacked eBay account? Sometimes the hackers simply list a lot of high-value goods in the hope that a few will sell, collect the cash into a PayPal account and disappear before they are caught. But there is a more sophisticated scam, which a Tamebay reader has just discovered has been running on his account: a changed PayPal address for payments on his listings.
The reason this one is so hard to catch is that hackers who gain access to your eBay account may change the PayPal address on only a couple of listings. In this instance they chose listings of low value but with high sell-through rates, and created a new email address just one character different from the legitimate PayPal address the seller used, which is hard to spot.
Perpetrated in January 2019, the fraud wasn’t discovered until July 2019, and then only by pure fluke when a customer asked for a refund, by which time well over £25k had been diverted through the edited PayPal address on a handful of listings. It’s not just the income that’s lost. There are also the thousands of pounds paid in eBay Final Value Fees, the cost of goods, the cost of packaging, the cost of shipping, the cost of staff to pick and pack and warehousing costs, not to mention the VAT the seller has paid on these items whilst making a total loss on each sale.
PayPal have washed their hands of such fraud. Once, when they were part of eBay, the same customer service team looked after both eBay and PayPal and the two were inextricably interlinked. Now they take one look at the PayPal account and naturally say “Well, your PayPal account wasn’t hacked, so it’s not our problem”. They won’t even confirm the amount processed from the eBay account through the nefarious PayPal account, claiming GDPR and privacy won’t let them.
You might wonder why the seller didn’t spot this earlier, and it’s a fair question. But when you are a multi-million pound seller getting hundreds of sales a day and using third-party software to process orders, you probably just ship what is marked as paid. There comes a level at which it’s just not possible to reconcile every single sale with PayPal, and you trust the software.
The seller had realised that their P&L for the past six months was somewhat disappointing, but had put this down to the ever-increasing costs of selling on eBay: postal price rises, supplier price rises, increasing staff wages, increased competition and the cost of trading on marketplaces, not to mention new fees such as eBay Promoted Listings. Against that background it’s hard to spot a relatively small (percentage-wise) but continuous drip of money into a hacker’s account.
This type of hacked eBay account is nothing new – there’s a case on the eBay forums of funds being diverted from a hacked eBay account from February 2018.
How do you protect yourself?
The first thing to do is keep your eBay account secure. Don’t share your password, and make sure that it’s a strong one in the first place. Two-factor authentication is available for eBay (although it’s a pain in the neck to use, especially if you have multiple staff). Bear in mind that two-factor authentication protects the login; it does nothing to undo a payment address that has already been changed on a listing.
In the two cases cited above, it appears a hacker compromised the eBay listings. However, we’ve heard of cases where sellers simply mistyped their PayPal payment address and funds went to a non-existent PayPal email address.
Bear in mind that you also need to trust your staff. An inside job would be the easiest of all scams to pull off, since staff have access and the ability to change your payment email address, although we’ve never heard of this happening.
This is a clear case where multi-layered eBay account access is called for. Whilst your staff are, one would hope, totally trustworthy, it may have been one of them who clicked on a dodgy link in an email or visited a dodgy website, inadvertently giving the hacker access to your eBay account.
Finally, if your sales seem healthy but profits are down, question why immediately and start checking whether the PayPal email address has been changed on any of your listings through a hacked eBay account.
Years back a friend of mine was running a small eBay business selling camera and phone parts and trusted an employee to do the listing. Ultimately they did the inside scam by changing the email address, and it wasn’t noticed until they had left and more money was coming in for the same amount of sales. As data is not kept for a long time it was hard to get the exact figure, but it was somewhere in the region of £3000-£5000. I think they got a little back.
For this reason I will never give employees access to our eBay account. Multi-channel packages are the only way to work without giving access to the eBay account, although sometimes it would be useful for staff to have access to eBay to reduce the workload.
This exact same thing happened to our account last year: they changed a single letter in the PayPal address and used it on our number one best-selling listing (the unit is only 14.99), and they made away with 10k before I noticed a few days later.
Selling over 450k every 2 weeks on eBay, it was hard to spot, and I only occasionally check the payment addresses.
PayPal obviously washed their hands of it, and we had the police involved.
Very interesting and scary at the same time! Is there a way to check all your listings at once, or pull them into a spreadsheet, to check the PayPal email addresses?
It would be nice if there were such an easy way, but I’m not aware of one. Even if it doesn’t exist, you can just look at the PayPal payments received total and compare it with your eBay sales total for the same period. If it matches, or is close, no problems. Though if you use the same email address for other incoming PayPal payments, it wouldn’t work.
You can also bulk edit your payment details on eBay. Select all and update. If there were any other emails diverting funds away, that would get rid of them.
I believe you can easily detect when your payment details have been hacked and altered. Firstly, you need to ensure all eBay payments (for your listings) are made via a default “business policy”. In my case I have set up three business policies which cover all my listings:
1 for payments
1 for returns
1 for postage
The policies can be viewed and altered on the eBay page entitled “Manage your business policies”.
On this page, in regard to payments, you can see the PayPal payment address and other important details, including the number of listings using the payment policy. A hacker who wants to alter a few of my listings’ payment details will need to set up a new business policy, which will be clearly visible on the “Manage your business policies” page, together with the hacker’s PayPal payment email address and the number of listings using that policy. Also, if the hacker (or the legit user) changes the current payment policy, it will be noted and displayed under “Update status”.
I simply log in to my policy page every now and again to check it is still normal.
If anybody thinks the above is wrong (and I am being lulled into a false sense of security), please advise, as I need to know.
It also emphasises that we tend to look at sales ‘revenue’ and assume the cash follows naturally. There are old accountants’ sayings about this, to the effect:
sales = dreams,
profits = wishes,
cash = sanity.
Using 2-step may be a pain, and texts occasionally stop coming through when you have multiple staff members trying to get in at the same time, but it is worth it to keep an account secure.
You are only as secure as your most vulnerable staff member unless you have 2-step installed, and most phishing scams are so good these days that some staff won’t think twice before logging in on what they think is a legitimate page.
eBay needs to give multiple-user functionality, and fast.
We’re an eBay seller, and recently we received an email from someone stating that they would like to buy a large quantity of our product.
We emailed back to ask which products, and they sent us back a link which took us to a page made to look like an eBay login page.
Luckily we spotted that it wasn’t legit, but it would have been very easy to be scammed by this!
Just announced at eBay Open yesterday: multi-user access is live in the US.
eBay don’t do anything fast that is of any real use. But they can add very long order numbers to the sales you make now, which nobody wanted and nobody needed, just so they look like Amazon.
This is what I do to get early warning of this potential problem.
1. Using the Trading API SetNotificationPreferences call, I set the ‘ItemRevised’ notification to send me an email every time any of my listings is revised. This could be sent to any email address. It may be possible to do this by some other method.
2. Using Outlook Express message rules, I get OE to delete any of these notifications that contain the correct PayPal email address. Any that don’t go into my Inbox and are displayed in red.
This has never happened to me, but if I ever get a red email I’ll need to take prompt action.
Perhaps something along these lines could be used by big sellers. Their employees don’t need to know anything about it.
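One way to automate the check the commenter above describes, and the bulk listing audit asked about earlier in the thread, as an added example that is not code from the original post, from Tamebay or from any commenter. It assumes you can export your listings as records with an item ID and PayPal email (from Trading API GetItem/GetSellerList responses or a CSV from your listing tool) and that ItemRevised notifications arrive as Trading API SOAP XML in the `urn:ebay:apis:eBLBaseComponents` namespace; the expected address, the listings and the notification below are constructed sample data, not real accounts.

```python
"""Audit eBay listing payment addresses for a diverted PayPal email.

Added example, not from the original post. Assumes listing records with
item_id and paypal_email fields and Trading API ItemRevised notifications.
"""
import xml.etree.ElementTree as ET

EBAY_NS = {"e": "urn:ebay:apis:eBLBaseComponents"}

# Constructed sample data: the legitimate address and a small listing export.
EXPECTED = "payments@example-shop.co.uk"
SAMPLE_LISTINGS = [
    {"item_id": "110000000001", "title": "Phone case",
     "paypal_email": "payments@example-shop.co.uk"},
    {"item_id": "110000000002", "title": "Screen protector",
     "paypal_email": "payment@example-shop.co.uk"},      # one letter off
    {"item_id": "110000000003", "title": "Charger",
     "paypal_email": "payments@example-shop.co.uk "},     # stray whitespace only
    {"item_id": "110000000004", "title": "Cable",
     "paypal_email": "cashout@attacker.example"},         # obviously wrong
]

# Constructed ItemRevised notification (shape of a Trading API GetItemResponse).
SAMPLE_NOTIFICATION = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <GetItemResponse xmlns="urn:ebay:apis:eBLBaseComponents">
      <NotificationEventName>ItemRevised</NotificationEventName>
      <Item>
        <ItemID>110000000002</ItemID>
        <PayPalEmailAddress>payment@example-shop.co.uk</PayPalEmailAddress>
      </Item>
    </GetItemResponse>
  </soapenv:Body>
</soapenv:Envelope>"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a single changed character scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_listings(listings, expected_email, near_miss=2):
    """Return every listing whose PayPal address is not the expected one.

    Addresses are compared case-insensitively with whitespace stripped, so a
    cosmetic difference is not reported. Each finding carries the edit distance
    and a 'lookalike' flag so that a one-character variant (the trick in the
    post) is ranked above an address that is plainly someone else's.
    """
    expected = expected_email.strip().lower()
    findings = []
    for item in listings:
        email = (item.get("paypal_email") or "").strip().lower()
        if email == expected:
            continue
        dist = levenshtein(email, expected)
        findings.append({
            "item_id": item["item_id"],
            "paypal_email": item.get("paypal_email"),
            "distance": dist,
            "lookalike": 0 < dist <= near_miss,
        })
    findings.sort(key=lambda f: f["distance"])
    return findings


def paypal_email_from_item_revised(xml_text):
    """Extract (ItemID, PayPalEmailAddress) from an ItemRevised notification."""
    root = ET.fromstring(xml_text)
    item = root.find(".//e:Item", EBAY_NS)
    if item is None:
        return None
    item_id = item.findtext("e:ItemID", default="", namespaces=EBAY_NS)
    email = item.findtext("e:PayPalEmailAddress", default="", namespaces=EBAY_NS)
    return item_id, email


def needs_attention(xml_text, expected_email):
    """Equivalent of the mail rule above: True unless the revised listing still
    pays to the expected address. A notification we cannot parse is treated as
    suspicious rather than silently discarded."""
    parsed = paypal_email_from_item_revised(xml_text)
    if parsed is None:
        return True
    _, email = parsed
    return email.strip().lower() != expected_email.strip().lower()


if __name__ == "__main__":
    for f in audit_listings(SAMPLE_LISTINGS, EXPECTED):
        tag = "LOOKALIKE" if f["lookalike"] else "MISMATCH"
        print(f"{tag} item {f['item_id']}: {f['paypal_email']} (distance {f['distance']})")
    print("revision needs attention:", needs_attention(SAMPLE_NOTIFICATION, EXPECTED))
```

Run this against a full listing export on a schedule rather than by hand; the sort order puts the near-miss addresses first, which is exactly the variant a quick eyeball check misses. Note that a payment address set through a business policy will not appear on the listing itself, so for policy-based listings the policy page check described further down the thread is the one to automate instead.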
We get the “I would like to buy your items” emails every day, and all lead to a fake login page. We just reply with “contact us in messages, as this item number (which is shown in the link) does not exist, so are you a scammer?”. Then take everything in your spam folder and forward it to their email. They love that.
When we get junk mail at home I save the prepaid envelopes and put everything in the largest envelope till it’s bulging, then tape it up, or just stick the envelope on a big parcel of junk mail and post it back to the freepost address. They then have to pay the excess postage. They love it.
This is unfortunately something that has happened for a while. We’ve seen it a few times over the years, and I remember one from about five years ago that was pretty substantial for a large seller whose eBay account had been hacked. We’ve added processing that automatically validates the PayPal address of the recipient for a transaction against the PayPal address configured for the listing, and when the values differ an alert is raised for each order so it can be identified and resolved quickly. It’s shown up a few times since then, and while it’s more difficult to recognise a mismatch when using business policies (since those are all managed on eBay), we still try to keep an eye on this and quickly alert a seller when something doesn’t appear to match the expected values.
With eBay’s managed payments there will be less opportunity here, but if a hacker gains access to the eBay account they could change the bank account destination for the payment disbursements. That’s a risk on all marketplaces, but the positive change is that it would become obvious quickly, since it’s all-or-nothing instead of being able to adjust a few individual listings to differ from the others and try to get lost in the noise.
I lost £32K over a period of 9 months to a hacker who changed where the payments were sent on about 10% of my listings. I only noticed when they took control of all the payments on my accounts for a few days.
The fact that new payment policies can be added or amended and eBay don’t even send you a message, or God forbid a text, telling you that a payment policy has been added or amended is a joke.
It is worth noting that eBay’s business policies no longer work if a new user wants to add them.
We had the exact same problem: we lost £8000 between the end of January and the end of May. Both eBay and PayPal want nothing to do with it.
At the end of the day eBay have allowed someone to access the accounts from wherever they are in the world and allowed them to make critical changes to the accounts. It is worth noting that on eBay you can set up alerts for the biggest load of nonsense that you will never want to know about, but not for the one most important thing, the reason you are selling on eBay. There is no way to be notified that your payment email address has been changed.
There is also no way on eBay to monitor the email addresses on your listings, which is an issue if you have hundreds or thousands of them.
Instead of stepping up and making changes to protect sellers, we found the main objective was to point the finger and try to put the blame firmly on the user.
The only way we can think of to protect ourselves is to regularly change the password and to do regular bulk edits to ensure the email addresses are all correct.
Since there is no way to monitor addresses, a simple password change will not protect you: if an email address, or loads of them, has been changed since your last password change, it will stay the same no matter how many times you change your password. The hacker may be locked out, but they will still be getting funds diverted to them.
It is not an eBay problem or PayPal. You are the problem.