Hacked eBay account? Don’t expect eBay or PayPal to put things right
A week ago we published the appalling story of an eBay seller who had his account hacked and the email address changed on his best-selling listings. Because of his high turnover and the low value of each individual order, tens of thousands were siphoned from payments to the hacked eBay account before he noticed.
Today we can reveal that the seller is Richard from Home Care Essentials, and what was originally thought to be a £20k theft has turned out to be fraud in the region of £54k. eBay have refunded the fees on the fraudulent transactions and supplied a spreadsheet detailing the thousands of transactions this represents. Richard, however, is still missing tens of thousands of pounds, not to mention the VAT that’s been paid, the cost of goods, staff and warehouse, packaging materials and postage. This fraud has put his whole business in jeopardy.
If you think it should be easy to spot that your payment email address has been changed, here’s an example. Can you spot the difference between these two email addresses?
If you’ve given up, the answer is at the bottom of this post.
eBay and PayPal say it’s each other’s responsibility
eBay and PayPal are both shrugging off responsibility and have left Richard hanging out to dry. PayPal say that the PayPal account wasn’t hacked, so it’s not their problem, and eBay say that as they never held the funds they can’t attempt to recover them, so it’s not their problem either.
“We would need to advise that you would need to deal with PayPal to seek reimbursement for any loss of funds as we would not be in position to do so as eBay at no point have funds from sales.”
– Email to Richard from eBay
“Were you sent notification of the changes to the account? i.e. notifying you of a listing being changed to a different PayPal account? This is an eBay obligation to ensure that notifications and accounts are being monitored for any suspicious behaviour. As potentially in this case this has not happened and I must stress the matter is firmly an eBay issue and responsibility to resolve.”
– Email to Richard from PayPal
So eBay have refunded fees but don’t want to get involved with the missing £54k, and PayPal will only respond to the police and certainly don’t admit any responsibility. If this happens to you, don’t expect either eBay or PayPal to put things right.
Thankfully this will be an impossible fraud to perpetrate once eBay Payments takes over from PayPal. With single sign-on and payments integrated into your eBay account, so long as your bank details on eBay aren’t changed it won’t be possible to have multiple payment accounts: one eBay account will have one eBay Payments account.
Changing the PayPal address on eBay is a known fraud
It now appears that this issue is well known to eBay and PayPal, and that the fraud has been carried out many times going back at least 18 months. Previously, a hacked account was used to list a few non-existent high-value products; that was easy to spot and for eBay to shut down. Siphoning off a small amount of money on a regular basis, month after month, is much harder to spot. Ask yourself honestly: would you notice the money going missing from one out of every 100 orders if you were shipping several hundred a day?
With so many variables in eBay and PayPal fees (different eBay fees per category, and different PayPal fees depending on whether a transaction is domestic or cross-border), a few quid here and there goes unnoticed. Yet we have identified just half a dozen instances of this type of fraud which add up to well over £100k of missing money.
For fraudsters it’s a complex but lucrative scam: they need to buy a domain name, set up an email address, pass PayPal’s initial fraud scans and then provide additional information to pass the money-laundering checks. After that they just sit back and watch the money roll in, probably sweeping the PayPal accounts each night into anonymous bank accounts and then transferring it onwards until the funds are untraceable. The rewards are immense, however: compromising just 10 high-turnover eBay accounts could quite conceivably net £1 million per year (based on the cases we’ve seen).
Have you checked your PayPal email address yet?
The stakes are high and the only way to be sure you’re not being scammed is to regularly check the PayPal email address registered on your eBay listings. At least two multichannel management platforms (Linnworks and ChannelAdvisor) apparently double-check PayPal email addresses on your behalf and should alert you to an issue.
There is a question mark over how secure your account is even after you change your password. It’s worth checking the active permissions on your account, because if any of your accounts with third-party tools are compromised, those could also be used to edit your listings. If a permission is no longer required, remove it. If you do need the permission, make sure that access to the tool is limited to the people who absolutely need it.
Run a check on your eBay listings, and bear in mind that it could be just a single letter of your legitimate PayPal email address that has been changed, making it very hard to spot. Back to the two email addresses we asked you to compare:
They look the same, don’t they? But they’re not: the first has an ‘l’ and the second has an ‘I’. Still can’t spot it? The first is a lower-case ‘L’ and the second an upper-case ‘i’, so checking visually isn’t going to ensure you catch a fraudulent email address.
Kudos to Tamebay for exposing this.
Really, really tough on the seller.
Where is the big media, TV news etc.?
This should be headline news; no point in keeping a lid on this.
We had the exact same fraud changing the same letter in the PayPal email, but thankfully, using third-party software, the orders didn’t show as paid so we didn’t ship anything.
eBay did help in Concierge and the fraud department to make sure our account and IT security was all checked etc. PayPal though didn’t really want to know, but as we hadn’t lost anything it didn’t impact us that way.
If this type of fraud has been going on for 18 months, that is way too long.
eBay has all the data to hand. A simple report, which could be added to the Seller Hub and be easy to find, would show what percentage of sales were paid by what method and to where.
If everything is fine and you don’t take alternate forms of payment, then you’d expect that to say 100% of sales revenue went to your primary PayPal email address. If it says 95% to your primary and 5% to your secondary, but you don’t have a secondary, then you’d know you have a problem and could do something about it, rather than have your business slowly bleed out.
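As an added example (not code from the original post, Tamebay or any of the commenters), the Python script below applies the check the post recommends and the report the comment above asks for: every order’s payee address is compared exactly, character by character, against a constructed allowlist, so an ‘l’/‘I’ swap is caught without relying on eyesight, and the share of revenue going to each address is computed so a “5% to an address you don’t own” situation stands out. The seller address, the look-alike address and the orders are all constructed; it also flags non-ASCII look-alike characters, which goes slightly beyond the post.

```python
from collections import defaultdict

# Constructed allowlist: the PayPal address(es) this seller legitimately uses.
KNOWN_PAYPAL = {"payments@homecare-example.co.uk"}

# Single-character pairs that many screen fonts render almost identically.
LOOKALIKES = {frozenset(p) for p in [("l", "I"), ("l", "1"), ("I", "1"), ("O", "0")]}

def _distance(a, b):
    """Number of differing positions plus any length difference."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))

def describe_diff(candidate, known):
    """Say where candidate first differs from known, flagging look-alike glyphs."""
    msg = f"length differs: {len(known)} vs {len(candidate)}"
    for i, (c, k) in enumerate(zip(candidate, known)):
        if c != k:
            note = " (look-alike glyphs)" if frozenset((c, k)) in LOOKALIKES else ""
            msg = f"pos {i}: {k!r} -> {c!r}{note}"
            break
    if not candidate.isascii():  # a legitimate address here is plain ASCII
        msg += "; contains non-ASCII characters"
    return msg

def audit_orders(orders, known=KNOWN_PAYPAL):
    """orders: iterable of (listing_id, payee_email, amount_gbp). Comparison is
    exact and case-sensitive, since a visual check cannot tell 'l' from 'I'.
    Returns revenue share per payee and details of any payee not on the allowlist."""
    revenue = defaultdict(float)
    suspicious = {}
    for listing_id, payee, amount in orders:
        revenue[payee] += amount
        if payee in known:
            continue
        closest = min(known, key=lambda k: _distance(payee, k))
        entry = suspicious.setdefault(payee, {"listings": set(), "diff": describe_diff(payee, closest)})
        entry["listings"].add(listing_id)
    total = sum(revenue.values())
    shares = {p: round(100 * v / total, 2) for p, v in revenue.items()} if total else {}
    return {"shares": shares, "suspicious": suspicious}

# Constructed sample: three orders paid to the real address and one paid to a
# look-alike in which the lowercase 'l' of "example" has become a capital 'I'.
SAMPLE_ORDERS = [
    ("item-1001", "payments@homecare-example.co.uk", 12.99),
    ("item-1002", "payments@homecare-example.co.uk", 8.50),
    ("item-1003", "payments@homecare-example.co.uk", 15.00),
    ("item-2001", "payments@homecare-exampIe.co.uk", 9.99),
]
```

Calling `audit_orders(SAMPLE_ORDERS)` reports the look-alike address with the listing that uses it and the exact position of the swapped character, alongside the revenue share each address received.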
Here’s a report of a case from October 2017, discovered in early 2018. This apparently is not a new type of fraud.
We wonder how this would be treated by eBay if this were a buyer being defrauded.
eBay and PayPal are in league with one another.
I recently had 7000 Nectar points “stolen” by fraudulent means. eBay/PayPal initially showed interest but then completely forgot about my complaint. Two complaints to Nectar and they refunded the points. Now my reasoning is very simple: if there wasn’t a problem with other people having these points stolen, then I doubt whether Nectar would have refunded. I think it’s a problem that Nectar/eBay/PayPal just don’t want to own up to.
Fraud on eBay, having been a buyer/seller for 10 years, is rampant. They quite simply don’t have the staff to solve the many, many problems they have. Computers run the majority of PayPal/eBay because of the scale of how these online companies work. Why have staff when computers can do the work? People out there should be concerned: robots are next to take loads and loads of jobs.
So would the scammers have to get access to your eBay account, log in, revise an item to change the PP payment email and then just sit back and wait for the sales to keep coming in?
Perhaps eBay should give a daily digest of revision status, i.e. “today you made 250 revisions to the payment email”; this would give a warning.
Being vigilant with the eBay account password is key here, I think, for this case.
Is there a reason why we are able to have different PayPal addresses for each listing?
Good point, perhaps it is an historical setting which has never fully evolved.
Selling an item for a friend/family member and the payment needs to go to their PP account but they don’t have an ebay account?
This happened to us a few months back, luckily it was only a few orders which got through. The only reason we spotted it was we sold a low value item and the customer paid extra for express delivery, we don’t get many express delivery requests so when we spot them and the customer doesn’t have a lot of feedback, we like to check them out.
We use third-party software (Linnworks) and they didn’t flag this up, so please don’t rely on them doing this for you.
This happened at a quiet time for us but if this had happened in peak it is quite possible that we wouldn’t have spotted it.
Hi Victoria, bear in mind that if you’re using Linnworks you need to enable this feature by providing the valid PayPal address(es) for your account, otherwise there’s nothing to check against.
More information is available here: https://help.linnworks.com/support/solutions/articles/7000016844
Hi Josh, thanks for your reply, but we did have this enabled at the time.
So what I am getting from this, and mainly from PP’s comments, is that eBay should be letting us know when a change is made to our email address, PayPal etc. However, what has become evident is that they aren’t doing so.
So basically eBay are assisting in fraud.
I can’t change anything on my online banking without it sending me an email or text to alert me. Change one letter on a payment reference and send money… ping! That will be a text to my phone.
Why isn’t eBay doing this? Oh hang on… eBay pockets the fees regardless… That will be the answer. It is one thing that runs through almost every example of the rampant fraud that is on eBay… eBay nearly always end up pocketing some cash from it.
Re-read the article, because eBay don’t pocket the fees regardless:
“eBay have refunded fees but don’t want to get involved with the missing £54k”
As you can see, eBay have lost out to the fraud in the article too. Had they a system in place to alert sellers of such changes, all these frauds could easily be prevented. The sales would still have happened, but without funds being diverted away. The sellers would get their rightful profits. eBay would get the fees. The fraudsters would get zilch.
Who knows what really prevents eBay taking action, but if all sellers who are victims are kicking up a fuss and getting fees back, then this inaction is costing them. It would be so easy to fix. So easy, it could be done by the end of the day.
“At least two multichannel management platforms (Linnworks and ChannelAdvisor) do apparently double check PayPal email addresses on your behalf and should alert you to an issue.”
Have not seen this feature on ChannelAdvisor, certainly wasn’t available 15 months ago.
This happened to us and I have been chatting on the phone with Richard. We were fortunate in that we only had £612.73 stolen before one of our eagle-eyed staff spotted an additional business policy had been set up with an almost identical PayPal account.
The domain name was registered via a company who have a “WhoIs” block so that you cannot find the perpetrators. Richard did cleverly suggest we sent the fraudulent PayPal account 1p so that we would get a name back, which we did, and we think we have located them and the police are investigating.
We got the same response from eBay and PayPal initially, both blaming each other. I personally blame eBay for not adding alerts or emails as standard for every time a PayPal address is changed on a listing. As it happens, PayPal have kindly refunded all of our losses. I guess with it being a relatively small amount and us being with them for over 10 years they were able to make this kind gesture.
But eBay, sort your act out! It’s a disgrace to sit back doing nothing for over 18 months. Just get some alerts in place and this scam will be stopped in its tracks!
As an aside, it’s interesting that no one has mentioned the weakness exposed in the font used for those email addresses: I (capital i) looking exactly the same as l (lowercase letter L). Lots of fonts actually do this. Yup, it’s completely different to a machine, but to us mere mortals reading from a screen or hard copy it’s presumably going to lead to further scamming opportunity.
Can we drill into the Paul Donnelly feedback? Does he take no responsibility for having his account hacked? Was his password too weak? Did his eagle-eyed employee perhaps have knowledge of the password?