Daily Mail This is Money investigate £54,000 eBay fraud
The Daily Mail’s This is Money have investigated the £54,000 eBay fraud of which Richard Crisp of Home Care Essentials became the victim, and they too have hit an impenetrable brick wall: both eBay and PayPal pass the buck to each other when asked who is to blame.
You can read the original story here, but put simply, scammers somehow accessed his account, registered new domains very similar to his own and changed his payments email address to one differing by just a single letter, diverting funds over a prolonged period of time. On day 1 of the scam just £11.30 was diverted, but relatively small sums added up over a long time frame come to tens of thousands of pounds syphoned off by the criminals.
Richard’s £54,000 eBay fraud is not a one-off: another recent case we heard of saw a seller lose £15,000 before catching the fraud. Other cases range from a few hundred to thousands of pounds, and the most worrying aspect is that we have no idea how widespread the fraud is or how many other sellers are still losing small amounts of money on a daily basis. The daily sums are small, but the losses run into tens of thousands.
What are eBay saying about the £54,000 eBay fraud?
eBay haven’t been able to tell Richard how (or even if) his account was compromised. If we knew this we could give some advice on how to protect your account. A login from an unfamiliar IP address ought to be caught by eBay, but what if the changes are being made via a third-party tool? If the eBay account itself was hacked then surely eBay should be held responsible for the critical settings that were changed? But eBay say that as they never received the funds they aren’t liable, and recovery rests with PayPal.
What are PayPal saying about the £54,000 eBay fraud?
PayPal continue to say that Richard’s own PayPal account was never compromised, and ask how they were to know that the fraudulent accounts receiving the funds weren’t legitimate. PayPal too have questions to answer, such as how these fake accounts were set up in the first place and how they passed anti-money-laundering checks. It shouldn’t be easy to set up PayPal accounts with fake details and use them to skim money from legitimate sellers.
PayPal, however, say that as the changes were made on eBay it’s down to eBay to put things right.
What are the Police saying about the £54,000 eBay fraud?
The local Police are, unsurprisingly, unable to assist and sent Richard off to report the crime to Action Fraud. It’s hard not to have sympathy with the local bobby, as this is a sophisticated crime almost certainly perpetrated by fraudsters outside the UK. Action Fraud, however, is a report-it, get-a-crime-number, cross-your-fingers-and-forget type of service.
What’s most galling is that this is treated as a victimless crime. It’s not. Richard has personally lost tens of thousands and is most certainly worthy of the Police doing their best to chase the scammers down.
What will stop this happening to you?
This is a scam that we have traced back at least as far as 2017. eBay and PayPal should both be aware of a case that came to light in early 2018. Both companies have had over a year to warn their users of the scam and to put steps in place to prevent it ever happening again.
It’s pretty clear that if someone is skimming funds from your eBay sales there are unlikely to be any warnings forthcoming. You are also unlikely to easily spot a different email address, as it could be masked: the favourite trick is to swap an “l” for an “I”, that is, a lower-case L for an upper-case i.
Bulk changing your payments email address on eBay is a solution that can help keep you safe... although we have no solution for stopping the hackers coming back in and changing the address again if they have access to your eBay account, or to a third-party tool that can change the email addresses back.
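As an added example (not code from the article, nor from eBay, PayPal or any tool named on this page), the following Python check compares the payout email on each order against a seller-maintained allow-list and flags addresses that differ only by look-alike characters, such as the “l”/“I” swap described above. The addresses, orders and sums are constructed.

```python
"""Defender-side check: does the payout email on each eBay order match the
seller's own allow-list, and if not, is it a look-alike of a genuine address?
All addresses, order ids and amounts below are constructed sample data."""
from dataclasses import dataclass

# Characters that render almost identically in many fonts. Each group is folded
# to its first member before comparison. Assumption: this short table is enough
# to catch the single-letter swaps the article mentions; extend it as needed.
_CONFUSABLE_GROUPS = ["lI1|", "O0", "S5", "Z2", "B8"]
_FOLD = {c: grp[0] for grp in _CONFUSABLE_GROUPS for c in grp}


def fold(addr: str) -> str:
    """Normalise an address so look-alike spellings compare equal: trim, map
    confusable characters to one canonical form, then lower-case.
    'payments@shop-exampIe.co.uk' (capital I) folds to the same string as
    'payments@shop-example.co.uk' (lower-case L)."""
    folded = "".join(_FOLD.get(ch, ch) for ch in addr.strip()).lower()
    # Two-character look-alikes: "rn" renders like "m", "vv" like "w".
    return folded.replace("rn", "m").replace("vv", "w")


def classify(configured: str, allowed) -> str:
    """Classify one payout address against the allow-list:
    'ok'        exact (case-insensitive) match,
    'lookalike' differs from an allowed address only by confusable characters,
    'unknown'   not related to any allowed address at all."""
    if configured.strip().lower() in {a.strip().lower() for a in allowed}:
        return "ok"
    if fold(configured) in {fold(a) for a in allowed}:
        return "lookalike"
    return "unknown"


@dataclass
class Order:
    order_id: str
    day: int
    amount_pence: int   # integer pence avoids floating-point rounding
    payout_email: str   # the PayPal address the order was paid to


def audit(orders, allowed):
    """Sweep a batch of orders and return (flagged, diverted_pence): flagged is
    a list of (order, verdict) for every order whose payout address is not on
    the allow-list; diverted_pence totals their value, showing how small daily
    sums accumulate into a large loss."""
    verdicts = [(o, classify(o.payout_email, allowed)) for o in orders]
    flagged = [(o, v) for o, v in verdicts if v != "ok"]
    return flagged, sum(o.amount_pence for o, _ in flagged)


# Constructed sample data: one genuine address, two look-alikes, one stranger.
ALLOWED = {"payments@shop-example.co.uk"}
SAMPLE_ORDERS = [
    Order("O-1001", 1, 1130, "payments@shop-example.co.uk"),  # genuine
    Order("O-1002", 1, 1130, "payments@shop-exampIe.co.uk"),  # capital I
    Order("O-1003", 2, 2499, "payments@shop-exampIe.co.uk"),  # capital I
    Order("O-1004", 3, 950, "sales@other-example.com"),       # unrelated
]

if __name__ == "__main__":
    flagged, total = audit(SAMPLE_ORDERS, ALLOWED)
    for order, verdict in flagged:
        print(f"day {order.day} {order.order_id}: {verdict:9} {order.payout_email}")
    print(f"diverted: £{total / 100:.2f} across {len(flagged)} orders")
```

The allow-list must be kept outside eBay (in the order-management system or a local file), because an attacker who can edit the payment policy could otherwise edit the list as well.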
Action Fraud is a placebo that does little if anything; it just deludes folk into thinking there is help available.
Nick 54 grand from the government and it’s lots of porridge.
If it’s an eBay seller, it’s almost their own fault for selling online.
Surely PayPal would require identity documents for an account receiving £54K, or would those be faked as well?
The only way to stop this is via eBay 2-Step Security, for which the scammers would not have access to the mobile to approve the login.
Check out this QA test engineer with Slack (the collaboration/communication software company) alerting eBay that it’s sending out identical static 2FA codes… 🤦‍♂️
Would 2-factor authentication help on an eBay account, so a scammer could not log in?
This would not stop it if they hacked your 3rd-party listing tool though, as that is the API connection, I assume.
I do hope that justice is served and Mr Crisp gets reimbursed. Would the server logs show IP addresses from when the PP email address was revised?
If I have read and understood correctly, I think it is eBay’s responsibility, and as a matter of urgency they should be implementing new security measures so that, at the very least, when a payment email or an account email is changed the account holder is notified.
Good luck getting it sorted.
It would stop them via eBay, not on a 3rd Party Tool.
You can have your IP address set anywhere in the world via VPN.
eBay need to remove the revision of payment email from the API & only allow it on the site &, as you rightly mentioned, email the account holder that this change has been made.
“Would the server logs show IP addresses from when the PP email address was revised?”
The server logs would either show an IP address, or at least eBay should know if the changes were via a web connection or a third party tool. They won’t tell Richard though, the Police have to ask that type of question and the Police (Action Fraud) aren’t likely to do much without the criminal’s name and address handed to them on a silver platter!
If your account has been altered there is a good chance that it was down to your own security failings and may be down to your own system being hacked and passwords retrieved.
If it is due to that, whilst in the main it is your responsibility, eBay should have notifications to let you know of changes.
We should all set up 2 step verification using either the eBay app or text message
If a third-party tool has been used then someone needed access to the account to grant the 3rd-party tool that access.
To check 3rd party authorisations:
Home > My eBay > My Account > Site preferences > Third-party authorisations
You should check and revoke any that you are unsure of.
How long eBay keep server logs will determine whether they still have data for the day it happened, if that was longer than 12 months ago.
Both PayPal & eBay will not give out information, due to the data protection regulations. Only the police or a court can grant access; if the police do not do anything then a private court may, so seek legal advice.
It is common for fraudsters to enlist gullible / greedy people to open accounts legitimately and take a commission for the money that goes through their account. In which case PayPal would not be held responsible.
If you’re using eBay business policies, surely a new payment policy would be created when a different payment address is used. You should be able to spot the affected listings.
Unless any warning emails are sent with flashing lights and sirens, we would probably not notice them among the trillions of regular emails.
And your suggestion is…?
Freeze accounts until any change that diverts or changes payment bank accounts is confirmed and acknowledged by the account holder.
eBay need to set up staff accounts where access to settings is disallowed.
eBay is not suitable for business for this reason and eBay are to blame.
@Jane, eBay is suitable for business; it depends on how the business uses it. If people do not need to adjust the settings, why do they need to log into eBay at all?
Using either a 3rd-party tool or your own custom software using the eBay API would enable your employees to do nearly everything they need to process orders and respond to messages.
“eBay need to remove the revision of payment email from the API & only allow it on the site &, as you rightly mentioned, email the account holder that this change has been made.”
Sounds like a very good idea!
@Jim Freezing the account could work but it would be by an email notification, which could be missed as per your previous comment.
How would it be confirmed? By email that you may miss? If the scammers have had access to your account it is possible for them to read the email messages, be it by logging in or a third party api.
@crackerjackcommerce Why do they need to remove it? Surely the question should be why is it there at all? Why do you need to have money sent to different accounts?
eBay should not allow it, but it dates back to a time when they were strictly an auction site, another thing they need to move forward with.
What some people seem to be forgetting is that to access anything on your account they need to be able to log in. Even a third-party API can only be set up with login credentials.
eBay remind us to set up extra security every time we log in, we are the ones that are ultimately responsible for our accounts.
Couldn’t they just set up something like the banks have? You get sent a personal PIN via the post, then you need that to authorise any change of payment details. Add to that, when details are changed you should be sent a text message etc. that you have to confirm within a set period of time.
Nothing is perfect, but on eBay it is all just too easy.
@Toby.L A PIN via the post? Let me get my abacus to count the days.
It is not easy with eBay at all, before the scammer can do anything they have to have access to your account using your login details and password.
The question is how did they get those details? My PayPal email is different to my eBay login password, so not sure anybody would get to see that.
If you have set up 2-step verification using the eBay app or via text message, how did they manage to pass that?
If you do not add sufficient security to your account you make it easy, not eBay.
I suppose we could blame eBay for not making it compulsory for you to secure your account to protect yourself!
It is also possible that a trusted person was able to alter the account, not the first time a company has had employees skim money from accounts.
My business was also hit by this scam in October 17 and we lost over 11k. We traced it back to a message sent through our eBay account with a link to one of our products asking for bulk pricing. The link took us to the login page on eBay (so we thought), which was actually a page set up to gain our password. After a long and frustrating time being bounced from eBay to PayPal and back again we finally managed to get the eBay final value fees returned to us, which was small consolation. If eBay had ‘two-factor’ authentication available, which we use on our Amazon account, then this simply would not have happened.
@Andrew They do:
Home > My eBay > My Account > Personal information > 2-step verification
@Tyler – thanks for that! Just tried the 2-step, but you can’t set a trusted device as you can with Amazon, PayPal and most other 2-step verification processes.
So if I’m out of the office and someone needs to log in (eBay seems to randomly ask all the time), they’d need to call me and ask for the text verification code. You can’t have more than one mobile number either...
Why oh why can’t eBay do anything properly? So frustrating...!!!!
Thanks Tyler. They did not have this available back in 2017 though.
We have had similar emails via eBay messages, though we never ever personally click on links in messages.
Staff members might.
Surely eBay should block these links.
@Jim Are you sure you had them through eBay? Could you read them in your eBay messaging centre?
If so they should be reported.
I have had the same emails, but they have never come through the eBay system, they are just made to look like they do, much the same as I get emails from banks that I have never held an account at.
Servers can be set up to block emails that are not listed as being a verified sender for that domain, unfortunately most are not (including my own).
I once had an employee download a virus onto my network, very annoying, took me a weekend to clean it out. That was 15 years ago when security was not as tight or important.
Nowadays it can have serious financial consequences and they are getting far more clever, I have seen emails that looked really genuine and even though I knew it was fake it took me a while to spot how they did it.
Yep, we’re certain.
eBay were onto it in a flash:
My name is Mica, I’m one of the specialists of the eBay Trust & Safety department. We have received an email from you with the subject line ‘Report a message’ and you’re concerned with this member ======
Here at eBay, our aim is to make sure you get help when you need it, and we would like to address every concern right away. I took the initiative to review the email this member has sent you: he said he likes your store and he’ll be promoting your products. Also, this person has provided you with a link (http://=====) where you can see the photos.
I have tried to visit the mentioned link and it asks for your account’s credentials in order for you to sign in on the page or link. In this case, please do not attempt to log on via that link. Also, I recommend that you treat the email with caution. Don’t respond or click on any links, buttons or pictures in the email.
To give you an overview, spoof emails claim to be from a trustworthy source like eBay and ask you to provide personal account information such as passwords and payment details. They often ask you to click on a link in the email and sign in to a fake website. Never sign into eBay via a link in an email. The safest way to access your eBay account is to type “www.ebay.co.uk” into the address bar of your internet browser and then click “Sign in” or “My eBay”.
Always check My eBay. You can check all buying and selling activity, view your seller account balance, and update your contact details from here. In addition, most emails sent from eBay, on behalf of eBay, or via the eBay system will be available in My Messages.
For more tips on spoof emails, identifying an eBay email, account security and safe trading on eBay, you may visit the Safety Center link at the bottom of the eBay homepage and the link I’ve provided below:
On the other hand, you have nothing to worry about because I have already taken action against this account and this will have an impact on their account. As you know, eBay doesn’t allow the misuse of our messaging system. I want you to know that we don’t take situations like these lightly.
@jim Unfortunately no system is 100% safe, and the harder a company like eBay tries to detect and remove spam emails from their system, the harder the scammers will try to get round them.
If they used the eBay system then the link in the email would have shown up as part of the sender’s message rather than from eBay itself, which is why most scammers prefer sending the message direct with disguised eBay links.
@DaveP Even trusted devices will kick you out randomly; this can happen depending on how long cookie settings are valid etc.
Unfortunately no system works for everybody. For most situations involving staff, a third-party / custom application using the API will give them as much access as they need, or you nominate a trusted employee to handle such matters via an office smartphone registered with eBay.
@Andrew I am sure you are right; these things are often introduced after a problem has come to light.
I was incorrect earlier regarding my login email address not being known, it is shown in the business details of all listings, so the whole world can see it.
We now check every transaction to verify the payment. Linnworks also filter orders that have not been paid for. Although we bear some responsibility for sharing our password (be it unwittingly), it is easily done when there are multiple users in the office and 50-100 messages to respond to each day. A team member had an off day and we paid a high price for it.
The two-step verification that eBay have introduced is not user friendly. In an office full of people that require access we need a mobile phone that we all have access to. What happens when the person with the phone is out of the office? Barmy!
@Andrew How does Linnworks verify if an order has been paid for? It does not look as though it integrates with PayPal, and surely all orders have been paid for on the eBay system, just to the wrong account.
If you use an accounts package like QuickBooks, you can integrate eBay and PayPal, which would then match the orders to the payments (both at an extra cost).
Using a 3rd party, or your own custom software, messaging can be handled via the API, so no real need for employees to be logging in.
I thought Linnworks had a xSellco Reply Manager integration?
A mobile phone can be left in the office for the office manager / trusted user to operate.
eBay only provide a platform, we all have different uses and integrations that we use, it would be great if eBay could build a one-stop system that would work for all of us but we could never trust it to work / function correctly.
@Tyler Linnworks can check an eBay order to ensure that the payment has been sent to the correct PayPal account. If this account email has been changed then Linnworks highlight this as an unpaid order.
@Andrew, it is good that they do; they charge enough for their service.
Not sure how that would work, as the payment email on the order would be the correct one according to the eBay system and the listing settings.
My system does not pull in my PayPal email address for orders, only the buyers’, but the eBay API has lots of fields like:
Which can be used for verification against your allowed email address list on Linnworks, this should work independent of eBay or it risks being compromised by somebody updating your eBay Business Payment Policies and the system importing that as an allowed email.
Nothing is 100% foolproof and if a system is compromised by a trusted employee it gets even harder to detect.
Hi Andrew, if you are using Linnworks have a look at: https://help.linnworks.com/support/solutions/articles/7000016844
You need to enable this feature by providing the valid Paypal address for your account, otherwise there’s nothing to check against. We have set this feature up and we have tested it and it has worked for us (although in a previous thread on the earlier article Victoria had said that it did not protect them). The order with the changed PayPal address comes into Linnworks as locked with the message that the PayPal address did not match.
Obviously we knew nothing about this feature, whose launch pre-dated our fraud by 8 months. I have actually spoken to Linnworks about this feature today and they confirmed that it was developed to stop eBay sellers being hit by a fraud where the seller’s PayPal has been ‘tampered with’. So how come, if Linnworks knew about this exact type of fraud in August 2017 and had developed something to try and stop it, eBay was sat on its hands doing absolutely nothing about it?
It would be easy to say that Linnworks should have been more pro-active at alerting sellers to this feature but at least they were doing something and surely it should have been up to eBay to bring this type of fraud to the attention of sellers as soon as they were aware of it.
@Richard Really sorry to hear you got scammed, that is a lot of money to lose, and a shame that once the scam was discovered neither eBay or Linnworks made it public.
eBay should have done something, even if it was enforcing everybody to use 2-step verification. Unfortunately that can be a pain and eBay want the site to be as user friendly as possible.
Linnworks should really have forced all sellers to update their email addresses as soon as they had implemented the security feature, it would not have been hard to do and would only have taken users a minute to safeguard themselves.
From the article it looks like Linnworks have got it right and the system is not relying on data from eBay business policies that could have been compromised.
Did you ever get to the bottom of how it came about?
Thanks for the info, we do use this function on Linnworks. It would have been nice to have been told when it was launched, as it would have prevented the fraud on our account. eBay have been aware of this problem for at least two years and have done little to protect their customers. I hope your predicament helps open other sellers’ eyes to the risks involved. We were surprised that this type of fraud was even possible but received little sympathy from eBay when it was pointed out to us.
Thank you Tyler
At the moment we don’t know how it happened. In my initial conversation with eBay they told me categorically that my account had NOT been compromised and it was probably just a typo in the PayPal address (obviously it wasn’t).
About a week later I was on the phone to eBay Trust and Safety in the US, who told me that they did not class my fraud as an ATO (Account Take Over), which struck me as very odd. They refused to give any information about how the account was hacked, i.e. whether it was through the front end (password) or the back end. They told me that they would only give that information to ‘law enforcement’.
These 2 things make me suspicious that it was not someone gaining access to our password.
I have asked eBay to provide me with my account logs going back to Feb 2018 to see when my account was logged into and from what IP address. I have had to provide a couple of proofs of ID, but it looks like they are going to provide the information. This should show if the password was compromised or not.
Today, to demonstrate the fraud to a good friend, I put his PayPal address in one of our listings. 15 minutes later we had a sale and, bingo, he got the money and I got the paid order ready to dispatch in my eBay order screen.
Now bear in mind I had over 11,000 transactions stolen and it has been written about by a national news organisation. Do you think that eBay Seller Protection, who are ‘working around the clock to protect sellers’, might have alerted me to a PayPal address change on a listing of ours?
Nah of course they didn’t.
@Richard. It is ridiculous that they will not assist you with your account, as well as being suspicious.
Unfortunately eBay Seller Protection team would not be able to let you know the email address had changed, it would need to be a script written into the platform, a 10 year old could write it for them in ten minutes. And it should have been done as soon as they became aware of the first scam.
I just logged into my eBay account, created a new payment policy and changed a listing to that. No questions, no notifications, unbelievable that you can still do it.
I am not sure I can think of any other website where I can do that and not at least get an email notification with a confirmation link. Even on this site I think I would get a notification, let alone one that deals with financial transactions. In fact I would be surprised if there is not a law regarding the protection of such accounts, or at the least they should be held negligent, as they already knew about the scam and did nothing to protect their customers.
Good luck and hope you get something sorted.
“[eBay] refused to give any information about how the account was hacked… They told me that they would only give that information to ‘law enforcement’.”
It is unconscionable that eBay is refusing to provide any helpful information to you (I can almost envision the flurry of emails between Trust & Safety and corporate counsel).
When you next engage eBay, I suggest you press them to provide (in their words) their specific rationale for refusing to provide you with info pertaining to how your account was hacked (do they stand on information privacy laws, and if so which one/s, or is it ‘company policy’?).
Is it possible for you to perhaps pursue having ‘just’ local police to submit an inquiry to eBay in order to satisfy this demand?
Also, have you gone through your email records in the months preceding the incident in an attempt to locate any phishing emails that may have resulted in your credentials being compromised?
I agree with Chris’ surmise that these incidents are ‘the tip of the iceberg’.
Given the sophisticated nature of this attack it’s likely the bad guys went as far and wide as they could and many of the successful attacks may never have been noticed.
I use staff accounts on Shopify, which works well, and have to trust staff on eBay.
I don’t agree that I should have to use a third-party system, because eBay should be adequate for purpose.
Why go around the houses worrying about 2-step verification when it could be solved with limited staff access?
@Jane eBay is adequate for purpose, just different people use it in different ways.
I use QuickBooks for accounting. I can connect to my bank account for free but have to pay for 3rd-party software to connect to eBay, Amazon, PayPal etc.
Like you say, why should I? Why can I not have it all for free?
The whole point of 2-step verification is that you do not have to worry; it protects your account. Do you not have it on your online banking?
Every time I do anything on my online banking I have to verify it is me making changes or setting up a payment.