Advice to avoid being scammed on eBay with changed PayPal address
It is becoming clear that eBay are contacting sellers who are victims of the changed PayPal address on their listings resulting in funds being diverted to scammers. We have now identified some three dozen sellers who between them have lost over £600,000. These are really significant sums for the sellers who have been scammed on eBay and we have no idea how many more may have been impacted. Some may not have come forward whilst others may not even have discovered the losses yet.
We believe that eBay could be assisting sellers more. Whilst they are contacting sellers, they are generally forcing a password change and delinking PayPal accounts. Delinking the genuine PayPal account does nothing other than mean eBay bills can’t be automatically paid until the account is relinked. What eBay haven’t been spelling out in initial contacts is that the problem is with PayPal addresses in individual listings. However, they appear to be forcing sellers to telephone after the password reset and in some instances have been trying to reach sellers by telephone. eBay also appear to continue to refund fees for transactions where the funds were stolen.
The good news is that, with eBay actively contacting sellers, we should soon stop hearing of new cases. Whilst this is a crippling impact for sellers who have been scammed on eBay, when you consider that there are 200,000 businesses trading on eBay the number of sellers impacted is relatively low.
The bad news is that eBay are still telling sellers to contact PayPal to recover funds. PayPal shrug and point out that the fraud took place on eBay. Both suggest contacting the police, who direct sellers to Action Fraud, who some say is misnamed as they haven’t taken any action whatsoever on cases reported to them.
How to protect your account from being scammed on eBay
Today we wanted to share the steps we believe will best protect your eBay account.
eBay 2-Step Verification
eBay have been clear in the short comments they have made that they are recommending the use of 2-step verification. 2-step verification involves sending a one time code to your mobile as a text message or a notification in the eBay app every time you log into eBay.
The issue with 2-step verification is that only the owner of the mobile gets the one time codes, and in many businesses multiple people need access to the eBay account. There is a fudge where, once the notification has been sent, you can ignore it and request a follow-up via email, which is accessible to anyone with access to the email address registered on the eBay account. If you give employees access to this email address then as many people as you like can access the account through 2-step verification, although that does raise the question of how effective it is in the first place, and it means you need to ensure your email account is never compromised.
We’ve set out eBay 2-Step Verification set up instructions here.
Advice from eBay customer support to some sellers has been to bulk edit their listings on a daily basis to ensure that the PayPal address is reset to the correct one. Apart from this advice being a bit barmy as you will then never know if a hacker is changing it back five minutes later, if you have thousands of listings it’ll take forever editing just 500 listings at a time.
A better solution is to use eBay Business Policies and check them daily to ensure that the only payment policies are the ones you’ve set. Most sellers will only need a single payment policy as they’ll only ever use one PayPal email payment address. Those who also have a PayPal micro-payments account might need two payment policies, but it will still be easy to see if a third or fourth has been created by a hacker.
Even if you haven’t opted in to Business Policies previously, eBay already create payment, shipping and returns policies in the background each time an item is listed for sale. These remain hidden until you opt in to eBay Business Policies, at which point they become available for you to manage. You’ll see a policy for each set of payment, shipping and returns terms that you’ve used recently, and the first thing to check is how many payment policies appear. If there are more than you are expecting then you’re being scammed on eBay and you’ll want to look more closely. If you see two payment policies that look identical, remember that hackers have been swapping an ‘l’ for an ‘I’ (lower case ‘L’, upper case ‘i’) as they look identical.
You can opt in to use eBay Business Policies here
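An added example (not from the original article and not eBay's own code) of the check described above: compare every PayPal address found in your payment policies or listings against the addresses you actually own, and flag lookalikes such as an upper case ‘I’ standing in for a lower case ‘l’. It goes slightly beyond the article by also flagging one- or two-character misspellings; the CSV column names, the sample rows and the addresses are constructed for illustration.

```python
import csv
import io
import unicodedata

# Characters that render alike in common sans-serif fonts, folded to one
# representative. A small hand-picked map (an assumption of this example)
# covering the 'l' / 'I' swap described in the article plus digit lookalikes.
_FOLD = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

# Constructed data: the only address this hypothetical seller should be paid on.
APPROVED = {"widgets.ltd@example.com"}

# Constructed export. The column names are hypothetical; use whatever your
# own listing or payment-policy export provides.
SAMPLE_EXPORT = """\
item_id,title,paypal_email
1001,Phone case,widgets.ltd@example.com
1002,USB cable,widgets.Itd@example.com
1003,Screen protector,widgets.ltd@exampie.com
1004,Charger,Widgets.Ltd@Example.com
1005,Stylus,other-person@example.org
"""


def skeleton(address: str) -> str:
    """Return a form in which visually identical spellings compare equal."""
    text = unicodedata.normalize("NFKC", address.strip())
    return text.translate(_FOLD).casefold()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(address, approved, max_distance=2):
    """Return (verdict, closest approved address or None).

    "ok"        exact match, ignoring case and surrounding spaces
    "lookalike" looks the same on screen, or is within max_distance edits
    "unknown"   not yours and not resembling anything you own
    """
    seen = address.strip().casefold()
    wanted = {a.strip().casefold() for a in approved}
    if seen in wanted:
        return "ok", seen
    for good in sorted(wanted):
        if skeleton(address) == skeleton(good):
            return "lookalike", good
        if edit_distance(seen, good) <= max_distance:
            return "lookalike", good
    return "unknown", None


def audit(export_csv, approved):
    """List every row whose PayPal address is not one of the approved ones."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        verdict, near = classify(row["paypal_email"], approved)
        if verdict != "ok":
            findings.append((row["item_id"], row["paypal_email"], verdict, near))
    return findings


def distinct_payees(export_csv):
    """Distinct addresses in use; more than you expect is the first warning."""
    rows = csv.DictReader(io.StringIO(export_csv))
    return sorted({r["paypal_email"].strip().casefold() for r in rows})


if __name__ == "__main__":
    print(len(distinct_payees(SAMPLE_EXPORT)), "distinct PayPal addresses in use")
    for item_id, address, verdict, near in audit(SAMPLE_EXPORT, APPROVED):
        hint = f" (imitates {near})" if near else ""
        print(f"item {item_id}: {address} -> {verdict}{hint}")
```

Anything reported as a lookalike or unknown address needs investigating; a string comparison catches swaps that the eye cannot.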
I have a friend who works for a very large IT company, which provides support for lots of VERY large internet companies, the likes of eBay.
He said that if a scammer worked for an Internet Provider, it is possible for him to gain remote access to a person’s computer directly via their internet connection.
Because of this, it would not matter if the eBay Seller changed their eBay password every day or even every hour. It would not matter if they signed up for 2 step identification.
The fact that £600,000 or more in losses have already occurred suggests that this is not a lone hacker behind the fraud, rather possibly a crime syndicate.
The fact that it is currently APPARENTLY only happening in Britain, could mean that all of the victims are using the same Internet Provider(s).
It is unconscionable there is not someone investigating this line of possibility. If Action Fraud is not the correct agency … does not have the training or authority to investigate this type of crime, then you’d better hope that SOMEONE in a government agency understands how these IT crimes work.
Because the fact that they are getting away with the crime and no one seems to be able to stop it, will only embolden them.
Is that a typical Ebay way of working go to the section above which says,
We’ve set out eBay 2-Step Verification set up instructions here.
and it goes to a 404 page. That is typical of anything ebay, not working.
Oops, my fault, link is now fixed
I don’t think those behind the fraud are interested in all 200,000 ebay sellers though, they are only interested in really quite high volume sellers of low value items and seemingly also those who have paypal email addresses to fraudulent domains like hotmajl instead of hotmail they already have set up.
If you say they are only interested in sellers who aren’t going to readily notice £20k going missing over a 6-12 month period you’re looking pretty much only at sellers doing turnover in the hundreds of thousands of pounds most likely. Then from that you’ve got to cherry pick ones with large volume lower value transactions and also with active listings numbering quite a lot. Then they need a paypal email they can spoof.
If you apply those parameters the total pool of sellers would reduce enormously and be a much, much higher rate of compromised accounts. If, as it looks, it could end up being more than a hundred sellers affected it then seems that if you are a high volume low value seller that fits the profile the fraudsters are targeting you have a very high chance indeed of being affected.
I love ebay BUT this leaves a lot to be desired.
A few weeks ago I tried looking into this business policies thingy and it opted in.
I then kept getting the page that there were issues and to come back in a few days etc.
When I go to the http://www.bizpolicy.ebay.co.uk/businesspolicy/policyoptin page now, it just times out.
I phoned ebay and they were looking into it. No response since and that was a week ago.
At the time I also asked for a report of all my listing’s attached paypal email addresses. Again that would be looked into but still nothing.
The two factor authentication is good, but last week it took me over an hour to receive a text message to be able to log in. Since then I installed their app and turned off all other notifications, just so I can “securely” log in.
I am no programmer but I know through their API, it MUST be possible to extract the listing ID or title and associated email address, and I wish someone wouldn’t mind creating that one as it would be a massive help.
The good thing about the different paypal email addresses, when I had a need, was that I could set the paypal address as I needed. I used to use one account for micropayments and low value and another for higher value, this way I saved on the paypal fees.
I think the key is discovering the specifics of each crime and building a picture that will help identify how they are happening.
If @Chris is able to, and obviously with permission from the affected that he has discovered, the details could be published anonymously and others can have a lookee see.
Ebay are obviously keeping tight lipped but the educated readers of Tamebay may be able to help others avoid this issue.
Wanting to use micropayments is one possible reason why there could be a need to offer the ability to add a different paypal email address to listings but paypal did not officially allow one business to have two paypal accounts if you wanted a micropayments account and a regular paypal business account the official line was you must set up a separate legal entity business.
Yes, it’s easy to do this using the API. The output for one listing looks like this:
Well it would do if all of the tags hadn’t been removed. Here it is again with angle brackets replaced:
I’m a programmer and tend to use eBay Trading API for quite a few tools that make my life simply easier.
Nice idea with such tool, however I cannot see it “fly”. Each user would have to create API credentials and give them to my app so therefore my app has access to lots of data. I cannot remember if the API access can be setup in more limited way.
I think it’s eBay’s call to stop the crime happening. And any of their advice along “check your listings manually and update as necessary” is just typical them – don’t care about sellers. RIP EBAY
very much above my head
but I can’t help thinking if it’s a high level access ebay or paypal insider
no amount of password jiggery pokery will help
Surely the easy way for ebay to prevent this, is to not allow the changes to the paypal payment account address for a live listing. If someone had a need to change the paypal address this could be done via a telephone conversation, where further security checks could be carried out.
Ebay should be able to identify any ongoing problem accounts by looking for multiple paypal destinations
This is what I don’t understand.
It’s quite simple for ebay to do.
Make a magic button that exports all your listings as a csv.
Most people can then have a look and easily see with filters if there is anything amiss.
I understand that they don’t want ALL information to come out to make it easy to import into other market places but the basic information required is not going to hurt.
THEY are not going to do anything. Dream on. There are things that YOU can do.
A File Exchange download will get all of your item numbers.
Then make the API call GetItem for each item. This does need some programming and you need to join the developers program (free) to use the API.
You can probably get the details of the entire listings with this.
I previously posted how I check for any unauthorised changes to the PayPal email address. This needs one API call of SetNotificationPreferences which will send you an email every time an item is revised. This is all you need to do if you know your listings are all OK now.
Well, I’ve been ‘done over’ to the tune of £255. Whilst not in the same league as other big losses, for me it is significant. eBay wash their hands which is a big error on their part. Their platform has failed and they have left a security vulnerability running that would be simple to stop – either require additional levels of security to alter a payout address/account or, at the very least, send out an email of a change to such a critical piece of data, as they do when changing the password. eBay are 100% liable. Since I have so little explanation from eBay I have had to guesstimate the methodology of the fraud and will be suggesting to the serious fraud office that it is an inside job and the lack of corporate action to close the security loop-hole may indicate corporate compliance in the fraud. This may be entirely inaccurate and the fraud be an external problem against solid robust eBay security but only a detailed investigation by the serious fraud office will reveal the truth. Meanwhile I am also going to assume that the lower to mid levels of eBay are hiding the issue from the lovely high level eBay executives and, once they are alerted, will fall over themselves to compensate and see any security vulnerability is closed immediately and be proactive with any serious fraud office investigation. My deep searching of all and any senior executives in eBay, irrespective of their title, begins tomorrow following my formal response to my account’s fraud today. These senior executives will be a start, Devin N. Wenig Stephen Fisher Scott F. Schenkel Raymond J. Pittman Jae Hyun Lee and of course Wendy Jones who, “As Senior Vice President, Global Customer Experience & Operations at EBAY INC, Wendy Jones made $11,786,755 in total compensation.” By the end of October, most of the top brass will know my name. It is unfortunate to come to this kind of action. As I told the first contact at the customer services, I don’t care who, how, or why, I just want my £255 back. 
It should have been a simple compensation matter to cover a systems error and I would never have started digging.
From your list, no longer at eBay: Devin N. Wenig, Stephen Fisher, Raymond J. Pittman. eBay have been busy shuffling the deck with executives, just as they continue to do the same to sellers, buyers, anyone else they can screw over. eBay points the finger at PayPal for the fraud when THE FRAUD IS HAPPENING ON EBAY! They seem to come across as not really caring what’s happening, as long as they get their cut of fees they don’t care who the money is going to. Just goes to show what kind of company this is. They are frauds and criminals themselves. If they’re not forced to do anything, they won’t.
I don’t use business policies but I’ve read that some people have found them difficult to use. If using them you don’t put the PayPal email address on the listing but just have it within the bp. This may or may not prevent this fraud.
The same applies for this two level login.
I feel more secure now that my system is checking for any unauthorised changes.
Sorry that you have become yet another victim. I agree that it would be easy for eBay to do something about this.
I can’t figure out how it’s being done other than by someone on the inside who can bypass any security.
I’d be interested to know whether or not you are using business policies. I think that these email addresses are being changed on individual listings rather than through business policies.
Until yesterday I wasn’t aware of something called a business policy and I am still somewhat in the dark about what it is and where it is. I think I will set up the level 2 login security though, now I know of its existence. Notably, eBay have not informed me of the existence of level 2, I discovered it on this website. That will not encourage a small claims action in eBay’s favour. A clear indication of the lax security and failure to act on eBay’s part.
I have also noticed a substantial drop off in sales for Friday and into today. This is often a peak sales time. There are a couple of other significant dips and each one coincides with my calling and chasing eBay for updates into the prior investigation into missing payments. I think it is quite clear that shops are taken offline whilst they examine any claims and it takes a good 12hrs, possibly 24hrs before the sponsored listing algorithm starts placing my sponsored listings (i.e. all of them) in search results.
“2-step verification is on
You have successfully set up 2-step verification for your eBay account. You now have an added layer of security when you sign in to your account.
If you didn’t just sign up for 2-step verification, please contact us.”
They can send me an email to tell me I have made a change to my security details, but not to tell me if the PayPal payment address has changed. I would be interested to know how many hacked accounts had 2 step verification. That would give a strong indication that the fraud is internal to eBay and indeed their denials are classically indicative of a coverup over such a possibility. Another component for the serious fraud office to examine. Note, if YOU do not report the theft and breach in data protection to the police, they will not take action. They must have a complaint to pursue so it is incumbent on every single victim to contact any police contact address and report the crime. You will be directed to the relevant place to lodge the crime formally.
Incidentally, are these the ‘business policies’?
You have authorised the following third-party applications to perform certain actions on eBay on your behalf.
eBay Bulk Listing Management (created 26-Jul-18) Revoke this authorisation
eBay Business Policies Management 2 (created 14-Oct-18) Revoke this authorisation
Parcel2Go (created 15-Mar-19) – Parcel2Go.com Revoke this authorisation
eBay Asynchronous Bulk Relist (created 20-Jul-19) Revoke this authorisation
Developing IT Ltd (created 08-Aug-19) – app.optiseller Revoke this authorisation
eBay Marketplace (created 03-Oct-19) Revoke this authorisation
Lithium Technologies, Inc (created 04-Oct-19) Revoke this authorisation
I have no idea what these do and so reluctant to change anything.
The hack on my PayPal addresses seems to have dated from the 19th July, approximately two weeks after turning off holiday settings and the same day that the ‘eBay Asynchronous Bulk Relist’ appears. What is this bulk re-list? What happens when it is turned off? Is it a coincidence of the dates? Is this a regular updating authorisation? When and how did I authorise these (I only know of the optisource)?
Another recent activity has been the changes to listing rules for certain categories. Like many, I used the ‘free’ optisource tool to check any listings I have for compliance, none found. Was the security breach to do with optisource? What access was given to our listings to check the compliance with listing rules? Was the PayPal address knowingly or accidentally exposed and released? It seems the compliance check only worked by searching listings on the basis of a logged in user within the account rather than as an external examination of a listing as you would do as a buyer. Was that a backdoor to the PayPal addresses? Again, given eBay have failed to reveal any information it will be down to the serious fraud office to investigate more angles within the corporation and any contractors associated with eBay. Big job, but this is a big crime. eBay’s statement that they will assist in full with any police inquiry will be fully tested.
“If you wish to pursue this matter further, I suggest you report this incident to the police. eBay will gladly help the police with their investigations if needed. Please ask the investigating officer to email us by using the ‘report information to eBay’ link on the following page:
EBay Inc. (NASDAQ: EBAY)
Can anybody point me to an eBay RNS where the company informed the market of the discovery of a significant security violation where pay to PayPal accounts can be altered without notice in individual listings? This would be market sensitive information and the intended action to take. Therefore eBay must have released some information to the market to allow investors to make informed decisions as to whether or not to invest in the company.
If they have not issued information about the discovery of the unauthorised altering of PayPal payment accounts, then they are in significant breach of listing regulations. That will be one for the FCA in London (0R3D EBAY INC EBAY ORD SHS ) and NYSE Regulation (“NYSER”) for EBay Inc.
It would have been so much easier for them to simply have stopped the security failure and compensated sellers in the exact same fashion they expect sellers to compensate buyers.
eBay has announced nothing, and no major/financial media have covered it either. Same goes for every other problem eBay has had and continues to have, which are numerous and ongoing. Not a peep about anything, EVER. eBay seems to be protected and there’s never any criticism whatsoever. eBay is like an inside job designed to keep the stock price from completely tanking as it deservedly should. Lots of funny business with this company.
Another thing just occurred to me and is worth taking note.
I seem to have magically just got access to my policies and just looking at the hundreds of old ones with no listings associated.
BUT then I wondered if there was one for every country – ebay platform.
I know of old that different ebay platforms have different “WAYS”. You could do some things on the old Irish (IE) ebay site that you couldn’t with others, that WOULD affect international sales in different ways.
Another thing I used to have to try and do was stop packets going to pack stations in Germany.
If I did anything to the UK version on ebay.co.uk then it allowed packstations on the German one again, and I would have to do the German one all over again to block pack stations.
Anyway, best check all the platforms to see what’s lurking.
Should be a matter of changing the domain name end from “.CO.UK” to “.IE” “.DE” “.FR” etc etc
errmm, I literally have no idea what you are talking about! It seems to me there is a whole sub-world of eBay settings and methodologies beyond normal understanding. The scope for security violation seems infinite. Never mind, I am sure once the market news blogs on both sides of the pond have been inspired to dig and question, the serious fraud office have been alerted to the potential extent of the fraud and corporate blase, all will come good and I will get my £269 pounds back (added up the eBay data and it is more than my reconciling). Then I will go back to sipping my tea and smiling out of the window at the birds.
eBay themselves allow scammers to do whatever they want. It says on the money back guarantee policy, a buyer is not entitled to their money back if the item was posted to a third party before being posted back to the seller. Yet a damaged item has been returned to me, the buyer told me they posted it to a third party, got it back then posted it to me and eBay say I have to issue a full refund. If not they will give the buyer a refund themselves on the buyers request. I mentioned the money back guarantee and was told they will still pay out the buyer as the return was delivered back to me and a return sent back to the seller will get refunded by eBay. I also mentioned the buyer admitted to breaking the item so the condition had changed but was told the buyer will still get refunded. Someone has suggested I try an appeal with eBay and if they still will not pay me out to take eBay to the small claims court. Just disappointed in the whole thing.
It is against the money back guarantee for a buyer to return an item they have posted to a third party. In refunding the buyer they are breaking their own policies.
Ebay should not be allowed to break their own policies surely legally that can be challenged.
eBay don’t do enough to protect sellers. I am receiving abusive emails from a buyer. They broke an item, returned it to me and because I am refusing a refund are being abusive. I provided photographs of the item condition prior to dispatch and they are not happy I can prove the difference in condition to what has been returned.
Spoke to eBay about the abuse they said keep talking to the buyer. They were not interested in the abuse at all.
When I mentioned the condition of the return they just said refund the buyer. Someone needs to start regulating the likes of eBay so sellers have right. They just don’t care about the sellers.
The abuse is unacceptable. Ebay should be doing more to protect sellers from abuse.
As far as the return, try an appeal with ebay put all the photographic evidence forward. If ebay don’t refund you take ebay to the small claims court. A court would be interested in your evidence even if ebay want to ignore it.
I agree the sooner ebay are regulated the better.
How come the subject of the discussion has been neatly moved to quite a different topic. The original issue is still there and nobody affected or concerned is in the slightest deflected.
The 1st poster claims the ebay account could be hacked at the ISP. Given the triple handshake in ebay data streams this would be impossible. In fact virtually every parcel of data has at least a double lock now since bandwidth and speed are so high the user barely notices the time for the double or triple handshake. Furthermore, they would never know which server port is being used with the ebay server and keep track of the changing nodes as traffic is automatically rerouted several times a second to handle traffic. ISP hacking is more conspiracy theory promoted by people who wear tin foil hats so that the CIA can’t read their thoughts.
I think the link is ebay themselves are the cause of a lot of issues on eBay. People should be allowed to talk about things happening to them at the moment even if they are slightly off the original discussion.
I agree with David.
Sellers should share the fact ebay are going against the Money back Guarantee and awarding refunds to buyers who have broken the rules of this policy.
Ebay should not refund if a buyer has posted an item to a third party, got it back and returned it to the seller. From what is being said the condition of return policy was also broken, they should return in the same state and condition received too.
Regulation is the answer to stop ebay giving refunds that breach their own policies.
I’m against over handed regulation of business but eBay has needed some sort of regulatory governance for years- it’s trodden on sellers for far too long.
I agree the user agreement with ebay is a legally binding contract. Ebay ignore parts of this agreement and give refunds to buyers that are unlawful. The Money back guarantee forms part of the user agreement, but sellers are not being judged by ebay on the rules they have set.
If a item is posted to a third party by a buyer then returned back to the seller for a refund, that is a breach of the user agreement and ebay legally should not take the funds off the seller.
External third party regulation or taking ebay to court on breach of contract are the only way forward.
This scam is currently happening to me right now & I call ebay every day to get put through to the Philippines and have to explain myself every time to be told “we will log with our fraud team and get back to you”. I have spent at least 2-3 hours a day on the phone & go round in circles. The “fraud team” are oblivious to this and say they have never heard such a scam happening. Which is obviously from the research I’ve done there is hundreds of thousands if not over 1m been stolen this way.
The 1st day it was noticed paypal were informed as well & again yesterday as they still not closed the paypal account down. I feel they also have a duty of care although it’s clear the issue is on ebay.
A full week has passed and every day at multiple times the paypal email address is changed on our listings. Of course we notice this & bulk change the listings back. Within an hour or so it’s back to the fraudulent email.
They must have some sort of software that can bypass ebay security as it’s the exact same listings that are changed.
We have 2 step on, changed email, changed passwords / changed username. We have even closed down all computers / turned off the internet and worked off a brand new computer on a complete different ISP to rule out an issue at our end.
I’m not sure what to do as getting no help from ebay!!!!!!!!!!!!!!!!!!!
Sorry to hear that Steven
Do you have any 3rd party software (eg a listing tool by someone other than ebay) linked to the account? It sounds more likely that would be the weak point. According to what I read previously on this subject, a security reset and change of password on ebay wouldn’t remove such a program, so if that is where the problem is, you’re not removing it.
If changes get made within 1 hour, it’s too quick for phishing messages and new password breaches.
What is the easiest method to check if you have been scammed?
Depends on your level of sales
If you can cope with the volume, you could just open ebay and paypal, then look at the daily sales. You should spot anything missing. But if there are too many sales to deal with, use ebay business policies.
Thanks Gav for the reply, doing on a daily or weekly basis is not a problem, and I have checked my policies before to ensure I did not have any different Paypal accounts, but from what I have read, the scammers are smart and delete the policies and re-create them. I was really asking and perhaps did not make clear, how the easiest way to check historical which will be thousands of sales. I thought about exporting sales data from both ebay and Paypal, but it’s not easy to match, although could look at the last years sales value on ebay and paypal.
Yes we revoked all apps as well but they still got in so still not sure how they are doing it.
It’s 100% some software whether it be a file exchange or something, I’m not sure.
I changed password & email and revoked all accesses again last night, been 12 hours and no listing been changed, hopefully this is them away or they have given up as I was constantly checking every 30 mins if the listings were converted.
Ebay to have this in the listings easy to corrupt is beyond me, seems they are not investing in security enough. Simple solution: when a listing is created the paypal email address is locked in for that listing. No changes can be made.
If it’s not apps, do staff have access at work? Wouldn’t be the first time that an employee has stolen from an employer.
And I don’t think they’ll give up if they can still gain access. Would you stop trying if you were them? No. Maybe you’d wait a week til it was considered forgotten, then try again.
The idea though that the attack has to be fended off 24/7 with checks and resets is nonsense. Ebay should have a way to prevent payment detail changes. They should also know how the accounts are being accessed and warn people.