Here Are Some of the PayPal Scams You Should Be Aware Of
According to regulatory filings, PayPal recently had about 237 million active accounts. That's 237 million people that transfer money through a single platform. We don't really need to tell you that all sorts of criminals want to scam as many PayPal users as possible, do we? How do they do it?
There are so many different schemes involving PayPal that listing them all would take weeks. Roughly speaking, we can divide the threats into two types: the ones that happen when you buy and sell things online, and the ones that involve compromising your account.
PayPal scams that happen when you're selling and purchasing items online
There are many dishonest people on the Internet. You have probably heard this already, and so has PayPal. Because so many people use the platform to pay for things they buy online, PayPal has had to set up certain protection mechanisms for both sellers and buyers.
In fact, the world's biggest online payment platform has invested a lot of time and money into making sure that the rules are tight and the scams are a relatively rare occurrence. Unfortunately, scammers tend to be quite clever, and every now and again, they manage to find a way around the regulations.
Although the number of people who get stung isn't very high, you need to be wary of the dangers associated with completing sales and purchases through PayPal, regardless of whether you're a buyer or a seller. Shop only at trustworthy merchants and make sure that you're familiar with all the terms and conditions. If you're selling things, take the time to read through all the fine print associated with PayPal's Seller Protection Program. Your money is involved, so, as unpleasant as it is, diving into the legalese could be well worth the effort.
Attacks that result in a PayPal account hijacking
These are much more likely to affect you. Pulling off an account hijacking attack is easier than trying to scam a person out of their money during an online purchase, and criminals love it because once your account is broken into, there's little to stop them from making off with your money. What's more, their attacks are usually aimed at a large number of people at once, which means that they can amass many different accounts with minimum effort. They have several ways of doing it.
- Guessing users' passwords. Are you using "abc123" to protect your PayPal account? We hope not, because if you are, you are exposing yourself (and your money) to a huge risk. Simple passwords can be broken in seconds. Too many people are still using them, and the crooks find it easy to guess them. Sure, there's a limit on the number of failed login attempts that can be made from a single IP address, but the crooks have gotten around this by infecting a large number of PCs and creating botnets that are specifically designed to test many different usernames and passwords, each attempt coming from a different IP.
Even a complex password might not be enough to protect your account if it's reused. Let's not forget that while compromising PayPal's systems and stealing users' passwords is unlikely, hundreds of smaller websites get hacked every day, and gigabytes of sensitive data are leaked. Criminals feed those leaked username and password pairs into the same botnets (this is known as credential stuffing), so if your PayPal password is also used on other accounts, you could find yourself waving your hard-earned money goodbye. A unique password for PayPal removes that risk entirely.
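To make the point about per-IP limits concrete, here is a small simulation (added for this article, not PayPal's code; the limits, IP addresses and account name are made up) of a login throttle. It first counts failures per source IP only, which is the "single computer" limit described above, and shows that a botnet spreading the same guesses over many IPs never trips it. It then adds a per-account failure counter, which the botnet cannot sidestep no matter how many IPs it has.

```python
from collections import defaultdict


class LoginThrottle:
    """Counts failed logins and decides when to refuse further attempts.

    per_ip_limit models the "per computer" limit the article describes.
    per_account_limit is the extra control that a distributed botnet cannot
    get around by spreading its attempts across many IP addresses.
    Both limits are constructed values for the demo, not PayPal's real ones.
    """

    def __init__(self, per_ip_limit=5, per_account_limit=None):
        self.per_ip_limit = per_ip_limit
        self.per_account_limit = per_account_limit  # None = no per-account lock
        self.failed_by_ip = defaultdict(int)
        self.failed_by_account = defaultdict(int)

    def is_blocked(self, ip, account):
        if self.failed_by_ip[ip] >= self.per_ip_limit:
            return True
        if self.per_account_limit is not None:
            return self.failed_by_account[account] >= self.per_account_limit
        return False

    def record_failure(self, ip, account):
        self.failed_by_ip[ip] += 1
        self.failed_by_account[account] += 1


def run_attack(throttle, attempts):
    """attempts: list of (source_ip, account). Every guess is assumed wrong.

    Returns (guesses_the_server_actually_checked, guesses_refused).
    """
    checked = refused = 0
    for ip, account in attempts:
        if throttle.is_blocked(ip, account):
            refused += 1
            continue
        checked += 1
        throttle.record_failure(ip, account)
    return checked, refused


VICTIM = "victim@example.com"  # constructed account name


def single_machine_attack(n=50):
    # 50 guesses from one infected PC (constructed documentation-range IP).
    return [("203.0.113.7", VICTIM)] * n


def botnet_attack(n=50):
    # The same 50 guesses, one per bot, each from its own IP address.
    return [(f"198.51.100.{i}", VICTIM) for i in range(1, n + 1)]


def run_demo():
    """Compare the three scenarios; returns how many guesses got checked."""
    results = {}
    # 1. Per-IP limit only, one machine: locked out after 5 guesses.
    results["single_ip_only"] = run_attack(LoginThrottle(5), single_machine_attack())[0]
    # 2. Per-IP limit only, botnet: every IP is under the limit, all 50 get through.
    results["botnet_ip_only"] = run_attack(LoginThrottle(5), botnet_attack())[0]
    # 3. Per-IP plus per-account limit, botnet: the account locks after 10.
    results["botnet_ip_and_account"] = run_attack(
        LoginThrottle(5, per_account_limit=10), botnet_attack())[0]
    return results


if __name__ == "__main__":
    for scenario, checked in run_demo().items():
        print(f"{scenario}: {checked} of 50 guesses reached the password check")
```

The per-account counter is what protects a single victim from a distributed attack; it also means an attacker can lock you out on purpose, which is why real systems pair it with step-up checks rather than a hard lock.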
- Phishing, smishing, and vishing. Of course, criminals won't need to guess your password if they know it already. If the crooks are good enough, they can trick you into revealing it yourself. Phishing, smishing, and vishing all do the same thing: they use social engineering to get your username and password out of you. Phishing happens through emails, smishing (short for SMS phishing) is done via text messages, and vishing (voice phishing) involves a phone call. While we have seen vishing attacks, the classic phishing and smishing schemes are far more popular with scammers. These are the mechanisms we're going to focus on today.
How social engineering works
The crooks' ultimate goal is to redirect you to a fake website that looks identical to the real one (in our case, https://paypal.com). To lower your guard, they craft the emails and texts to provoke immediate action. The subjects and bodies of the messages suggest that there's an unauthorized charge or access to your account, and to remedy all this, you need to click the provided link and log in. They hope that you will do as instructed, and you'll fail to notice that you've been led to the wrong website.
The fake login form looks just like the one on the real PayPal home page, and the criminals often use sub-domains to make the URLs look as close to the original as possible (e.g., www.paypal.com.signin.phishingdomain[.]com). A hostname is read from right to left: the registered domain is the last two labels (here phishingdomain[.]com), and everything to the left of it is a sub-domain the owner of that domain can name however they like, including "www.paypal.com". Because you're in a hurry to sort out the unauthorized charge, you're quick to enter your username and password, which are then sent straight to the crooks. It's a brilliantly simple, yet very effective way of harvesting people's sensitive information, and it's evolved quite a bit over the last few years.
Hackers learned how to spoof the sender's email address, which means that even if a message looks like it's coming from an @paypal.com account, it might still be fake; the From header is just text the sender fills in, and not every mail provider rejects messages that fail sender authentication checks. The emergence of URL shortening services allowed crooks to hide the real destination behind an innocuous-looking link, and, while their writing is still rarely polished, some of them at least improved their English grammar.
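The sub-domain trick and the shortener trick both come down to the same question: what is the registered domain of the host the link actually points at? The following checker is an added example written for this article (it is not PayPal's code), and it uses constructed sample links; phishingdomain.example and the "legitimate" and "shortener" domain lists are assumptions for illustration. It parses each URL the way a browser does, takes the last two labels of the hostname as the registered domain, and flags links where "paypal" appears only as a sub-domain label, links that hide the real host behind a username part (https://paypal.com@evil.example/), and links that go through a shortener and therefore cannot be judged until expanded. It generalises slightly beyond the text by also covering the "@" trick, which is another way of making the left end of a URL look like paypal.com.

```python
from urllib.parse import urlsplit

# Assumed allowlist of domains a genuine PayPal link may point at.
LEGIT_DOMAINS = {"paypal.com", "paypal.me"}

# Assumed list of well-known link shorteners. A shortener hides the final
# destination, so such a link cannot be judged without expanding it first.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def registrable_domain(host):
    """Return the last two labels of a hostname, e.g. 'phishingdomain.example'.

    Simplification: production code would consult the Public Suffix List so
    that hosts such as 'shop.example.co.uk' are split correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url):
    """Classify a URL as ('legit'|'suspicious'|'shortener'|'phishing', reason)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return "phishing", f"unexpected scheme {parts.scheme!r}"
    host = parts.hostname or ""  # hostname already excludes userinfo and port
    if not host:
        return "phishing", "no hostname in link"
    # 'https://paypal.com@evil.example/' - everything before '@' is a username,
    # not the host, but it is what a hurried reader sees first.
    if parts.username is not None or parts.password is not None:
        return "phishing", f"text before '@' hides the real host {host!r}"
    base = registrable_domain(host)
    if base in SHORTENERS:
        return "shortener", f"{base} hides the destination; expand it before trusting"
    if base in LEGIT_DOMAINS:
        if parts.scheme != "https":
            return "suspicious", f"{base} is genuine but the link is not https"
        return "legit", f"registered domain is {base}"
    if "paypal" in host:
        return "phishing", f"'paypal' is only a sub-domain label; the site is {base}"
    return "phishing", f"registered domain is {base}, not PayPal"


# Constructed sample links, one per technique discussed in the article.
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",
    "https://www.paypal.com.signin.phishingdomain.example/login",
    "https://paypal.com@phishingdomain.example/",
    "https://bit.ly/3abcXYZ",
    "http://www.paypal.com/signin",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = classify_link(link)
        print(f"{verdict:10} {link}\n           {reason}")
```

The decisive step is `registrable_domain`: once you look only at the last two labels, the long "www.paypal.com.signin" prefix stops mattering, which is exactly the check a hurried reader skips.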
That said, if you look closely, you should be able to spot that something's not quite right. Since the phishers usually use giant botnets to send the waves of scam emails, they can't tailor each message to its recipient. As a result, the email or text will likely start with something like "Dear Client". PayPal has your name in its records, and legitimate communication from the company will address you by it. Keep in mind that the reverse doesn't hold: a message that does use your name isn't automatically genuine, because names leak in the same breaches as passwords, so treat a generic greeting as a red flag rather than a personal one as proof.
Frustratingly enough, some people continue to stubbornly ignore the threat of having their PayPal credentials phished. Excuses like "It won't happen to me" or "I'm savvy enough to differentiate a phishing email from a real one" are way too common, yet the number of people who fall victim to phishing and smishing scams every day is huge. Although there are mechanisms in place that might give you the chance of getting your money back in case the worst happens, the headache is considerable, and keeping yourself safe is actually not that hard.
When an email tells you that you need to log in to your PayPal account, don't click the link. Simply open a new browser window or tab, type paypal.com in the address bar, and hit Enter (or use a bookmark you created yourself). Once you're logged in, any genuine problem with your account will be visible there. That way, you'll be sure that you're giving your login credentials to the right website. A few seconds and a couple of keystrokes can really make a difference.