What happens to a hacked eBay account? Sometimes hackers will simply list a ton of high value goods in the hope a few will sell and they’ll get the cash into a PayPal account and run off with it before they are caught, but there’s a more sophisticated scam which a Tamebay reader has just discovered has been running on his account – a changed PayPal address for payments.
The reason this one is so hard to catch is that hackers who gain access to your eBay account may only change the PayPal address on a couple of listings. In this instance they cleverly chose listings of low value but with high sell through rates and created a new email address just one character different to the legitimate PayPal address that the seller used – hard to spot.
Having been perpetrated in January 2019, the fraud wasn’t discovered until July 2019, by pure fluke, when a customer asked for a refund, by which time well over £25k had been diverted via the edited PayPal address on a handful of listings. It’s not just the income that’s lost. There are also the thousands of pounds paid in eBay Final Value Fees, the cost of goods, the cost of packaging, the cost of shipping, the cost of staff to pick and pack, and warehousing costs, not to mention the VAT that’s been paid by the seller on these items whilst making a total loss on each sale.
PayPal have washed their hands of such a fraud. Once, when they were a part of eBay, it was the same customer service team that looked after both eBay and PayPal and the two were inextricably interlinked. Now they take one look at the PayPal account and naturally say “Well, your PayPal account wasn’t hacked so it’s not our problem”. They won’t even confirm the amount processed from the eBay account through the nefarious PayPal account, claiming GDPR and privacy won’t let them.
You might wonder why the seller didn’t spot this earlier and it’s a fair question. But when you are a multi-million pound seller getting hundreds of sales a day and using third party software to process orders you probably just ship what is marked as paid. There comes a level when it’s just not possible to reconcile every single sale with PayPal and you trust the software.
The seller had realised that their P&L for the past six months was somewhat disappointing, but had put this down to the ever increasing costs of selling on eBay – postal price rises, supplier price rises, increasing staff wages, increased competition… With the cost of trading on marketplaces, not to mention new fees such as eBay Promoted Listings, it’s hard to spot a relatively small (percentage wise) but continuous drip of money into a hacker’s account.
This type of hacked eBay account is nothing new – there’s a case on the eBay forums of funds being diverted from a hacked eBay account from February 2018.
How do you protect yourself?
The first thing to do is keep your eBay account secure. Don’t share your password and make sure that it’s secure in the first place. Two factor authentication is available for eBay (although it’s a pain in the neck to use, especially if you have multiple staff).
In the two cases cited above, it appears a hacker compromised the eBay listings. However, we’ve heard of cases where sellers simply mis-typed their PayPal payment address and funds went to a non-existent PayPal email address.
Bear in mind that you need to trust your staff. An inside job would be the easiest of all scams to pull off and, although we’ve never heard of this happening, they have access and the ability to change your payment email address.
This is a clear case where multi-layered eBay account access is called for. Whilst your staff are, one would hope, totally trustworthy, it may have been one of them that clicked on a dodgy link in an email or visited a dodgy website, inadvertently giving the hacker access to your eBay account.
Finally, if your sales seem healthy but profits are down, instantly question why and start checking to see if the PayPal email address has been changed on any of your listings through a hacked eBay account.
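One way to run that check, as an added example that is not part of the original article: the script below audits a listing export and reports every listing whose payment address is not the seller's own, separating near-miss addresses (a character or two different, as in the fraud and the mis-typing cases above) from unrelated ones. The CSV column names, item IDs and all addresses are constructed for illustration; map them to whatever export your listing software produces.

```python
import csv
import io

# Assumption: the address(es) the seller legitimately uses for PayPal payments.
LEGITIMATE = {"sales@example-shop.co.uk"}

# Constructed sample export; the column names are hypothetical.
SAMPLE_EXPORT = """item_id,title,paypal_email
1001,USB cable 1m,sales@example-shop.co.uk
1002,Phone case,sa1es@example-shop.co.uk
1003,Screen protector,sales@example-shop.co.uk
1004,Charger plug,sales@exampleshop.co.uk
1005,Car mount,payments@unrelated.example
"""

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit(export_text, legitimate=LEGITIMATE):
    """Return (item_id, address, verdict) for each listing not paying the seller."""
    allowed = {a.strip().lower() for a in legitimate}
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Normalise whitespace and case before comparing.
        addr = row["paypal_email"].strip().lower()
        if addr in allowed:
            continue
        closest = min(edit_distance(addr, a) for a in allowed)
        # One or two edits away is either a typo or a deliberate lookalike.
        verdict = "LOOKALIKE" if closest <= 2 else "UNKNOWN"
        findings.append((row["item_id"], addr, verdict))
    return findings

if __name__ == "__main__":
    for item_id, addr, verdict in audit(SAMPLE_EXPORT):
        print(f"{verdict:9} item {item_id}: payments go to {addr}")
```

Run it on a schedule against a fresh export rather than once: in the case described, only a handful of listings were edited and the change went unnoticed for six months.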