Daily Mail This is Money investigate £54,000 eBay fraud


The Daily Mail’s This is Money have investigated the £54,000 eBay fraud which Richard Crisp of Home Care Essentials became victim of and they too have hit an impenetrable brick wall with both eBay and PayPal passing the buck to each other when asked who is to blame.

You can read the original story here, but put simply scammers somehow accessed his account, bought new domains very similar to his and changed his email address with just one letter different to divert funds over a prolonged period of time. On day 1 of the scam just £11.30 was diverted, but add relatively small sums up over a long time frame and tens of thousands of pounds are syphoned off by the criminals.

Richard’s £54,000 eBay fraud is not a one-off; another recent case we heard of saw a seller lose £15,000 before catching the fraud. Other cases vary from a few hundred to thousands and the most worrying aspect is we have no idea how widespread the fraud is and how many other sellers are still losing small amounts of money on a daily basis. The daily sums are small but the losses run into tens of thousands.

What are eBay saying about the £54,000 eBay fraud?

eBay haven’t been able to tell Richard how (or even if) his account was compromised. If we knew this we could give some advice on how to protect your account. Obviously if a different IP address accesses your account then this should be caught by eBay but what if the hack is being perpetrated via a third party tool? If the eBay account itself was hacked then surely eBay should be held responsible for the critical settings that have been changed? But eBay say that as they never received the funds they aren’t liable and recovery rests with PayPal.

What are PayPal saying about the £54,000 eBay fraud?

PayPal continue to say that Richard’s own PayPal account was never compromised and how were they to know that the fraudulent accounts receiving the funds weren’t legitimate? PayPal too have questions to answer such as how these fake accounts were set up in the first place and how they passed anti-money laundering checks. It shouldn’t be easy to set up PayPal accounts with fake details and use them to skim money from legitimate sellers.

PayPal however are saying that as the changes were made on eBay it’s down to eBay to put things right.

What are the Police saying about the £54,000 eBay fraud?

The local Police are unsurprisingly unable to assist and sent Richard off to report the crime to Action Fraud. It’s hard not to have sympathy with the local bobby as this is a sophisticated crime, almost certainly with fraudsters not in the UK. Action Fraud, however, is a “report it, get a crime number, cross your fingers and forget” type of service.

What’s most galling is that this is treated as a victimless crime. It’s not. Richard has personally lost tens of thousands and is most certainly worthy of the Police doing their best to chase the scammers down.

What will stop this happening to you?

This is a scam that we have traced back at least as far as 2017. eBay and PayPal should both be aware of a case that came to light in early 2018. Both companies have had over a year to warn their users of the scam and to put steps in place to prevent it ever happening again.

It’s pretty clear that if someone is skimming funds from your eBay sales, there are unlikely to be any warnings forthcoming. You are also unlikely to be easily able to spot a different email address as it could be masked – the favourite is to swap an “l” for an “I” – that is a lower case L and an upper case i.

Bulk changing your payments email address on eBay is a solution that can help keep you safe, although we have no solution on how to stop the hackers coming back in and changing the address again if they have access to your eBay account or a third party tool that can change the email addresses back again.
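A check a seller can run over an export of their listings to catch the one-letter and “l”/“I” substitutions described above, as an added example (not from the original article, and not eBay’s or Linnworks’ code). The listing IDs, addresses and function names are constructed for illustration, and the confusable-character table is a small assumed subset.

```python
# Added example: audit each listing's payment address against the known-good one.
# All addresses and listing IDs below are constructed sample data.

# Characters that render alike in many fonts, mapped to one canonical form.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})

def skeleton(addr: str) -> str:
    """Collapse visually confusable characters so lookalikes compare equal."""
    return addr.strip().translate(CONFUSABLES).lower().replace("rn", "m")

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(expected: str, seen: str) -> str:
    """Return 'ok' only for an exact match; every deviation is graded."""
    if seen.strip() == expected:
        return "ok"
    if skeleton(seen) == skeleton(expected):
        return "lookalike"        # e.g. upper-case i standing in for lower-case L
    if edit_distance(skeleton(seen), skeleton(expected)) <= 2:
        return "near-miss"        # e.g. a domain one letter away from the real one
    return "different"

def audit(expected: str, listings):
    """Yield every listing whose payment address is not exactly the expected one."""
    return [(lid, addr, classify(expected, addr))
            for lid, addr in listings if classify(expected, addr) != "ok"]

EXPECTED = "sales@example-shop.test"            # constructed known-good address
LISTINGS = [                                     # constructed listing export
    ("1001", "sales@example-shop.test"),
    ("1002", "saIes@example-shop.test"),        # upper-case i in place of l
    ("1003", "sales@example-shopp.test"),       # lookalike domain, one extra letter
    ("1004", "payments@other.test"),
]

if __name__ == "__main__":
    for lid, addr, verdict in audit(EXPECTED, LISTINGS):
        print(f"listing {lid}: {addr!r} -> {verdict}")
```

Comparing the raw strings rather than eyeballing them is the point: the address in listing 1002 is indistinguishable from the real one in many fonts, yet fails the exact-match test.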

39 Responses

  1. Action fraud is a placebo, that does little if anything, it just deludes folk into thinking there is help available

  2. Nick 54 grand from the government and it's lots of porridge
    If it's an Ebay seller and it's almost their own fault for selling online

  3. Surely Paypal would require Identity Documents for an account receiving £54K, or would those be Faked as well.

    The only way to stop this is via eBay 2-Step Security, for which the scammers would not have access to the mobile to approve the login.

  4. Would 2 factor authentication assist on ebay account so a scammer could not log in?

    This would not stop if they hacked your 3rd party listing tool though as that is the API connection I assume.

    I do hope that justice is served and Mr Crisp gets reimbursed. Would the server logs show IP addresses from when the PP email address was revised?

    If I have read and understood correctly I think it is ebay responsibility and as a matter of urgency they should be implementing new security measures so that at the very least when a payment email is changed or an account email is changed then the account holder is notified.

    Good luck getting it sorted.

  5. If your account has been altered there is a good chance that it was down to your own security failings and may be down to your own system being hacked and passwords retrieved.

    If it is due to that, whilst in the main it is your responsibility, eBay should have notifications to let you know of changes.

    We should all set up 2 step verification using either the eBay app or text message

    If it was a third party tool that has been used then that needs access to the account to grant the 3rd party tool access.

    To check 3rd party authorisations:

    Home > My eBay > My Account > Site preferences > Third-party authorisations

    You should check and revoke any that you are unsure of.

    Depending on how long eBay keep server logs will depend on if they have data for the day that it happened, if longer than 12 months.

    Both PayPal & eBay will not give out information due to the data protection regulations. Only the police or a court can grant access, if the police do not do anything then a private court may, seek legal advice.

    It is common for fraudsters to enlist gullible / greedy people to open accounts legitimately and take a commission for the money that goes through their account. In which case PayPal would not be held responsible.

  6. If you're using eBay business policies surely a new payment policy would be created when a different payment address is used. You should be able to spot the affected listings.

  7. Unless any warning emails are sent with flashing lights and sirens
    We would probably not notice them among
    The trillions of regular emails

  8. eBay need to set up staff accounts where access to settings is disallowed.

    eBay is not suitable for business for this reason and eBay are to blame.

  9. “eBay need to remove the Revision of Payment email from the API & only allow it on the site & as you rightly mentioned to email the account holder that this change has been made.”

    Sounds like a very good idea!

  10. @Jim Freezing the account could work but it would be by an email notification, which could be missed as per your previous comment.

    How would it be confirmed? By email that you may miss? If the scammers have had access to your account it is possible for them to read the email messages, be it by logging in or a third party api.

    @ crackerjackcommerce Why do they need to remove it, surely the question should be why is it there at all? Why do you need to have money sent to different accounts?

    eBay should not allow it, but it dates back to a time when they were strictly an auction site, another thing they need to move forward with.

    What some people seem to be forgetting is that to access anything on your account they need to be able to log in. Even a third party api can only be set up with login credentials.

    eBay remind us to set up extra security every time we log in, we are the ones that are ultimately responsible for our accounts.

  11. Couldn’t they just set up something like the banks have? You get sent a personal pin via the post. then you need that to authorise any change of payment details. Add to that, when they are changed you should be sent a text message etc that you have to confirm within a set period of time.
    Nothing is perfect, but in ebay it is all just too easy.

  12. My business was also hit by this scam in October 17 and we lost over 11k. We traced it back to a message sent through our ebay account with a link to one of our products asking for bulk pricing. The link took us to the login page on ebay (so we thought) which was actually a page set up to gain our password. After a long and frustrating time being bounced from ebay to Paypal and back again we finally managed to get the ebay Final value fees returned to us which was small consolation. If ebay had ‘two-factor’ authentication available which we use on our Amazon account then this simply would not have happened.

  13. @ Andrew
    we have had similar emails via ebay messages though we never ever personally click on links in messages
    staff members might
    surely ebay should block these links

  14. @ DaveP Even trusted devices will kick you out randomly, this can happen depending on how long cookie settings are valid etc.

    Unfortunately no systems work for everybody, for most situations involving staff a third party / custom application using the api will give them as much access as they need or you nominate a trusted employee to handle such matters via an office smartphone registered with eBay.

    @ Andrew I am sure you are right, these things are often introduced after a problem has come to light.

    I was incorrect earlier regarding my login email address not being known, it is shown in the business details of all listings, so the whole world can see it.

  15. We now check every transaction to verify the payment. Linnworks also filter orders that have not been paid for. Although we bear some responsibility for sharing our password (be it unwittingly) it is easily done when there are multiple users in the office and 50-100 messages to respond to each day. A team member had an off day and we paid a high price for it.

    The two-step verification that ebay have introduced is not user friendly. In an office full of people that require access we need a mobile phone that we all have access to. What happens when the person with the phone is out of the office? Barmy!

  16. @Tyler Linnworks can check an ebay order to ensure that the payment has been sent to the correct Paypal account. If this account email has been changed then Linnworks highlight this as an unpaid order.

  17. Hi Andrew, if you are using Linnworks have a look at: https://help.linnworks.com/support/solutions/articles/7000016844

    You need to enable this feature by providing the valid Paypal address for your account, otherwise there’s nothing to check against. We have set this feature up and we have tested it and it has worked for us (although in a previous thread on the earlier article Victoria had said that it did not protect them). The order with the changed PayPal address comes into Linnworks as locked with the message that the PayPal address did not match.

    Obviously we knew nothing about this feature whose launch pre-dated our fraud by 8 months. I have actually spoken to Linnworks about this feature today and they confirmed that it was developed to stop eBay sellers being hit by a fraud where the seller’s PayPal has been ‘tampered with’. So how come if Linnworks knew about this exact type of fraud in August 2017 and had developed something to try and stop it why was eBay sat on its hands doing absolutely nothing about it?

    It would be easy to say that Linnworks should have been more pro-active at alerting sellers to this feature but at least they were doing something and surely it should have been up to eBay to bring this type of fraud to the attention of sellers as soon as they were aware of it.

  18. Thank you Tyler

    At the moment we don’t know how it happened. In my initial conversation with eBay they told me categorically that my account had NOT been compromised and it was probably just a typo in the PayPal address. (obviously it wasn’t)

    About a week later I was on the phone to eBay Trust and Safety in the US who told me that they did not class my fraud as an ATO (Account Take Over) which struck me as very odd. They refused to give any information about how the account was hacked ie. whether it was through the front end (password) or the back end. They told me that they would only give that information to ‘law enforcement’.

    These 2 things make me suspicious that it was not someone gaining access to our password.

    I have asked eBay to provide me with my account logs going back to Feb 2018 to see when my account was logged into and from what IP address. I have had to provide a couple of proof of ID’s but it looks like they are going to provide the information. This should show if the password was compromised or not.

    Today, to demonstrate the fraud to a good friend I put his PayPal address in one of our listings. 15 minutes later we had a sale and Bingo he got the money and I got the paid order ready to dispatch in my eBay order screen.

    Now bear in mind I had over 11,000 transactions stolen and it has been written about by a National News Organisation do you think that the eBay Seller Protection who are ‘working around the clock to protect sellers’ might have alerted me to a PayPal address change to a listing of ours?

    Nah of course they didn’t.

  19. @tyler

    I use staff accounts on Shopify which works well and have to trust staff on ebay.

    I don’t agree that I should have to use a third party system because eBay should be adequate for purpose.

    Why go around the houses worrying about 2 step verification when it could be solved with limited staff access.
