Today we are calling on eBay to make one simple change to their marketplace which will stop the PayPal payment email address scam ever occurring again. Make the PayPal payment email address an uneditable field once a listing is live.
I have spent the morning on the phone talking to three more eBay sellers who have been defrauded in the eBay scam where accounts are being compromised and funds stolen by altering the PayPal payment email address in order to divert proceeds from sales. The three sellers in question lost sums of £45k, £8k and £11.5k. This brings the total losses we’ve identified to over a quarter of a million pounds and that only takes into account just over a dozen individual sellers who have verified their losses with Tamebay.
The average loss is in the region of £15,000 per seller and all the affected sellers are scrambling to figure out how to secure their accounts to make sure it never happens again and it’s proving almost impossible. It doesn’t matter how much checking you do, and it’s pretty impossible to check your listings regularly even if you only have a couple of hundred.
One suggestion is to use Business Rules to set your PayPal payment email address, but even this isn’t foolproof. What’s to stop someone with unfettered access to your eBay account from popping in, changing your payment address to theirs for an hour a couple of times a week and then changing it back to the original PayPal email address, hoping you won’t notice? You might notice an additional Business Rule, but eBay currently won’t notify you that the PayPal payment email address has been tampered with and then restored.
Being unable to edit a PayPal payment email address may be inconvenient for a very small number of sellers who change their email address or PayPal account in the future. It will force them to end their listings and relaunch them with a new PayPal payment email address. That’s a small price to pay to know that when you get a sale the funds won’t be stolen. It’s a lot easier to spot that a criminal has launched a load of new listings on your account than it is to notice that they’ve inserted an ‘I’ where previously you had an ‘l’.
In any case, this is a temporary measure that will only last until eBay Managed Payments rolls out, which is scheduled to be completed within the next two years. In the meantime it is vital for eBay to assist sellers to keep their payments secure and stop funds being gifted to criminals. If you think the inconvenience of having to end an eBay listing in order to change the PayPal email address is a price too high to pay, let us know in the comments below… but it’s cheaper than discovering you’ve lost an average £15,000 to a scammer.
Please eBay, make the PayPal payment email address a field that cannot be edited once the listing is live.
15 Responses
if they’re going to make a change, make the paypal email at an account level, you only have one.
if it changes you get an email, and just in case you miss that ALL your money will vanish, so you’ll notice pretty quickly.
Bad idea. Just have a notification if it changes, it’s not hard to implement, surely? And what James said, one email for the whole account, is sufficient.
@ Ian, I agree. a simple notification to the account holder should suffice.
As Ian has said, a notification/verification if it changes, would be a strong deterrent.
Also, put a delay on the change and make it impossible for the email address to be changed more than once in a certain period of time unless contacting ebay or paypal.
They should just introduce 2 factor when changes are made via Google or apps like authy. Not like what they have now.
As well as an email confirmation link. Pretty basic stuff.
Even just to visually inspect the email address would be possible if they changed the font for the email address e.g. to Times New Roman, or another serif font, as upper-case ‘I’ and lower-case ‘l’ would actually look different. I often have to copy postcodes into Notepad just to see what letters they are actually using, as Notepad uses the Consolas font by default, so there is no mistaking what letter it is.
Email notifications of changes should be the very least implementation.
There should be 1 email per eBay account, any changes should be confirmed by 2FA.
What if you use Micropayments as 2nd way of getting paid ??
5% + 5p instead of 3.4% + 30p ?!?! which is more cost effective for up to about £9.
“Being unable to edit a PayPal payment email address may be inconvenient for a very small number of sellers who change their email address or PayPal account in the future. It will force them to end their listings and relaunch them with a new PayPal payment email address.”
Are you serious? Not being able to change paypal email address on existing listings is a very bad idea.
There are many reasons why a seller would want or indeed need to change their paypal email and having to end listings with good visibility because of long standing high sales would be more than “inconvenient”.
As others have said, a simple notification or two step verification requirement when a payment email address is changed would suffice.
We have come across some fraudsters that are sending multiple ebay links through ebay messages to ask for volume discounts and sometimes these contain phishing links to imitate the ebay login page to obtain your login details.
Ebay seriously needs hierarchy level logins with 2 factor security. Payment policy features need to be rolled out to all ebay accounts so that payment email addresses should only be centrally controlled by account owners. This will eliminate this kind of fraud. This will also take care of multiple paypal addresses for Standard/Micropayments, staff users can only select from existing payment email addresses through a selection and cannot add or edit on a listing page.
This way if a staff user’s ebay login gets compromised, the super user account or owner is unaffected.
Hierarchy level logins appear to be low on ebay’s development priority list.
Due to PayPal’s recent change, we had to do just that, on several thousand listings.
We now have (with their permission) two PayPal accounts – a “normal” one, and a micro-payments one for low-value items which would otherwise have been hit hard by the fee increase.
My preference would be to make it so that the payment address is only editable if it’s one generated through Business Policies (i.e. listings made as one-offs could only have the payment address edited if you first revise them to be added to a Business Policy). Then make it so that creating or editing a payments Business Policy is activated only after you either confirm via a link in an email or via a one-time passcode to your mobile.
That way, you don’t lose a notification email in the tide of other spam they send out, and a change could only be made by a criminal if they have also compromised your email and/or mobile phone. Not impossible, but if all those things are compromised, you’ve got a lot more serious issues to deal with!
Chris said “It will force them to end their listings and relaunch them with a new PayPal payment email address.”
Ending a listing would mean losing the Listing’s Sales History. Unfortunately not a good idea. The previous amount of items sold shown in each listing is very important to me. If you ended the listing and then made a new one, then the Sales History would be lost – back to Zero Sold and years and years of hard work lost.
Chris Dawson “Really? How often do you have to change your PayPal payment email address bearing in mind that you can have multiple email addresses on a PayPal account?”
I didn’t have multiple email addresses and had to change it twice recently – thank you for asking.
Second time was for micropayments. I then changed the Paypal email address for 95% of my listings. If I had been forced to end the listings I would have lost the ranking/visibility/sales history/repeat orders that have taken time and effort to achieve.
ebay need to take action to stop this theft, but there are better ways than preventing a seller from changing their email on their own payment account.
Some sellers may not be aware of the fact that this scam will not work when using a third party order processing tool like Linnworks.
The registered paypal email addresses that you use are added into the channel setup. If an order arrives with an email address that is different, then the order is flagged and marked as unpaid. Still a bit of hassle to deal with as there is going to be an unhappy customer, however at least no goods or money should get lost.
I expect you will be immune from poor feedback and you cannot be faced with a paypal claim.
It may be worthwhile checking if your third party tool has this feature and if it needs to be enabled.
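The check described in the comment above (compare each order's payee address against the seller's registered PayPal addresses) can be sketched as follows. This is an added example, not code from Linnworks, eBay or any commenter; the order fields, the allowlist and the function names are assumptions, and the sample orders are constructed. It also separates lookalike addresses, such as the ‘I’ for ‘l’ swap mentioned in the article, from wholly unknown ones.

```python
import unicodedata

# Assumption: the seller's registered PayPal payment addresses (constructed).
REGISTERED = {"sales@example-shop.co.uk", "micro@example-shop.co.uk"}

# Characters easily confused in sans-serif fonts, folded to one representative.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})


def canonical(addr):
    """Case-insensitive, Unicode-normalised form used for the exact match."""
    return unicodedata.normalize("NFKC", addr.strip()).lower()


def skeleton(addr):
    """Fold confusable characters so visually similar addresses collide."""
    folded = unicodedata.normalize("NFKC", addr.strip()).translate(CONFUSABLE)
    return folded.lower()


def classify(payee):
    """Return 'ok', 'lookalike' or 'unknown' for an order's payee address."""
    if canonical(payee) in {canonical(a) for a in REGISTERED}:
        return "ok"
    if skeleton(payee) in {skeleton(a) for a in REGISTERED}:
        return "lookalike"  # differs only by confusable characters
    return "unknown"


def check_orders(orders):
    """Return (order_id, status) for every order that must be held as unpaid."""
    flagged = []
    for order in orders:
        status = classify(order["payee_email"])
        if status != "ok":
            flagged.append((order["order_id"], status))
    return flagged


# Constructed sample orders (hypothetical field names).
SAMPLE_ORDERS = [
    {"order_id": "A1", "payee_email": "sales@example-shop.co.uk"},
    {"order_id": "A2", "payee_email": "saIes@example-shop.co.uk"},  # capital I
    {"order_id": "A3", "payee_email": "micr0@example-shop.co.uk"},  # zero for o
    {"order_id": "A4", "payee_email": "payments@other.example"},
    {"order_id": "A5", "payee_email": "Micro@Example-Shop.co.uk"},
]

if __name__ == "__main__":
    for order_id, status in check_orders(SAMPLE_ORDERS):
        print(f"HOLD {order_id}: payee address is {status}")
```

A "lookalike" result is worth alerting on separately, since it suggests deliberate tampering rather than a configuration mistake.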