We’ve been contacted this morning by yet another seller who has had their PayPal payment email address changed on eBay and in this case has lost in the region of £6,500.
With typical sales ranging from around £10-£35 and between 100 to 150 orders a day, it really isn’t easy to notice a couple of quid going missing here and there but over a month the sums soon add up.
What’s particularly egregious in this instance is that having spotted the fraud, the seller changed their eBay password, their PayPal password and their email address password at around 8pm yesterday evening. When they came back into work this morning they discovered the PayPal payment email address changed once again on a couple of their listings.
It’s easy to say that it’s the responsibility of the seller to keep their eBay account secured, but having changed all their passwords and not telling anyone what their new passwords were, how did the scammer get back into their account? What can sellers do to protect themselves if scammers appear to have unfettered access to their eBay accounts and the ability to steal funds at will?
We’ve been asking sellers which tools and services they use run their businesses, but in this case as in a couple of others the seller uses no external tools. That means it can not be an external tool which has been compromised and the hackers must have a method of accessing eBay directly (or indirectly via a method that a password change won’t put a stop to once the account is compromised).
Whilst we believe PayPal have questions to answer such as how on earth the accounts receiving the stolen funds are passing European Anti-Money Laundering checks, we believe the responsibility for stopping the fraud where sellers discover that a PayPal payment email address changed and funds diverted into a scammers PayPal account.
There also needs to be some much stronger collaboration between eBay, PayPal and the Police. Currently PayPal are (rightly) blaming eBay as it is on eBay where the PayPal payment email address changed. eBay are shrugging their shoulders saying that as they never had the funds the seller should work with PayPal to recover them. The local Police are powerless and simply direct sellers to Action Fraud. It’s time that when a fraud is reported that eBay use their connections with law enforcement to actively report the cases themselves and give the Police every assistance in tracking down the culprits and for PayPal to assist and if possible track down and recover the funds.
There’s also the question of innocent consumer’s personal data. Tens of thousands of consumer’s names, home addresses, email addresses and a record of a recent purchase are sitting in scammers’ PayPal accounts. What’s to stop these scammers sending out a phishing email saying “You bought that, you might like this?” in a double dipping scam?
eBay need to take decisive action now. They rolled out a seller release yesterday, but if sellers can’t have confidence that they accounts are secure then all the seller releases in the world won’t stop them leaving eBay, either because they lose faith in the security of the marketplace or simply because they lose so much money they go bust and are put out of business.