Neil loses £30k in eBay scam with PayPal address changed


Yet another eBay seller has come forward to add their name to the growing list of small businesses who have lost money in the eBay scam where their PayPal email address has been changed to a fraudulent email. Once again we’ve seen an ‘l’ changed to an ‘I’ (that is, a lower case ‘L’ changed to a capital ‘i’), meaning it’s virtually impossible to spot. Whilst a computer sees it as a totally different ASCII character, to the human eye they are indistinguishable.
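
The check a seller's eye cannot do is easy for a script. The following is an added example, not code from eBay, PayPal or the original article: it compares each listing's payment address with the expected one and separates look-alike substitutions from plain mismatches. It goes beyond the l/I swap to a few other confusable characters. The function names, item IDs and addresses are constructed, and how the per-listing addresses are obtained is left open.

```python
import unicodedata

# Constructed, deliberately small confusables table (look-alike -> representative).
CONFUSABLES = str.maketrans({
    "I": "l", "1": "l", "|": "l",                  # capital i, digit one, pipe -> l
    "0": "o", "O": "o",                            # zero, capital o -> o
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
})

def skeleton(address: str) -> str:
    """Collapse look-alike characters so visually identical strings compare equal."""
    text = unicodedata.normalize("NFKC", address.strip())
    return text.translate(CONFUSABLES).casefold()

def classify(expected: str, found: str) -> str:
    """Return 'match', 'lookalike' or 'different' for a listing's payment address."""
    if found.strip().casefold() == expected.strip().casefold():
        return "match"        # identical apart from letter case
    if skeleton(found) == skeleton(expected):
        return "lookalike"    # different characters, same appearance
    return "different"

def differing_chars(expected: str, found: str):
    """List (position, expected code point, found code point) where the strings differ."""
    return [(i, f"U+{ord(a):04X}", f"U+{ord(b):04X}")
            for i, (a, b) in enumerate(zip(expected, found)) if a != b]

def audit(expected: str, listings: dict) -> dict:
    """Map item id -> (verdict, differing characters) for every non-matching listing."""
    report = {}
    for item_id, address in listings.items():
        verdict = classify(expected, address)
        if verdict != "match":
            report[item_id] = (verdict, differing_chars(expected, address))
    return report

# Constructed sample data: placeholder item ids and example.com addresses.
EXPECTED = "sales@example.com"
LISTINGS = {
    "ITEM-0001": "sales@example.com",
    "ITEM-0002": "saIes@example.com",   # capital i in place of lower-case L
    "ITEM-0003": "Sales@Example.com",   # case-only difference
    "ITEM-0004": "sa1es@example.com",   # digit one in place of lower-case L
    "ITEM-0005": "payments@example.net",
}

if __name__ == "__main__":
    for item_id, (verdict, chars) in audit(EXPECTED, LISTINGS).items():
        print(item_id, verdict, chars)
```

A "lookalike" verdict is the signature of this scam; printing the code points shows exactly which character was swapped even when the two addresses look the same on screen.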

The first Neil of Oh Sew Crafty knew of the scam was an email from eBay saying that their account had been accessed suspiciously and they needed to change their password. On changing their password and accessing their account, they tried to revise a listing, which then flagged a red message saying ‘your account’s locked, please contact eBay’. This was when they were told their account had been hacked and they needed to change their email address. Having done this, they were told they needed to speak to a higher department in eBay, who told them that around 100 of their top performing listings (out of 8,000) had had the PayPal email address changed and they’d lost thousands.

eBay refunded all selling fees for the fraudulent listings but refused to compensate for the lost revenue and, as usual, told Neil that as PayPal handled payments it was down to him to chase them.

You might ask how Neil didn’t spot that £30k went missing in a six month period, but he took out a PayPal Credit cash advance around the time the fraud started and attributed the lower than expected cash flow to the repayments.

How can you keep your account secure from the eBay scam?

The big complaint Neil now has is that he doesn’t know how to keep his account secure. eBay appear to have no idea how eBay sellers’ accounts are being accessed and have told multiple victims that there are no unauthorised logins. However, they have told Neil that they are working behind the scenes to fix this fraud, which is probably why sellers are now being informed by eBay and forced to change passwords before they discover the eBay scam themselves.

The best advice eBay could offer Neil was to revise the PayPal payment email address on his 8,000 odd listings manually on a daily basis. Due to bulk edit limits of 500 listings and the time it takes for a bulk edit to process, this is easily an hour or so’s work each day. Plus there’s nothing to stop a hacker going back in five minutes later and changing listings back to a fraudulent address once again.

The other advice that eBay have given is to use two factor authentication on your account – this is a nuisance if you have a couple of employees and almost impossible to manage if a larger number of employees need to access your account. This eBay scam highlights the need for robust employee log ins with limited access rights which sellers have been calling for for years.

“If eBay had warned sellers of this scam I’m positive we would have picked this scam up a lot quicker and the loss would have been a lot less. eBay have a duty of care towards their sellers and keep them informed of all potential scams so we can be more self aware. For too long eBay have been too worried about buyers on eBay and have neglected sellers. We’re glad Tamebay are highlighting these scams and trying to hold eBay to account and force them to take action.”
– Neil, Oh Sew Crafty

13 Responses

  1. If you use file exchange, on ebay, then you can change all your listings email addresses quite easily from a csv import.
    I don’t know why ebay isn’t advising this method.

    Maybe ebay have found that there is a trick in either URLS or a file exchange upload that can circumvent their “security”.
    I am sure time will tell but at a cost.

  2. https://bulksell.ebay.co.uk/ws/eBayISAPI.dll?FileExchangeCenter

    forgot the link.
    Not everyone will have access, but you can request it from ebay.
    Create a download request which can take minutes to many hours.

    It gives the Ebay ITEM ID of every item in your ebay account.
    You then delete all the non relevant information and add the Paypal email address and upload it.
    This quickly changes all the listings contained within the file.

    It shouldn’t take people having to understand the archaic structure and guess work, but it does work.
    ALWAYS test a few listings before doing a bulk load though.

  3. @james
    You are correct in that you cannot retrieve the paypal email address BUT you can set it.
    I am sure in the olden days you could download that information, but certainly not now.
    For a test, I just created a new ebay listing.
    I then uploaded a CSV file to ebay UK file exchange.
    It changed the paypal email address.

    Action(CC=Cp1252) SiteID ItemID PayPalEmailAddress
    Revise UK 2XXXXXXXX796 [email protected]

    Above is a copy and paste.

    4 columns are all that is needed.
    I can’t for the life of me remember what the CC=Cp1252 was for but trying to get your headspace right for a file exchange was VERY frustrating.

    Anyway, I shall email a screenshot to @Chris so he may put it up if he wants to.
    As per previous post.

    PLEASE PLEASE test on a few items first and then do en masse.

  4. I am not high tech at all but inadvertently managed to alter my own email / paypal address whilst doing a listing – only a slip of the finger but this carried over onto subsequent listings in that period – only discovered when that item was sold and payment could not be traced – I cannot understand why the error did not flag up immediately – it should be something only changeable in secure account details and resubmitting password to change – if you want to delete an item you have to resign in – the paypal account number should be the most secure aspect and therefore less able to be hacked – why ebay have not tightened this aspect up before is a complete mystery

  5. You can see if you are a victim by clicking the link below
    https://www.bizpolicy.ebay.co.uk/businesspolicy/manage
    All your policies are on there.
    Under ‘Type’ look for ‘Payment’
    If you only have one email address, there will only be one there…you haven’t become a victim of this.
    If you have had any changed to a different email, it will show as a different payment policy on the list with a (1) or (2) at the end.

  6. Forgot to say, at the right, it will show the number of listings that have been changed if you do find additional policies. Clicking the number on the right will show you exactly which listings.

    Also, if the number of listings on the default payment policy is the same number as the items you have listed, there is nothing to worry about.
    I was 1 listing out but that is because the page seems to take a while to update recent (past hour) transactions.

  7. I’m a tiny seller and haven’t been affected by this so I don’t know the legal situation but surely with there being numerous businesses that have lost thousands of pounds it would be worth them getting together and taking ebay to court to try and get their money back. If they shared the costs between themselves it wouldn’t cost them a fortune.

  8. @james
    Many thanks, but I created the listing separately, just so I could test the file exchange approach worked.
    I could have changed one of my existing listings, but didn’t want to mess with those.

    @Toby
    I got exactly the same as you.
    I phoned ebay to ask “what now” and they said it was a specialist team and they would get back to me.
    Nothing so far.
    I also asked for a csv file or excel so that I could check all the paypal email addresses. Sadly, nothing received so far.

    I turned on my 2 factor auth a few days ago.
    I logged into ebay this morning and it said that it had sent the code to my mobile.
    One hour later, nothing after several attempts.

    I gained entry another way, and then turned it off.
    I tried the app and using that way which so far has worked.

    Ebay don’t like to make it easy.
    Well, for the actual account holders, anyway!!

  9. I have setup two-factor Auth on both, eBay and PayPal. Yes it’s a pain if I need to log in and await the temp txt msg and enter it. After all it’s my business where I make money (eBay) and where I keep the money (PayPal). Simple as that.

    Regarding two-factor and multiple employees etc. It’s cheaper to buy one dedicated company phone than be out of pocket for thousands.

    Different topic as to why eBay still requires us to define a email address per listing and not per account. That scam would not exist then.
