Currys PC World hit by eBay PayPal email address change scam


One of the UK’s biggest retailers, Currys PC World, part of FTSE 250 company Dixons Carphone, has been hit by the eBay PayPal email address change scam over a weekend, with hundreds of consumers innocently sending thousands of pounds to fraudsters. The news was revealed by the Daily Mail’s This is Money.

We’d like to emphasise that this is almost certainly not Currys PC World’s fault but an underlying issue that eBay needs to address. Even though eBay have told many sellers that it must be their own employees, either stealing from their employer or inadvertently giving a hacker access by clicking on a phishing email, it is still eBay who have left it possible for an eBay PayPal email address to be changed by a hacker.

This is the first known instance of a large high street brand having their eBay account compromised in the eBay PayPal email address change scam, which brings the known tally of losses to in excess of three quarters of a million pounds. The attack took place over the weekend of the 19th to 20th of October.

Hackers targeted listings of the new iPhone 11 and, over the course of a weekend, around 600 orders were affected, with the electricals retailer losing at least £111,000 in a little over two days. The total loss could be four times this amount, or around half a million pounds. Additionally, a fake eBay sign-in page appears to have been used to harvest people’s details.

Typical of the scam, which has impacted dozens of smaller eBay sellers, the Currys PC World eBay PayPal email address had a letter changed from ‘[email protected]’ to ‘[email protected]’. The change is difficult for humans to spot, but computers treat it as a totally different address, diverting funds into the hackers’ account.
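The one-letter change described above is easy for software to catch. The added example below (not from the article, eBay or any listing tool) audits a listing export against the one payment address a seller expects and separates near-copies from unrelated addresses. The CSV layout, column names and addresses are constructed for illustration, and it assumes the seller can export each listing's payment address.

```python
import csv
import io

# Constructed sample data: the address and column names are hypothetical.
EXPECTED = "payments@retailer.example"
SAMPLE_CSV = """item_id,title,paypal_email
1001,Phone 64GB,payments@retailer.example
1002,Phone 128GB, Payments@Retailer.example
1003,Phone 256GB,payments@retai1er.example
1004,Laptop,someone@elsewhere.example
"""


def normalise(addr):
    # Assumption: addresses are compared ignoring case and surrounding spaces.
    return addr.strip().lower()


def edit_distance(a, b):
    # Levenshtein distance: minimum single-character edits turning a into b.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_listings(csv_text, expected, lookalike_max=2):
    """Return (item_id, address, kind, distance) for every listing whose
    payment address is not exactly the expected one."""
    want = normalise(expected)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        got = normalise(row["paypal_email"])
        if got == want:
            continue
        dist = edit_distance(got, want)
        # A very small distance suggests a near-copy of the real address
        # rather than a legitimate second account.
        kind = "lookalike" if dist <= lookalike_max else "different"
        findings.append((row["item_id"], got, kind, dist))
    return findings


if __name__ == "__main__":
    for finding in audit_listings(SAMPLE_CSV, EXPECTED):
        print("ALERT", *finding)
```

Run on a schedule, a check like this turns a change that a person scanning listings would miss into an alert before orders are dispatched.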

“The Currys PC World eBay store is hosted by eBay with payments processed by PayPal. Over the weekend, the eBay store temporarily experienced issues affecting approximately 600 orders from our customers. This has now been resolved. We are very disappointed that this has happened and we’re working with eBay to investigate what has taken place. While we don’t host this website, we are providing affected customers with guidance on how to obtain a refund from PayPal.”
– Currys PC World statement to the Daily Mail

“The issue was resolved quickly and customers can continue to shop with full confidence. We are working closely with Currys PC World on an investigation into the matter.”
– eBay statement to the Daily Mail

“We are aware of this incident and are currently working to reverse any affected transactions. These funds should be in customers’ accounts over the coming days. If a customer has not seen their money refunded then they may need to raise an ‘item not received’ case via their PayPal account.”
– PayPal statement to the Daily Mail

Key here appears to be that the phones purchased weren’t shipped – otherwise it’s doubtful that Currys PC World would be getting their money back and would simply have lost their stock with no recourse… unless eBay treated them differently to the independent retailers who have found themselves in a similar position.

One thing is certain: eBay have a very serious reputational problem on their hands. They can’t simply trot out the same line telling sellers that they are at fault and need to secure their accounts. Advice that’s crept out has been to use business policies and 2-step authentication, but we’ve heard from some sellers desperately trying to secure their accounts that, due to bugs, they haven’t been able to set these processes up. In the meantime eBay seem powerless to stop PayPal email addresses being changed at will by hackers, and sellers simply don’t have the tools to protect themselves.

If Currys PC World can fall victim to this eBay scam, there’s very little chance that a small eBay seller will have the resources to protect themselves. How long will it take eBay to identify the gaping holes in account security and put steps in place to ensure an eBay PayPal email address can never again be changed by a hacker?

20 Responses

  1. Someone hacked into my eBay business account and changed the payment email address to their own, but only on 2 listings, so it went unnoticed. All payments have been rerouted to the fraudsters’ PayPal account instead of my company PayPal account, and eBay marked the items as paid and awaiting dispatch, so they were dispatched. The customer has received the product, and the payments for the products purchased have gone into the scammer’s PayPal account and not our company’s PayPal account. A total of £20399 has been stolen, the eBay report says. I can’t believe this has happened. I want this scammer brought to justice and I want my money returned. eBay are at fault, as this is an ongoing fraud that is happening to many sellers now, I can see by googling it, and they should have sent an email out to their sellers making them aware of this kind of fraud going on on eBay. They notified me last week that they thought a 3rd party had logged into my account, but I want to know why they only sent me this message and blocked my account last week and not in July when I was hacked. Instead the payments are just going to the scammer, and eBay is marking the items as paid and putting them in the awaiting dispatch section, and I’m thinking they have paid and everything is as normal. My eBay account name is sonnics and my company name is sonnics.ltd. Our PayPal email address is [email protected] and they changed it on 2 listings to [email protected]. I have checked this info for the domain bought, somics.co.uk. It was bought the same day they started taking my payments for my items. I have just investigated, so you have to pay with debit or credit card to buy the domain and give your details, so their details should be there? WHOIS LOOKUP somics.co.uk is already registered* Domain name: somics.co.uk Data validation: Nominet was able to match the registrant’s name and address against a 3rd party data source on 18-Feb-2019 Registrar: Namecheap, Inc. 
[Tag = NAMECHEAP-INC] URL: https://www.namecheap.com Relevant dates: Registered on: 03-Jul-2019 Expiry date: 03-Jul-2020 Last updated: 03-Jul-2019 Registration status: Registered until expiry date. Name servers: dns1.registrar-servers.com dns2.registrar-servers.com WHOIS lookup made at 19:53:25 30-Sep-2019 — This WHOIS information is provided for free by Nominet UK the central registry for .uk domain names. This information and the .uk WHOIS are: Copyright Nominet UK 1996 – 2019. You may not access the .uk WHOIS or use

    This has happened to many sellers since the beginning of 2018, yet eBay and PayPal have not informed their sellers of this scam or have not taken any extra security measures to prevent it happening to any other sellers on eBay. They obviously don’t really care about their sellers and their marketplace being safe. They need to be held accountable, and all of us that have had this happen to them need to come together and take action against eBay and PayPal because they do nothing.

  2. Blaming eBay for this is hilarious, misreporting to the extreme. The only person at fault here is the companies who have their account compromised and aren’t using proper protection, in this case Curry’s

  3. We have proper protections in place, Mr Smith. All avenues now point to this being an inside job within the UK or those restricted to eBay UK access behind the firewall. Nobody can protect against straightforward theft and fraud like that. The single level of protection that should have been implemented when first discovered was to send an email alert of a change of information. Why this was not already built in is a very serious question the money laundering investigators are asking. eBay maintains the field on the platform that directs where the funds should be paid to. It is not a third party matter and eBay will inevitably have to face the music on this. They are responsible for the maintenance of that critical data. The more they try to bury their heads in the sand the more it builds up. I suspect they have done listing searches and found a very extensive problem, and an expensive one to correct. I also suspect that they have not alerted thousands of sellers of inconsistencies in PayPal email addresses for sellers with multiple listings and it is THAT which is stopping them owning up. They know now who has been affected, they know now who is still being affected, they are failing to alert people and probably been failing for a couple of years. There is a hint they are trying a tactic of alerting a possible unauthorized access message, but not giving any details of the known changes eBay can see but fail to alert. They have a major incident here and with the likes of PC World being hit, will not be able to sweep this under the carpet any longer.

    And Mr Smith, trying to sell the eBay line that it must be the account holder’s fault? Really? Are you paid to engage in some futile effort to try and spin eBay out of this? You are making a bit of a fool of yourself trying to troll this one!

  4. Time for ebay to suspend email address amendments and force some proper security measures onto users, even if that means holding up a passport and user ID on a video call.

    It may well be the fault of the companies concerned for clicking on a link they believed to be from ebay, but it’s ebay’s reputation that is on the line, so you’d think they’d take it more seriously.

  5. It does not need any weird and wonderful security or two step verification.

    It just needs any payment alterations to be suspended for 3 days until the buyer receives an email asking if they authorised the alteration.

    But the problem is when the person has managed to compromise the person’s information they normally have all their passwords and info on everything including their emails, so ebay messages should be changed to enforce ebay messages from ebay are held on the system unable to be deleted for the same period.

    As a friend recently made the error of calling a number on his screen when his pc seemed to be locked and they helped him for over 2 hours.

    Oh yes!! Getting him to click here, there and everywhere while of course someone was accessing all his data and passwords, eventually resulting in his various bank accounts being emptied of all his late mother’s inheritance, over £70,000. A message came to his mobile saying did you authorise these payments 25 minutes later, and he rang them instantly only to be told oh sorry it’s already gone.

    Fortunately he kept all texts and phone records and the banks are having to repay him as the money went to Nepal then elsewhere in just minutes.

    The online authorisation was answered by the criminals.

    But ebay actually have their own system for messages and so can be safer than that.

  6. Maybe they will wake up now a big name is involved? You can bet your bottom dollar that Currys are kicking up a stink about this. Margins are thin and nobody likes to lose money or be associated with a company that has a bad security reputation. The fear will be that buyers will perceive their money as being unsafe and will buy elsewhere.
    Of course as usual the response from ebay is still muted…. just the same old dribble that doesn’t go far enough. If the law stated they were liable for the losses though… they would be on it like an ant on a sugar cube.
    I asked if it could be set so that I was notified by text if my payments address was changed… I was told that it wasn’t possible. Strange as several other financial places I use etc have all found a way. Hell even my browser tells me if I log in from a computer it doesn’t recognise!

  7. never really understood why payment email address was listing specific; why not just make it part of the account settings … you’d soon notice if no money was coming in!
    (or am I missing something?)

  8. Fingers crossed, I have not been targeted yet. Then again, I sell 10 items a day maximum. At the end of each day I check the money is physically in my Paypal account (and also to cross reference shipping addresses). If the money isn’t in my account, then nothing is being shipped.

    For a big business this would obviously be very hard to keep track of. For this reason I think big sellers will think twice about selling on eBay until this problem is resolved.

    Very simple fix, remove the totally unnecessary option of a different Paypal address on each listing. There is no reason I can think why anyone would need different Paypal addresses for the same user ID. If you were genuinely wanting to separate your sales income in this way, it would be better to create separate eBay accounts with their own unique Paypal address.

  9. One reason why some companies would need more than one PayPal account is for those sellers that have a regular PayPal account and also have a PayPal Micro payments, as PayPal require the seller to have a separate account for Micro payments…. Clearly not applicable for big businesses such as Curry’s.

    I think the simple method is to have an extra option in the registration details, where you need to register your PayPal payment email addresses, which can only be changed and become live perhaps 7 days later….. But still if the hacker has all your details then it would be just another waiting game for the hacker.

    Another benefit of registered PayPal accounts on the eBay account is that they could be locked and set as a default behind extra security features with a lengthy process to amend the details…. But when listing, you have an option or a drop down box for picking the payment account, if having more than one to choose from.

  10. I use Linnworks and am lucky that they have the payment verification. You set your PayPal e-mail address in Linnworks exactly the same way as you do on eBay. If someone hacks into your eBay and changes it, an order would be downloaded with the wrong PayPal address and it would be flagged up and you would receive a notification. This order can then not be processed automatically. Unless they hack both your Linnworks and your PayPal and do the whole thing twice.

  11. How do you check all your live listings to make sure none have been changed to a fraudulent paypal account?

    Having the ability to run/download a report should give you peace of mind.

    I was hacked two years ago. I reported the details to the police, who were powerless against paypal who refused to divulge the owner of the fraudulent paypal account.
