We’ve heard back from Tamebay reader Iain who was one of those who feel victim in the eBay scam when a fraudster changed his eBay PayPal payment email address and at the time he lost around £8,000. Now it’s happened again.
Since being scammed the first time, Iain badgered eBay to help him set up payment polices but in themselves this is still not a secure option. It’s all too easy for a scammer to change the policies for a couple of hours and then change them back making it hard to notice the money dribbling out of the account as it’s not continuous.
Having just come back from a week’s holiday, Iain did a check and sure enough a new payment policy has been set up on his eBay account, although when spotted it wasn’t assigned to any listings. After a call to PayPal he discovered that there is a balance on the fraudster’s PayPal account so his worst fears have been realised – it looks like he’s being scammed again.
Naturally PayPal won’t divulge how much is in the account so Iain is waiting for eBay to supply a spreadsheet of transactions where the payments were diverted. On the plus side, this time around it’s only been running for 10 days at worst so losses will be limited. The question now is what method can be used to retrieve the funds from the fraudster’s PayPal account and return them to Iain, or will they end up simply being paid out to a fraudster as has happened in the past.
It’s worth noting that Iain has not been using 2-step verification – there are 7 employees who work on his eBay account and sometimes they’ll be at work before him and sometimes he needs to work from home in the evening. A text message to authenticate every log in simply isn’t practicable as it will only go to a single mobile phone and it can’t be in two places at once.
Today Iain has been looking at the possibility of ignoring text message 2-step verification messages as they come in as it’s then possible to request access to the account via email, but the option to do so appears to be missing when he’s tried to log in this way.
It’s fair to point out that we stopped writing about this eBay scam when readers stopped contacting us to say that they had fallen victim which tends to suggest that eBay have got a grip on the problem. We were being contacted daily, sometimes multiple times a day but Iain is the first to contact us for three weeks.
We’re hoping that this is a one off but it does demonstrate that it’s still possible for sellers to be compromised. If you’re not already using 2-step verification on your eBay account we would strongly recommend that you do so. Full instructions on how to set it up are available here.
12 Responses
Two tips:
You can automatically forward text messages through an online third-party client. Just add the mobile numbers of those staff you want to access your Ebay account. It’s easy to add or delete individual workers’ numbers to the client as required.
Have the both the Ebay and Paypal apps on your phone, and just compare sales on the Ebay app with income on the Paypal app. If every business seller did this two or three times a day (takes 2 mins at most) and enabled two step authorisation, the pickings from this type of fraud would be so slim that the problem would quickly become minimal.
And smaller sellers should be checking their Paypal account after every “ka-ching”. It’s not rocket science.
This type of fraud hasn’t happened to me, but if it did then I’d discover it straight away because I check my Paypal account before I post each item. Apart from anything, sellers should be doing this in case a buyer has included a message with their Paypal payment.
And if it did happen, I would be tempted to just notify the buyer that I hadn’t received funds for the item, and suggest the buyer take it up with Ebay. I’m pretty sure that the buyer be able to get a refund from Paypal. I’m not a lawyer, but I’m sure that if a fraudster had manipulated the credit card system, such that the vendor didn’t receive the money, and then sent a convincing “payment confirmation” email to the vendor, that vendor wouldn’t have any legal obligation to supply the customer.
Add two step and forward your texts to a mail client through a phone app. That’s what we do it works fine.
Only issues is eBay’s 2 step is awful and regularly breaks for us meaning we have to turn it off periodically, they texts just don’t come through and when we disable and re-enable we get an error in the admin for a few hours. So it’s far from perfect, perhaps due to the number of requests we are sending as we have quite a lot of staff.
Unfortunately it may be a question of not hacking but staff divulging information allowing access.
In a recent industry assessment of security the ebay account hacking was shown to actually not exist. The information showed all access had been granted through phishing emails or messages.
eBay need to set up a system for payments to just one person as even staff do not need to alter that.
We lost over £9K on this scam over the course of about 7 months. Since enabling 2 step verification and periodically refreshing payment policies we appear to have cut access from the fraudsters.
I think it is disgusting the way EBay have handled this. They have denied all responsibility and blamed the sellers personal security as the issue.
Simply put, without 2 step verification, your account is NOT safe!
On other platforms 2 step verification is mandatory. However, due to EBays out of date, archaic system, users are forced to share a single account. This means without workarounds the 2 step verification is just not a feasible option. Not to mention any internal staff having complete access to all elements of the account including payment policies and account information!
The best current workaround for this issue is a text forwarder on the registered phone. Any other users can be added to the list and all will receive a code when requested. This does however get complicated when you have multiple employees that log from different locations.
In summery, EBay are a joke at the moment. Pushing all accountability onto the seller and taking no responsibility for their poor system. Between this, the current outages, plus the current issues with sales stats not being logged, i am very unhappy with their service and I’m beginning to wonder why we pay such huge selling fees.
Also, as our sales data shows a big EBay drop and a rise in Amazon and personal site sales, I would say the poor performance is effecting customers too.
Is there not any reason why ebay can’t simply email and text you if your papypal address is changed? With my bank when i change anythingonline i get a message to tell me… Yes it may not be in stant, but surely if you discover a change even a day later, it helps stop the ‘trickle losses’ over several months.
I really don’t under stand why they don’t do this? I know it isn’t a perfect solution, but surely it is a simply but very effective one generally?
I do wonder why ebay doesn’t utilise the use of authenticator apps.
I use them for Amazon and other online situations, but ebay seem to have forgotten about them.
I had to try and turn off the 2 step again today on my personal account.
The text messages didn’t arrive and then, 3 at once, one saying that it had expired as it took half an hour.
Couldn’t use the app as that’s linked to my business account.
A PIA ebay.
How does one check for this fraud historically, given eBay’s 18 month reports limit?
Does anyone out there have any ideas? If I wanted to go as far back as 5 years and cross reference sales to PayPal email addresses I cannot find a way of doing this whatsoever.
Any help will be appreciated.
My hardworking 19yr old daughter sold an iphone xr 64gb on a site called depop and the payment went through paypal . The scammer asked my daughter to send it to her work address, she said she worked for Barnardos Charity. My daughter didnt think anything of it .The scammer put 625 into my daughters paypal account and it said pending delivery. My daughter then posted the very expensive iphone and sent a copy of the delivery receipt, as soon as she showed the scammer the receipt Paypal sent a message saying the buyer has been refunded.,so now the scum has got my daughters iphone . The scammer has messaged my daughter saying thanks for the phone and even said to mydaughter if she sends the scum nude pictures she can have her phone back.
Paypal will not help us at all, they said because my daughter sent the iphone to a different address from the paypal address they basically said my daughter was stupid for sending it to the ladys workplace. Her name is Raswana Kauser and she is inolved with a Rayyin Hussain and a lady named April and a lady names Megan Eve Kibble, they are all in it together. The Barnados in west bromich is where all the scammers are getting the goods delivered and the man I spoke to who works there said there are parcels arriving everday. Please be warned.
Please can anybody help us as it is so wrong .
Please be warned. Thank you x