From overpayment to shipping scams, what are some of the most common threats that merchants using PayPal should watch out for?
With a total payment volume of US$247 billion, PayPal remains one of the more popular online payment providers among major brands and a variety of smaller businesses and vendors. Indeed, the payment giant boasts 28 million registered merchants on its platform.
However, compared to major, big-name companies like Sony or Microsoft, smaller vendors, especially those that sell items as a sideline, don’t have the luxury of having a whole army of cybersecurity professionals manning their cyber-defenses. As a result, smaller vendors are a lot more susceptible to various forms of fraud and cyberattacks that threat actors can fling their way.
One of the popular scams that vendors will have to contend with are overpayment scams. In this scenario the crook masquerading as a regular customer will send a PayPal payment that is more than the price of the product or order. They will then notify the seller that they made a mistake and sent more money than they were charged and ask the merchant to wire them back the difference. Once that has happened the scammer will then contact PayPal and file a grievance citing various reasons such as that the product delivered was of inferior quality or that their account has been compromised and they didn’t purchase anything. In the case of the latter you might lose both money and goods if the scammer becomes eligible for a full refund
Alternatively, the cybercriminal may very well have used a compromised PayPal account or credit card. If and when the account/card holder realizes that there has been unauthorized activity on their accounts, they will report it, and you will lose the product you sent and the payment as well as incurring the shipping costs.
Mistakes do occur from time to time, but in the case of overpayments it’s better to err on the side of caution. More often than not, overpayment may be a clear sign of fraud, so your best course of action is to cancel the order.
Is it – or is it not – delivered?
There are various forms of shipping scam tactics that fraudsters use, all of which have one common goal – to make a dent in your wallet. For example, a scammer may try to convince the seller to use the scammer’s shipping account because they can get a discount or offer a better price than one of the usual delivery services. However, if a seller agrees to that, the crook can easily ask the shipping service to reroute the delivery to another address; this allows them to open up a complaint and claim that the goods were never delivered. The vendor doesn’t have proof of delivery and that means that they incurred a three-fold hit to their wallet – they are out of the product, paid for the shipping fees and have to compensate for the lack of delivery, although they in fact, did send the product.
RELATED READING: PayPal users targeted in new SMS phishing campaign
Another common tactic is rerouting scams where the fraudster intentionally gives the wrong shipping address, and patiently surveils the online tracking information. Once the shipping company adds a tag that the package couldn’t be delivered, the scammer contacts them with their “correct” address and receives the product. Since there is no proof of delivery, the same scenario unfolds, and the seller gets a triple whammy.
To protect yourself from these kinds of scams its best to stick to your shipping account and avoid transferring money to someone you don’t know. You should also always ship the product to the address that the buyer stated on the Transaction details page. Additionally, you can contact your shipping company and ban the buyer from rerouting any deliveries.
Good ol’ phishing
With PayPal being one of the most-spoofed brands in phishing scams, it is quite possible that a seller may become a target of one. One common scenario that may occur is that the vendor will receive an email informing them that their PayPal account has been suspended, which may cause them to panic if the account is one of their major sources of income. The email may cite various reasons including that there has been unusual activity on the account and for all intents and purposes the email may seem legitimate, having all the bells and whistles needed to pass off as the real thing. For the seller to get their account up and running again, they’ll have to complete the steps outlined in the fraudulent email, which is usually a ploy to steal sensitive data and account credentials. If the target falls for it, the scammer will get their grubby hands on the email address, passwords, and maybe even more, or alternatively the email may include a link that will download malware onto the victim’s device.
It’s always best to scrutinize any unsolicited email you get, especially those that appear to be customer service inquiries. If you have doubts, you should always contact the company directly through the official contact forms on their website; better safe than sorry. Using a spam filter and a reputable, up-to-date security solution should protect you from most phishing threats too.
While this may not be an all-encompassing list of the various scams you can stumble upon as a seller on PayPal, they are some of the more common ones, which will give you a general idea of what to watch out for. The most important thing is to remain vigilant and have a healthy amount of suspicion if something out of the ordinary occurs. The best advice would be to always verify anything and everything that might raise your eyebrows in suspicion, be it a special request or an unsolicited email.
written by Amer Owaida, ESET We Live Security