Common PayPal Scams & How to Prevent Them
Table of Contents
- What is PayPal?
- How PayPal Scams Work
- Advance Fee PayPal Scams
- Verifying Your PayPal Account Scam
- “You’ve Been Paid” PayPal Payment Scams
- Overpayment Scams Using PayPal
- Spoofed PayPal Website Scams
- Charity PayPal Scams
- Order Confirmation PayPal Scams
- Smishing PayPal Scams
- What to do if You Get Scammed on PayPal?
- How to Detect a PayPal Phishing Email Scam
By David Lukic
Oct 12, 2020
PayPal is one of the top digital currency exchanges in the world. Nearly everyone has heard of PayPal and has used it at least once to receive or make a payment. Many online vendors allow payments through PayPal. The platform’s reach and trustworthiness also make its users enticing targets for PayPal scams and fraud.
What is PayPal?
PayPal operates as an intermediary between participating businesses and banks. By making purchases through PayPal, users avoid the dangerous act of giving their credit card or bank numbers to every site they shop at.
PayPal was founded in 1998 by Max Levchin, Peter Thiel, Luke Nosek, Ken Howery, Yu Pan, and Russel Simmons, and was originally called Confinity. After its IPO in 2002, it became a wholly owned subsidiary of eBay, the community marketplace. By 2018, PayPal ranked 222nd on the Fortune 500 of the largest United States corporations by revenue.
All sales and purchases made through eBay go through PayPal. In 2005, PayPal acquired VeriSign to add to its e-commerce platform and provide security and confidence to its products and services. As of today, there are more than 360 million people with PayPal accounts across 200+ countries. That is a huge customer list providing plenty of targets for scammers on PayPal.
How PayPal Scams Work
PayPal, although very popular, is not the most secure payment service around. PayPal is well known, so that makes it easier for scammers to trick unsuspecting customers using phishing emails, malicious websites, fake social media ads, and spoofed links.
PayPal frequently sends out emails and text messages to its users. This allows criminals to study the platform’s style and tone and recreate it in their scams, which makes it harder to distinguish legitimate communications from cyber threats.
The scammer’s goal is to bilk money or personal information out of people. Everyone is at risk, including businesses, self-employed persons, and even individuals who only use PayPal for personal payments. Sometimes they want your username and password; other times, they simply get you to pay for things you never wanted. Some of the most common scams through PayPal are:
Advance Fee PayPal Scams
There are many variations of this one, some linked to “Nigerian Prince” or 419 scams, but either way, the result is the same. You receive an email claiming you won an absurd amount of money or a huge prize. The only catch is that you have to pay the shipping, taxes, or fees, and then your money will be delivered to you without delay. Of course, it’s a lie. In the process, the fraudsters may also collect personal information about you (name, address, phone number, driver’s license number, social security number, etc.) to use for identity theft later. Once you pay the fee, you never hear back from them again, and you have been duped. They use PayPal to extort the funds from you because recouping lost funds is more difficult through this service.
What to Do and How to Respond to Advance Fee Fraud
First, if you receive an email that looks like it comes from PayPal, investigate the real “sender’s email address.” Unless it comes from paypal.com, it’s not legitimate. If they ask you to click a link, fill out any forms, or pay a fee, it’s a scam. Do not give out your information to anyone who requests it. Remember, if it sounds too good to be true, it probably is. No one gives you millions for nothing.
Verifying Your PayPal Account Scam
Again, there are different versions of this one, but the objective remains the same. You receive an email that looks like it came from PayPal (with all the logos and fonts just right), but it says there is a problem with your account, and you need to click the link to verify it or fix it immediately. You click the link and are taken to a fake website that mirrors PayPal, you enter your credentials or other private information, and now the hackers have it! Sometimes they promise to waive fees or other freebies to get you to click, but don’t fall for it; it’s a scam.
How to Avoid PayPal Account Scams
It’s important to note that the text of a link in an email can easily be faked and can actually take you to an entirely different location. So, never trust the text you see. Instead, hold your mouse over the link to see where it really goes. PayPal will never ask you to provide your login credentials except on the login page. Sometimes, to panic users, hackers will use language like “your account is about to be suspended” in hopes that you will click without thinking. Instead, log into your account from a new browser window and check on things that way.
Other Ways to Avoid PayPal Account Scams
- NEVER click links in emails, even if they appear to be legitimate. Go to your web browser and type in paypal.com and then log in to your account.
- Forward all spam emails that appear to be from PayPal to firstname.lastname@example.org so they can investigate and shut down the cybercriminals.
- Additionally, forward the same emails to the Federal Trade Commission.
- Never provide personal details or logins to anyone you don’t know.
“You’ve Been Paid” PayPal Payment Scams
Another popular type of fraud is when scammers send you an email that looks like it came from PayPal, saying you have been paid. You then ship out the goods and find that you were never paid for the item. Because PayPal does send out emails when you use the eBay system, they hope this fake will trick you into thinking you’re all set, so you ship without verifying. Now you are out the money and lost the item in the process. These types of data breaches occur more than you think.
What to do with PayPal Payment Fraud
Never ship out any goods before logging onto your PayPal account (from a clean browser window) and making sure you were paid.
Print the shipping label directly from eBay, so you don’t end up sending your valuables to a fraudster. Do not ship to any alternate address that they request through email. This is a big red flag that it is a scam.
Watch out for these types of emails. Look for improper grammar and always verify the sender’s email address to ensure it really came from PayPal.
Overpayment Scams Using PayPal
The overpayment scam is a whopper. PayPal outlines a typical scenario. You receive a spoofed email that says “that you’ve been paid $500 for a camera you listed at $300! The sender asks you to ship the camera in addition to the extra $200 you were “paid” by mistake. In this example, the scammer wants your camera AND your money, but hasn’t actually paid you at all.” Now you have lost your camera and an extra $200. Don’t fall for this cruel trick.
Scammers may also initiate this scam by paying with a stolen bank account or card number. They will then ask for the refund to be sent to their personal account rather than the one they used to make the purchase.
Spoofed PayPal Website Scams
Spoofed websites are becoming more popular among cybercriminals. They've even surpassed malware websites in number.
Imitation sites are more of a tool and end goal than anything else. Targets are sent to them through malicious links in malicious emails or text messages. While there are methods to forcibly redirect a browser to fake websites, those attacks require a previous instance of breached security.
PayPal has a very unique interface and is recognized through just a few features. Those are the platform's signature shade of blue and the 'P' logo. If a website closely imitates these features, then most people won't notice.
The easiest way to know if you're on a spoofed website is to look at the URL. Scammers will use a URL that looks highly similar to the legitimate site, but it's always different. A common tactic is to change the top-level domain (.com, .org, .net, etc.).
However, knowing how to recognize suspicious communications will prevent you from ever visiting a fake PayPal website in the first place.
Charity PayPal Scams
PayPal scammers often create fake charities to steal money from users. This tactic is particularly malicious since it plays on people's empathy and good nature to defraud them. Charity scams often leverage emergency situations or tragedies like 9/11 to guilt their target into contributing.
Depending on the sophistication of the scam, fraudsters may even create a website and contact information for their fake charity. The scammer will link you to these channels to gain credibility.
The rules for avoiding charity scams on PayPal are the same as everywhere else. The best thing you can do is NEVER make a spur-of-the-moment donation. Confirm their legitimacy through organizations like the Wise Giving Alliance, which only back documented and proven charities.
Order Confirmation PayPal Scams
Most PayPal phishing email scams impersonate PayPal. This approach puts the scammer in a position of power and trust (if their target believes them.)
Fraudsters create a false email address that looks like it's from PayPal. They'll use this email to send out order confirmations to any number of PayPal users. This message will provide a link saying, "login to PayPal to track your package."
This link leads to "spoofed" copies of PayPal's website. If the user isn't attentive or is in a rush, they may not notice the minor problems that should tip them off. Differences like a slightly different URL or interface become apparent if they take their time and observe the site. If they input their login credentials, then that information is given to the scammer to do whatever they want with it.
Of course, the user is confused because they didn't make the order. If they panic, they may assume that someone has stolen their PayPal credentials and is making fraudulent orders. This fear causes them to click on the email link and log in.
Smishing PayPal Scams
Notifications can be more than just a slight annoyance. This rings especially true if the notification is about your financial activity. Nothing makes the heart sink more than a financial institution reporting potential identity theft on your account.
Fraudsters leverage the anxiety this situation causes with smishing attacks. Smishing refers to fraudulent text messages that trick people into revealing sensitive information.
There are many types of fake alerts that scammers use. Some will say there's been unusual activity, and others will report an unidentified login attempt. The common link between smishing attacks is that their final goal is to coax the target into entering a suspicious site and inputting their personal information.
Avoiding PayPal smishing attacks is simple once you know the platform's policies. While PayPal occasionally sends text notifications, they are only used for two-factor identification purposes.
What to do if You Get Scammed on PayPal?
If the scam involved a payment on your end, then ALWAYS check the payment status first. It's possible that you can void the transaction if the seller hasn't picked it up. However, scammers will usually accept immediately to avoid this.
So, if your payment has gone through before you can cancel, the next step is to open a dispute with the other party. PayPal will investigate the circumstances and choose a side. However, it's possible that scammers can trick PayPal into taking their side as they're more familiar with the weaknesses in PayPal's refund policies.
By making their product descriptions as vague as possible, they can make the case that their product meets the advertised promises. Another workaround is to make the cost of shipping the item back more expensive than the refund.
If working through PayPal fails, you can contact your bank directly for a chargeback. Banks are much more likely to side with their customers since they don't have a connection with the other party. PayPal also can't ignore a demand from the bank.
For scams that target a victim's personal information, the best thing to do is learn the strategies and stay vigilant.
Never trust the information that comes through in an email. Always log into your eBay or PayPal account and verify payments and fees before you ship anything.
Be on the lookout for spoofed emails and examine the sender’s email address to find out where it really came from.
Report these and other scams to PayPal so they can investigate and catch these criminals.
How to Detect a PayPal Phishing Email Scam
PayPal only sends emails for payment notifications and special offers. Any other information regarding your account is sent through the platform’s “message center.” This means that any communications involving a compromised account won’t be sent through email.
Additionally, all official PayPal messages address you by your name or your business name. Be suspicious of messages that address you as “user,” since that could be a sign that the email was sent out en masse.
Remember that PayPal won’t ask you for sensitive information like your password, bank account, or credit card. Their messages will also never contain any attachments or ask you to download or install any software.
If you still can’t tell if an email is legitimate, then check the sender's address. A PayPal email scam won’t come from the address paypal.com. Scammers can easily fake the “friendly name,” but it’s more difficult to fake the full name. Instead, a sender will lengthen the name to something like “PayPal Service (zxk1942R3@gmail.com).” This is a definite sign that the email is not a message from PayPal, and you should immediately report the source.