Internet Fraud at PayPal

March 2003

The bad news is that as of this morning I'm thousands of dollars poorer. The good news is that I have a readymade topic to write about this month.

I had really hoped that I'd never be writing a first-person account of Internet fraud. But it happened. Someone gained access to my PayPal account and within six minutes had charged the maximum on my credit card and had also nearly wiped out my checking account.

The most amazing thing was the response I got from my credit card company and PayPal--sort of an all-in-a-day's-work attitude. Naturally I asked the guy at my credit card company whether I was liable. He made a joke. And then told me there would likely be no liability for the $6,000 withdrawn from my credit card.

He closed my account and issued me a new card, saying it would arrive via UPS the next day. Business as usual.

At PayPal I had to fill out a form reporting those unauthorized credit card charges as well as the withdrawals that nearly emptied out my checking account. I was required to fill out a form, print and sign it, get it notarized, and, irony of ironies, send it to a processing bureau via snail mail before the investigation could begin.

I was first alerted to the problem when I received an automatic e-mail notification from my credit card company. I have my account set up so that I receive a message each week if there's been a charge for more than $500.

I saw the message, didn't remember having made a charge, gulped, and logged into my account. Big shock to see the huge charges and very little credit left.

How did they do it? I still can't figure it out. After all, I'm Mr. Internet--I'm too savvy to get scammed, right?

There's a common PayPal scam in which you receive an e-mail purporting to be from PayPal saying that your account needs to be updated, asking you to log onto your account, and giving you a link to do so. Clicking the link takes you to a page that's identical to PayPal--but it's fake. And they've captured your password.

The first time I got this scam it was very convincing, but I didn't fall for it because I was alerted to it by an Internet site that I had recently visited. Instead of clicking the address, I simply went to the PayPal home page and logged in there, figuring that if I needed to update my account the alert would come then. It didn't. Clearly it was a scam--and I had avoided it.

There doesn't seem to be any possibility that I was duped or did anything wrong. I have a unique password for that account. It seems simply that they either broke into the PayPal system or somehow guessed my password--8 digits with a combination of letters and numerals.

I think I will likely get my money back since it's such an obvious fraud: a transaction that took place at 3 a.m. and that went to someone with an account in Micronesia. But it's going to take some time, and I've already spent a couple hours dealing with it.

What advice do I have for you? Don't ever respond to an e-mail that asks you to log into your account unless that login address exactly matches the address of the web site where you have an account.

In addition, I now think it's not a good idea that PayPal had my checking account information. PayPal is a great service and makes it very easy to transfer funds between buyers and sellers, and it's widely used on eBay. But I wish I had stuck to having PayPal use my credit card for the transactions. It just seems easier dealing with credit card matters.

Federal law gives you some protections. If you lose your credit card and report it before someone has used it, you don't have any liability. The law also stipulates that if someone has made unauthorized charges, you're not liable for more than $50--if you report it promptly. That's why I'm glad I have an Internet account set up to track my credit card activity. You may want to consider doing that. I think most credit card companies offer that service now.

Also, most credit card companies will simply remove unauthorized charges, though again you must report them as soon as you discover them. My company said that they're sending me an affidavit that I have to sign and send in.

You can find out more info on Internet fraud at www.fraud.org.

Part 2. Getting my money back.


© 2003 by Jim Karpen, Ph.D.
