PayPal is one of the leading and popular platforms, allowing fast and secure online money transactions. Unfortunately, it is on the hit list of scammers, making the site extremely risky for users. These scams mostly appear as official emails from the platform.
Consequently, many people get victimized and lose valuable information and money. This guide elaborates on the top PayPal frauds you may encounter and the effective ways to spot and avoid them.
Common scams on PayPal – Quick list
- Problems with PayPal account – the scammer sends a false warning about PayPal account closure or blocked payments.
- Fake messages seeking advance payments – the scammer lures users by offering a huge lottery win or selling fake products in exchange for an advance payment.
- Invalid shipping address issue – posing as a buyer, the scammer aims at stealing money from the victim’s PayPal by falsely claiming that the ordered product never arrived.
- Zero-day operating kits – the scammer may use sophisticated techniques, such as vulnerability exploits or abusing legitimate but stolen email accounts, to steal money.
- Fake donations – it’s a common PayPal scam where the scammer seeks money as donations for fake charities.
15 top PayPal scams – Detailed analysis
1. Problem with your PayPal account
It is possibly one of the most persistent scams we can find today.
In such cases, normally, a user receives an email stating a problem with their PayPal account or that the account will be closed.
Next, the scammer requests that you act immediately to solve the problem. For this, the usual thing is that a link is provided through which you have to log in to the account.
Logging in through the provided link hands your credentials to the thieves, who can then empty the account if you have any funds, or shop with your attached cards, before you notice anything.
There are a couple of aspects that you should consider to avoid falling into such a scam.
Please remember PayPal never asks anyone to enter their username and password in a link sent through email or message. You only need to do this on the company’s home page or in the app.
Thus, you must look closely at the message sender’s email address.
The scammers mostly use an email address that looks similar to the official addresses, with slight misspellings and stylistic variations.
2. Identity fraud
It is a scam similar to the previous one, which is also quite widespread. In this case, users are told that there are problems with their account or it is suspected that someone has accessed it from an unknown location.
Then again, in this case, the scammer asks targets to enter the account details by clicking on a specific link provided in the email.
Once someone fills out the account detail page (which again looks identical to the official PayPal page), their PayPal account credentials fall straight into the hands of hackers.
The takeaway from this is the same as in the previous case: PayPal will never communicate with you in such a way, nor will it provide you with a link in which you have to enter your account details immediately.
In addition, if you look closely at the email address that sent the message, you will notice that it is a spoofed email address – a fake email address such as asdksdjh@gmail.com that has nothing to do with PayPal.
3. Advance payments
It is possibly the oldest scam we can find on the net. However, the surprising thing is that there are still people who fall into it.
Here, you receive an email saying you won a lottery or received some inheritance.
In either case, the user is told he has won a massive amount of money, but to have the paperwork done, he must make a certain payment through PayPal.
Never get excited or bother replying to such emails; blocking that email address and marking it as spam is the best way to deal with this scam.
4. Paid more for a product via PayPal – Seller
This is one of the most recent PayPal frauds that we came across, which is very sophisticated and still goes unnoticed by many.
It has reportedly become popular with scammers because it is very effective. Users who sell products on platforms like eBay, among others, should beware of it. It works as follows:
- You sell a product on some website.
- The buyer makes the payment through PayPal.
- He pays an amount greater than what had been agreed upon or than the price of said product.
- The buyer then asks the seller to return the extra money he had paid.
Where is the trick this time? The buyer in question will request that the money be transferred to a different account than the one used to pay for the said product.
When that happens, the buyer (a scammer in this case) cancels the payment, which causes the seller to lose the overpaid money in addition to losing the money from the sale.
If you sell products on any website and use PayPal to receive payments, you must beware of this.
Normally, nobody is going to pay you extra money. If someone does, it is better to cancel said sale or payment and repeat it with the exact amount.
5. Scams on Craigslist and other classified sites – Seller
Even though most online businesses are secure, you should be cautious when selling things on classified sites such as Craigslist.
Sadly, a considerable number of people using these sites promise to pay via PayPal but never send a payment for the purchased goods. You may look for common signs of scam attempts, such as:
- The buyer cannot meet you in person for various reasons of his own (military in Iraq, marine biologist, etc.).
- The buyer asks you to send the item to his “delivery agent.”
- You get an offer of more money than you asked for.
- The buyer sends you only SMS and does not speak to you on the phone.
If you have received an email that appears to be from PayPal and indicates that you have received money, quickly look for the following signs to see if it is a fraudulent email:
- The email is addressed to you without using your first and last name (it will begin with a generic greeting such as ‘Hello, PayPal user’ or ‘Dear user’).
- The email says that the money will be “blocked” until you take action (for example, send money by Western Union or click a link to send a tracking number).
If any of the above situations arise, terminate communication with the potential buyer. Remember that Craigslist and other similar sites are designed for local sale/purchase.
There, in most cases, you can meet the person in real life, and a buyer who genuinely wants to buy something from you never hesitates to pay you in advance to get his goods delivered (they know how classified sites work).
Also, before reacting to any email, you can always see whether you received any money by logging into your PayPal account.
6. Shipping address change – Seller
If you have an online store or sell products on any website, an invalid shipping address or shipping address change is another common PayPal scam to consider.
The buyer usually chooses the shipping method from the available options at the time of purchase, and the seller complies and sends the product.
However, if your buyer happens to have a malicious motive, he will later contact the courier company without your knowledge to change the delivery address.
And then, after a while, he complains that the product he ordered never arrived.
Another variant of the same scam is for the scammer to use a delivery address different from the one shown in his PayPal account.
Then he will claim that the product never reached its destination, therefore asking you to reimburse the money.
That way, the scammer gets the product for free.
Since PayPal’s Seller Protection does not cover a shipment made to an address that is not on file, the seller loses both the payment funds and the item they shipped.
If you sell products online, make sure to look closely at the shipping address.
You should refuse to sell goods if the address is different from the one appearing in your potential buyer’s PayPal account.
Unfortunately, this PayPal scam is hard to avoid, and the seller is always at risk.
Still, if you can ensure there is the same address everywhere for the buyer, you can prevent scammers from claiming that the product never reached its destination in most cases.
7. The chargeback scam – Seller
If the buyer decides to scam you, even if you can prove your shipment, he can still reverse payment through his financial institution.
In such cases, the buyer asks his bank to cancel the payment with an excuse such as the fraudulent use of his bank card following a loss or theft.
Then, PayPal automatically debits the amount of the chargeback from your PayPal account, and even if your account balance is zero, PayPal will put it as negative.
After that, asserting your honesty regarding this transaction and proving the buyer’s wrongdoing will be a real obstacle course.
You must file a complaint about the scam and bring all the documents proving that you properly dispatched the item(s) to PayPal and the concerned law.
PayPal strives to limit these risks but keeps warning sellers of this danger. This PayPal scam, in fact, has more to do with an individual’s ethics; if someone goes this far to scam a seller, you can’t do much (at least instantly).
8. Phishing PayPal scam
Phishing is a technique by which cyber criminals design emails to deceive their targets and induce them to take action, which may involve downloading malware disguised as an important document (for example).
Victims can also be asked to click on a link that redirects them to fake websites where they are asked for sensitive information such as bank details and Amazon or PayPal credentials.
Most phishing email campaigns are executed at a large scale, targeting thousands of recipients.
Others, however, only target a well-defined category of people, such as business leaders.
In 2014, the APWG (Anti-Phishing Working Group) conducted a global study, which suggested that 54% of phishing emails targeted popular brands, including PayPal, Taobao (Chinese marketplace), and Apple.
The study indicated that phishers keep updating their approaches, seeking new targets in niche industry segments.
If you tend to pay attention to details, it is easy to spot and avoid phishing scams. In the case of PayPal, the spoof website URL that the scammers would ask you to click will have a misspelled domain.
For example, instead of PayPal.com, the scammer’s domain would be either PayPal.com or PayyPal.com and vice versa (we hope you get the idea).
9. Zero-day operating kits
This type of attack targets unpatched vulnerabilities in computer software.
The name comes from fewer computers being exposed to cybercrime attacks on the day the patch is released as users download software updates. Zero-day operating kits are often sold and purchased on the dark web.
While many anti-spam engines, email service providers, and clients have become adept at detecting spam messages, malicious texts sent through legitimate, high-profile providers are way harder to catch.
In 2016, Proofpoint analysts reported a potential attack on PayPal’s legitimate email services that enabled attackers to deliver malicious content using official emails.
Specifically, they observed emails sent with subjects like “You have got a money request” that appeared to come from PayPal.
In such a case, the sender does not appear to be fake. Instead, the spam gets generated by either using stolen accounts or registering with PayPal (using zero-day operating kits) and then sending emails to “request money.”
This is amongst the hard-to-spot PayPal frauds as the email coming to your inbox comes from an official account (the email ID that ends with paypal.com, for example, member@paypal.com).
However, you can avoid falling prey to it by following one simple yet effective rule for ensuring your internet security. What is that? I hear you ask. That is, never click links in the email.
If you ever receive an alert or notification from PayPal in an email, it is always best to log into your account directly and see the notifications or transaction activities yourself instead of clicking links in an email.
10. Legitimate-looking unofficial site hoax
One of the most frequent events where you can encounter scams online is when creating an account on a platform. You may find a link on a certain page to sign up for a service without knowing if that leads to the right destination.
What does the attacker get with this?
The victim registers on a page crafted to look legitimate, but in reality, he is giving the data to some cybercriminals. The data collected in such hoaxes include first and last names, email addresses, and bank details.
So, concerning PayPal, if you have to sign up with the service, make sure you do it by visiting PayPal.com directly.
11. Send money to friends and family
This is a classic PayPal scam. In such cases, the seller asks you to send the money as friends and family, with different explanations, such as that there will be no or lower PayPal fees if you do so.
However, this is a problem for the buyer. If the product does not arrive in good shape or you never even receive it, you cannot file a dispute with PayPal if you sent the money using PayPal’s ‘friends and family’ option.
So beware and never come to an agreement for friends and family payments with any seller online.
That is, of course, if you do not want to be deceived and receive a product that is not as advertised or, even worse, not even get one.
12. Fake PayPal services
Scammers have faked their names in the past. It is a common practice of people with malicious intent, both online and offline.
They would simply fake a name in the sender’s email, e.g., an email can pretend to be coming from “PayPal Services,” but in reality, it could be from qwertyaly@comail.com.
At first glance, you would not see the actual name; however, if you place your mouse cursor over the email sender’s name or click on the “Reply” button, you should be able to see the sender’s full name.
More sophisticated scammers can fake the full name to look like a valid sender, so be cautious (pay close attention).
As noted above in the zero-day operating-kit scam, although making sure that the email you received is from a legitimate account is important, it is not enough.
It is essential to check the complete email carefully.
And even if you click on a link provided in the email to get into your account, always check that the domain says “www.paypal.com” in your browser.
That said, here again, you must not click a link in the email; always visit PayPal directly, no matter what.
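The two checks from this section, the sender's real address behind the display name and the domain behind each link, can be run over a raw message. This is an added example, not PayPal's or this guide's own code; the function names and the three sample messages are constructed, and the parser assumes a single-part plain-text email.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL = "paypal.com"  # domain the page tells readers to expect


def is_official(host: str) -> bool:
    host = host.lower().rstrip(".")
    return host == OFFICIAL or host.endswith("." + OFFICIAL)


def triage(raw: str) -> list[str]:
    """Return findings for one single-part, plain-text message ([] = none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    findings = []
    # The display name is free text chosen by the sender; compare it with
    # the address that actually follows it.
    if "paypal" in name.lower().replace(" ", "") and not is_official(domain):
        findings.append(f"display name {name!r} but address is {addr}")
    # A From address on the official domain is not proof either, so every
    # link is checked regardless of who the sender appears to be.
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = urlsplit(url).hostname or ""
        if not is_official(host):
            findings.append(f"link leaves {OFFICIAL}: {host}")
    return findings


# Constructed messages. The sender addresses are the examples used in the
# text; the .example hosts are placeholders.
FAKE_NAME = (
    'From: "PayPal Services" <qwertyaly@comail.com>\n'
    "Subject: Your account is limited\n\n"
    "Log in at http://paypal.com.account-verify.example/login to restore access\n"
)
REAL_SENDER_BAD_LINK = (
    'From: "PayPal" <member@paypal.com>\n'
    "Subject: You have got a money request\n\n"
    "See the invoice at https://files.example/invoice before paying\n"
)
CLEAN = (
    'From: "PayPal" <member@paypal.com>\n'
    "Subject: Receipt\n\n"
    "View the transaction at https://www.paypal.com/myaccount/ after logging in\n"
)

if __name__ == "__main__":
    for label, raw in [("fake name", FAKE_NAME),
                       ("real sender", REAL_SENDER_BAD_LINK),
                       ("clean", CLEAN)]:
        print(label, "->", triage(raw) or "no findings")
```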
13. Fake donations
Online scammers even use tragedies to fool people with good hearts and make them send donations to fake charitable organizations.
Such scams generally arise when a natural disaster (such as a flood or an earthquake), a terrorist attack, or a refugee crisis occurs.
You must review the details of any charitable organization you want to help to ensure that your funds go to genuine victims.
14. Vishing (voice mail scam)
Vishing is one of the latest PayPal scams where scammers use an automated system to carry out voice calls, report problems on the account, and ask for information about it over the phone.
Let me share with you an example script of what you could hear in a Vishing call:
We are calling you from PayPal to inform about a possible fraudulent transaction in your account. Please enter your password to hear the details of the transaction. We need your immediate action to be able to block this transaction and secure your account.
Once you enter your password, scammers get the information necessary to access your account. That is obvious, right?
Therefore, never provide your account information to third parties unless it was you who initiated the conversation. Never trust the caller’s ID, even if it tells you that it is from PayPal.
On top of everything, PayPal never asks for your credentials via phone or email. Even if they need to verify the account, they would only ask you about the last few digits of your password or attached card.
To give you a better idea, the following are what PayPal will not ask you to send them over an email, message, or phone:
- Your full credit or debit card number.
- Your bank details.
- Your full name as registered with PayPal.
- A list of all your email addresses linked to the account.
- Your physical addresses.
- Your security questions and the answers.
- Your PayPal or any other account password.
15. Smishing (text message scam)
Phishing can also happen via text or voice messages to your mobile device.
Such phishing is known as Smishing, and in such cases, the scammer sends a text message to your phone number using a non-existent number or app.
In the case of such PayPal-targeted frauds, the type of message a target receives is usually like this:
Your PayPal account has been suspended due to suspicious movements. Contact us immediately at (then comes a phone number, for example, 1234 5678 90). You should speak us immediately.
Or:
PayPal: You have made a payment of 300 euros. If you did not authorize this transaction, call us at 1234 5678 90 at once. Thank you.
If you panic and call that number, you will be confirming to the scammers that you have a PayPal account.
When talking to you, the scammer will ask for your account information to transfer your funds to his account or steal personal information.
Always avoid such messages and check your PayPal account if you have any important notices from the service.
If you receive such texts, delete them and contact PayPal security experts at “spoof@paypal.com” and inform them of what happened so that they can give you the instructions to follow.
Some important facts about PayPal scams
The FBI recorded 467,361 complaints in 2019, an average of almost 1,300 daily, causing individuals and businesses to lose more than $3.5 billion collectively.
The most frequently received complaints were either phishing or similar ploys, extortion, non-payment, and non-delivery scams.
No one wants to become a victim, but given the evolving methods, hackers are trying to stay one step ahead of the general public.
On February 11, 2020, Vade Secure, the world’s leading provider of predictive email protection, released its Phisher Report (Q4 2019), which included 25 best-known brands on the list who have become victims of phishing attacks.
Per the report, PayPal remained the top brand targeted by cybercriminals, with Facebook coming second and Microsoft third.
For the second consecutive quarter, PayPal was the leading impersonated brand in phishing attacks. Although PayPal phishing decreased by 31% from the third quarter, transaction volume spiked by 23% from last year’s period.
In the UK alone, people lost over £1 million in PayPal frauds in the last quarter of 2019.
Checklist to keep yourself safe from common PayPal scams
Being able to sell and buy online is the luxury of this digital age, but there are some essential things you must know and do to keep your information, money, and yourself safer online. Here is a checklist of them:
If you are buying something:
- Make sure you buy only from reputable online retailers and websites.
- Check your credit card and bank statements carefully, always.
- Merely closing your browser after completing online shopping isn’t enough. Never forget to log out of the websites.
- Always double-check the complete details of all the goods before confirming payment.
- Stay away from offers that look too good to be true.
- Check every incoming email’s sender carefully to ensure an impostor did not send it.
- Make sure your device has the latest antivirus installed on it.
- Ideally, opt for using a quality VPN such as ExpressVPN so that your internet traffic becomes completely unreadable and your information stays shielded from potential scammers.
If you are selling something:
- Do not include any personal information while describing your items for sale.
- Always double-check that you have the funds in your PayPal account before shipping the item.
- Never make any of your personal details visible in the background of your items’ photographs (for example, your vehicle number plates or house number).
- If you have offered an item for personal delivery or pick up, try to meet your potential buyer in public and make sure to bring someone with you.
- Never come to an agreement to ship your products to an unverified address.
- It is always better to set up a separate email ID for customer service and sales so that your personal account remains private.
For what am I covered with PayPal protection policies?
PayPal revolutionized payment between individuals right after its launch in 1998. Now it helps in everything, including payment in stores or contracting services.
Therefore, you must know what items are covered and not covered under this online service should you fall prey to scams.
If it is a purchase, PayPal fully protects the buyer for any item that can be sent by mail and is not prohibited by law. This means that PayPal will return your money even if you cannot recover it from the scammer.
However, the online payments giant’s Buyer Protection does not cover certain products. These include:
- Real estate.
- Vehicles.
- Handmade items.
- Gift cards.
- Prepaid cards.
- Transfer of funds to family or friends.
- Anything bought locally in person and not online.
- Items the buyer received exactly as the seller had described in his listing.
Subsequently, PayPal Seller Protection can cover tangible and intangible items (services and tickets, among others) paid at once with PayPal and, in the case of tangible items that have been sent to the address registered during the transaction.
As in the case of a buyer, there are some items for which PayPal does not protect the seller, too. Such items include:
- Items prohibited by law.
- Licenses of digital products.
- Claims, chargebacks, and cancellations for items that are different from those described.
- Items delivered or collected in person.
- Items whose value equals a cash amount (for example, gift cards and prepaid cards).
- Payments related to financial products and investments.
- Donations.
- Items purchased through classified ads.
- Payments in gold (either in its physical form or as a quoted value).
- Disputes opened directly with PayPal in the Resolution Center.
Report a suspicious email pretending to be from PayPal
Phishing is an unlawful attempt to siphon someone’s sensitive and private data.
The most famous phishing technique is to send targeted users an email on behalf of a known company, such as PayPal. These emails may contain links to fake sites or fraudulent attachments.
Spoofed websites encourage you to enter personal data, such as your Social Security number, credit card number, and password.
But the question is, what do you do if you encounter any such email? You simply report it to PayPal.
Have you received a suspicious email?
If you think you have received a scam email, do the following immediately:
- Don’t enter any financial or personal information. Also, don’t click on any link or download any attachments from the email.
- Send the complete email to spoof@paypal.com.
- Delete the suspicious email from your account.
- PayPal will send you an email reply to confirm if the email you received is fraudulent or not.
Have you come across a fake site?
If you come across a fake site, do the following immediately:
- Don’t enter any financial or personal information. Do not click on any link or download any attachments from the site.
- Copy and paste the site address (URL) into an email and send it to spoof@paypal.com.
- PayPal’s security specialists will review your request, and if it is a bogus site, PayPal will do its best to get it to shut down completely.
These simple actions will help you stay safe and protect the entire community.