Wednesday, February 8, 2017

How protected are you as a seller by PayPal and eBay these days?

I don't know about you but I started hating eBay. So much to be wary of these days with scammers jumping at you at every corner yet it feels as if there is not much help out there for sellers if a buyer is a scammer. Here is my story, reflected against some research I have done on PayPal and eBay policies, which I will explain in some detail and point out some loopholes that serve scammers very well. You will see that in most cases, as a seller, you are paying a fee to PayPal (and eBay) but there is little protection out there. It does go on but it is valuable to know.

It all started with a dodgy buyer

Recently I refused to send an item to someone who had a PayPal account with a different name to their eBay account, and the buyer did not reply to the email I sent to their PayPal registered email as a check. They then bid with another account, paying by e-cheque through PayPal, but their address was not verified and PayPal warned me I would not be covered by their seller protection if I sent the item, so I refunded the money again and they promptly gave me negative feedback. As a buyer, they can do that; as a seller, I can no longer give negative feedback. I spoke to both eBay and PayPal about both accounts, pointing out they were advertising the same item and had discrepancies in registered names, and both advised me it looked dodgy. But what will be done about it is the question. I was selling a relatively expensive item and did not want to risk it. PayPal will warn you not to send items to unverified PayPal addresses, yet eBay will hold you responsible for not sending the item to the unverified address, as you had an agreement with a buyer, and the buyer can give you bad feedback. Just a thought here - should eBay then not 'insist' all buyers verify their PayPal accounts so innocent sellers are not penalised for not wanting to send to unverified addresses which are not covered by the PayPal agreement? One would hope so, but they don't.

Verifications, e-cheques and chargebacks

An address is verified by adding a credit card registered at your address to the PayPal account.  Your credit card billing address becomes a verified address to send purchases to.  So far so good, right?
If a buyer has an address that is verified by the credit card, they will probably issue payments through PayPal that are backed by their credit card.  If they do so and decide to scam you, they can just report to their bank that the transaction is fraudulent (e.g. someone hacked into my eBay account), even months after they left you wonderful feedback and you left them great feedback too, and their bank will request PayPal chargeback.  Chargeback is when they refund the buyer the money they paid - buyer keeps your item and gets your money too.  PayPal says, in their video on chargebacks, that they will mediate between the bank and the seller and that once you submit the evidence (i.e. tracking number, emails etc.), the bank will make a decision, which is out of their hands.  Their forums say otherwise - many bitter sellers saying this is a frequent thing and PayPal does nothing to help.  In my case, I asked PayPal to see if the address has been changed or updated recently on the buyer's account but was advised they cannot do that, they can't check for fraud on the spot when reported.  
So let's entertain this idea for a second. My buyer could have a cloned credit card (or a stolen one) registered at their address, thus verifying their PayPal. They go on a shopping spree and then report fraud to the credit card, resulting in chargebacks. PayPal's hands are tied despite you, as a seller, proving you did everything you have to do to qualify for their protection. So if you really are at the mercy of the (dishonest) buyer's credit card, why are you paying PayPal a fee for protection only to be told you are not protected? In the olden days, when the Kray brothers took their protection money, I hope you could at least count on them having your back when you needed it. PayPal will cite it is the law and fair enough, but if the terms of protection you have as a seller have so drastically changed and crossed boundaries with other avenues of paying (i.e. credit cards), should PayPal not offer a reduction in their fees at least? I distinctly remember PayPal forcing me to adopt a business PayPal account that accepts credit cards and charges you money years back, but was the old PayPal safer? The one where a person would transfer funds into PayPal and use those funds without help of credit cards or

What is an e-cheque? If a seller hasn't got a credit card linked to PayPal account, they can issue you an e-cheque through PayPal. You have to accept them, it is funds from their bank account. Apart from taking a century to clear, they can also be charged back if a customer reports it as a fraudulent transaction even months later.
So technically you are only, maybe, covered if a buyer has paid you with the PayPal balance and you can prove you posted the item. Even still, a scammer will say you sent an empty package and PayPal will probably side with them.

The illusion of protection for sellers

The fraud protection offered to victims is great but it is being used by scammers to defraud, and turning a blind eye to loopholes just makes people mistrust others and the companies they use for this 'so called protection'. When PayPal first started it may have offered some protection but now it charges quite a lot of money for very little choice in the matter. It forces you to accept credit cards; without them you have no protection as they don't cover unverified addresses, but with them you are in the same boat, at the mercy of your buyer and their moral compass. Same for e-cheques. This means you are actually not trading through PayPal but through banks, in which case you might as well ask for a bank transfer and forget the protection altogether. At least when someone sends you a bank transfer, it is final, but then the buyer is vulnerable and I am sure sellers would turn into predators (and they often do).

Does the fraud buck stop with you or eBay when you sell on their site?

OK, I thought to myself, I will turn detective and do a bit of my own digging on my buyer, to see what kind of purchases they are making and what they are selling, and this can be a nice tool in fraud detection. However, eBay has made this difficult in two ways.
Firstly, users can hide their feedback comments.  You can still see their feedback score, eBay recently proudly told me, but being extremely slow to remove fraudulent users, feedback can be faked and this is how.  You register an account and in the same day or two you purchase 200 items at auctions.  You pay for none of them.  Sellers are angry and leave you positive feedback (as they cannot leave you a negative one, not even if you are a regular non payer) but with a negative comment, kinda like this.  

Potential sellers can see this and I always check the written feedback and also feedback left for others, as it can tell you a lot about the user. 
However, if you just see the feedback score for this person, it says 100% positive feedback.  Thanks eBay, your feedback score really gives me that peace of mind. 

The second thing that puts me off using eBay is the ability to remain private as a buyer. This encourages slightly dishonest sellers to create multiple accounts and shill bid on their own items, and you cannot see what is being bought and sold as you cannot view the auction items. It also allows scammers some anonymity, and anonymity means a low detection rate.

What about PayPal? 

Is PayPal any better at making it hard for scammers? Afraid not. The first thing PayPal told me when I rang them reporting the suspicious fact that my eBay buyer had an eastern European sounding name whilst the PayPal verified name was of an Asian origin, was that it is not against the rules to use someone else's PayPal to pay for things. So, as a seller, it is on me to guess if this person's PayPal account is just a friend or they stole someone's identity and I will get a chargeback when this is discovered. The responsibility is on me to detect this but there is no realistic way of finding out and oh, wait for it, when you decide not to risk it and refund the transaction because it just does not sound kosher, eBay reminds you that the buyer is within his/her right to leave you negative feedback because 'you' broke the contract. They take no notice, when it is pointed out to them, that the same buyer is also advertising the same items with the same pictures etc., through two different eBay accounts; their stance is that I broke the rules and deserve the wrath. Same if I refuse to send to an unverified address. PayPal says no and eBay says you have to. Guys, aren't you a team?

What am I then paying for in PayPal fees?

But if I am paying for protection through eBay and PayPal, I would expect them to be at the top of their game and take some flak, otherwise their fees are just another scam. To have robust mechanisms in place to discourage scammers, not make it easy for them to thrive using their platforms. Maybe offer some fraud protection? Scammers are businessmen too and if something is hard, they tend to move on to an easier thing. Fraud keeps happening more and more because it is easy to execute and there are very few consequences. Despite the rhetoric, when it comes to eBay and PayPal and if you are a seller, it seems that you are on your own if things go wrong in any way. It would be simpler if someone just told you this, without this illusion that there are steps you can take by paying a third party to protect you when you sell online. But PayPal and eBay could do more for sellers and buyers. They could be more transparent about fraud, remove privacy on feedback, allowing customers to see the real picture, be more strict on buyers and sellers who are reported as suspicious, not allowing someone else to use the registered account etc. So why aren't they?

Thursday, September 15, 2016

Understanding psychology of phishing

Everyone gets phishing emails. For scammers, it is probably the most cost effective way of scamming people. Sometimes phishing emails are relatively harmless, but often they can be extremely harmful and trick you into parting with your personal passwords, login details and bank information. I wanted to collect a few to show you the types of phishing emails and the psychology behind them, the language they use and how the message will make you feel and want to react.

First of all, the biggest and most important message and one I think every fraud agency should use is that phishing emails will have one fundamental thing in common; something to click, be that a link or an attachment. Clicking anything in an email is bad, even if it came from your friends, as people's email accounts can be easily hacked. What you should look for in that case is whether this is out of character for your friend. If so, don't click it. 

Let's examine the most frequent phishing emails and how they persuade. Most phishing emails are designed to evoke visceral states. Visceral states are sexual arousal, hunger, greed, fear and so on. When we are under visceral influence, we are likely to bypass careful information processing and act without proper thinking - because we are acting on that visceral influence. When you are starving, you are likely to eat stuff you would reject otherwise, when you are scared of something, you will do anything to save yourself from danger, when you are attracted to someone, you will do anything to get them... so let's see the language used by phishing emails. 

Those offering refunds 

Who doesn't like getting refunds and money back. The offer of free money often puts one in a visceral state of excitement and greed and this is precisely what the scammer wants. They want you to get excited at the prospect of free money enough to act straight away. 

Who doesn't like a tax refund. Notice this one also has an expiration date, which will further influence you to act in the moment, fearful that you will miss a deadline.
Then there is a link you need to click. Probably will ask for your bank details so they can pay you. They give you 4 weeks so that you don't report anything for a while and they have time to scam you. 

TV licence refund anyone - when does that happen? Not even in your wildest dreams. Juicy link to boot - see how it stands out so you have no time to read anything else. 

Those offering free prizes 

 Argos doesn't know my postcode - see how it is not specified? Also, you cannot see a link in this one that well but I guarantee you that yes and no buttons don't do anything so you will have to click a link under them, confused that you cannot activate the buttons. Then they will ask you for details to give you the gift card but trust me, you won't be buying anything from Argos's Elizabeth Duke collection. 

Here is another one, note again, two nice juicy links, offering a prize package, all you have to do is confirm your details. 

Added time limit to make you act in a moment in case you lose the deal - this is a known scamming and persuasion technique. 

Good old malware types 

Luckily, most virus software filters flag these, but note how they targeted me on my university email and they made it very relevant - academics are likely to go to conferences. It asks you to note the date and time in the attachments so in order to check what is going on, you would have to click on it.

Those preying on your fears 

Here are a few examples of phishing emails that will induce panic and fear and make you want to sort out the problem as soon as possible.

Of course you did not initiate this download so you will frantically click the link saying cancel and support. They mention initiating a download a few times, so you get the message that all you have to do is confirm you did not do it yourself and all will be fine. Note there is another link lower down and that one will probably lead to a legitimate site - scammers are very good at making everything else look exactly so.

You won't have time to notice the weird way this email is composed. Why would your account be limited? All you see is something is wrong and things will get worse in 24 hours if you don't click that button. 

I still see advice such as 'hover over a link' to see if it is legitimate but this is now outdated.  Good scammers can fake everything, the link will give you an appearance of going to a legitimate place. Email will seem fine.  Look at this example - is part of the email for my university and this was faked. Previously when people clicked the attachment thinking it came from the university, the virus infected their address book, sending spam and scams to all their contacts - this time from their email. 

The only reason why you would need to click a link in an email is if you subscribed to something that minute and you need to verify email or you requested a password change and you need to follow a link. Any unsolicited emails with links are probably not good news. Scammers cannot get to your details if you don't click links but it helps to understand psychological states the emails are designed to put you in, so you act against your best interests. 
If you are worried about your accounts being compromised, call/log in from another source, never use a link. 
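
The cues described in this post can be turned into a simple mail triage check. The following Python is an added example, not part of the original post: it tags the visceral cues (greed, fear, urgency) and collects anything clickable, holding a message for review only when both are present. The cue word lists and the three sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Categories follow the post's grouping; the word lists are illustrative assumptions.
CUES = {
    "greed": re.compile(r"\b(refund|prize|gift card|free|won|winner)\b", re.I),
    "fear": re.compile(r"\b(limited|suspended|unauthori[sz]ed|did not initiate|cancel)\b", re.I),
    "urgency": re.compile(r"\b(within \d+ (hours?|days?|weeks?)|expires?|deadline|immediately)\b", re.I),
}

class LinkCollector(HTMLParser):
    """Collects the real href targets, whatever the visible link text claims."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.links.append(href)

def triage(raw_email):
    """Return cue categories, links and attachment names for one raw message."""
    msg = message_from_string(raw_email)
    text_parts, links, attachments = [msg.get("Subject", "")], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():              # anything attached counts as "something to click"
            attachments.append(part.get_filename())
            continue
        payload = part.get_payload(decode=True) or b""
        body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(body)
            links += collector.links
            body = re.sub(r"<[^>]+>", " ", body)   # keep only the visible text for cue matching
        else:
            links += re.findall(r"https?://\S+", body)
        text_parts.append(body)
    text = " ".join(text_parts)
    cues = sorted(name for name, rx in CUES.items() if rx.search(text))
    return {"cues": cues, "links": links, "attachments": attachments,
            "hold_for_review": bool(links or attachments) and bool(cues)}

# Constructed sample messages (not real emails).
REFUND = ("Subject: Your tax refund is ready\nContent-Type: text/html; charset=utf-8\n\n"
          "<p>You are due a refund. Claim within 4 weeks.</p>"
          '<a href="http://refund.example.invalid/claim">Claim now</a>')
LIMITED = ("Subject: Your account has been limited\n\n"
           "We noticed a download you did not initiate. Your account will be closed "
           "within 24 hours.\nCancel here: http://support.example.invalid/cancel\n")
LUNCH = "Subject: Lunch on Friday\n\nAre you free on Friday?"

if __name__ == "__main__":
    for name, raw in (("refund", REFUND), ("limited", LIMITED), ("lunch", LUNCH)):
        print(name, triage(raw))
```

The lunch message matches a cue word but has nothing to click, so it is not held; the other two combine an emotional cue with a link.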

Add me on Twitter for daily advice and stay scam safe. 

Wednesday, August 3, 2016

Do scams really happen only to 'some' people?

Once upon a time it was a common belief that scams only ensnare gullible and greedy people, and if you were neither, then you were safe. And maybe this was true but it no longer holds. Let me explain why.

Scams used to cost money to execute many years ago.  A scammer would have to go door to door, make phone calls (and many years ago, phone calls were not cheap), send a fax or set up a venture to defraud.  It would not always pay off for scammers and it would only pay off in cases where they get someone who fits the bill of a 'typical scam victim'.  And there are many traits that may make you more likely to engage with a scam; impulsivity, emotional thinking, greed etc. 
However, since the internet, scammers have been given a unique opportunity to create multiple identities, to call or contact potential victims with almost no cost to themselves and to even program computers to do that for them. Somewhere along the internet brick road, defrauding became easy, affordable and anonymous. This, in turn, encouraged more fraud. When a person is hit with a higher volume of scams, there is a chance that one will pay off - that is just simple maths. The more fraud pays off for scammers, the more they invest in making scams look legitimate and this leads to more victims.

When something becomes profitable and there is a low risk of prosecution, it will attract intelligent people to it and this is also true of scams. Scammers are now very aware of human psychology; they often also know things about you before they target you with scams that are likely to appeal. They invest in appearing legitimate, often manipulating social media and the internet (i.e. good looking websites, registering a fake company - this is not checked by the government and the scammer only needs a couple of months to defraud many victims). It is often hard to spot a scam these days as people often don't know whom to trust. And scammers, feeling safe from prosecution, go to great lengths to defraud: impersonating governmental websites, faking identity documentation to open bank accounts and so on.

The amount of fraud and the fact that it can be delivered from anywhere in the world makes it extremely challenging for the authorities. It is not always possible to track down the exact person who defrauded you from somewhere else in the world. The resources are just not there. And fraud is so omnipresent now that there are very few people out there who can say they have never been defrauded, either by a fake eBay auction or by having their identity cloned.

The popular thinking, that scams only happen to a small number of people with specific characteristics, no longer applies today and may actually make one less cautious and therefore, more vulnerable to a scam attack.  Never underestimate a scammer, they are businessmen who know their business well.  Fraud is now an organised crime.  And it's here to stay. 

Tuesday, June 7, 2016

A chain is only as strong as its weakest link

Friday, January 8, 2016

Always, always look a gift horse in the mouth

Do you love your giveaways?  Social media are full of them; free iPads, iPhones, free holidays, free first class travel for a year with British Airways, Virgin flights, BMWs and so on.  All you have to do is like a page and share their post.

Harmless enough, right? No. Most of these giveaways are fake pages that need you to proliferate their scam to other people and once you like them, unless your profile is watertight, they have access to your social media, your likes, dislikes, photos, friends and, if you are particularly naive, your phone number and date of birth.

People love giveaways. We like to think that lucky things do happen, and they do, but this belief is often exploited by scammers. To get you to comply, the rewards are often big (does anyone ask themselves before sharing why British Airways would give away first class travel for a year, likely to cost them hundreds of thousands of pounds?) and/or in line with current desires.

The last hoax giveaway, even though not particularly malicious, was that Mark Zuckerberg, the founder of Facebook, will be giving away free money to people sharing the status about it.

People got excited and shared it and there is nothing more legitimate than a post saying; according to this and that, this is not a hoax.  It adds legitimacy but does anyone bother checking?  This is precisely how scams work.  If one sees a post like this (or any advertising some giveaway) from a friend, the credibility of a friend extends to the message, even if it has been shared thousands of times and is not actually written by a friend in question. 

So next time you see shared giveaways, check the page that is sharing it and Google the giveaway (more here).  This is often enough to spot a hoax or a scam.