Criminals exploit PayPal’s policy of making it child’s play for anyone to create an account with them. Then they use their buyer dispute features to terrorize sellers.
Preface
I’d like to know if anyone has heard of this particular type of attack and, if so, get more info about how it’s carried out. Though I have yet to hear of anyone who underwent the same kind of attack, I find it difficult to believe I’m the first to suffer from it. I’d also like to find a way to accept payments for my digital products such that, hopefully, this won’t happen again.
What Happened
I’ve made a guitar lesson site as a hobby, and sell about twenty digital products, from backing tracks, to links to play-along videos, and so on. Prices range from $.99 to $8.95.
One product was a link to a play-along video for just $.99. But I had only sold about six of these in the last couple years.
After spending several months migrating my old HTML site to the WordPress platform, I made the new site live on October 7, 2019.
Then, from October 11 through 16, I sold over 150 of this $.99 product! At first, I assumed the new site had caused greater awareness of it. I was wrong.
Obvious Criminals
Upon examination of the data from my online shopping cart service, I discovered…
• the email addresses of the buyers were obviously fake (a random series of characters @ a Russian or Chinese internet company, for example), and,
• all but 2 of the thirty or so IP addresses I checked with a geolocation tool were from Phoenix, Arizona. (The other 2 were from Las Vegas and Los Angeles.)
After more research, it looked to me like someone in Phoenix was buying my $.99 product in order to test stolen credit card numbers. (Whether or not this was the case turned out to be immaterial to what happened next.)
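As an added example (not part of the original post, and not any shopping cart service's code), here is a check a seller could run over a cart export to catch the pattern described above: a burst of one cheap product far above its historical rate, with buyer IPs concentrated in one city. The field names, thresholds, product names and sample orders are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict


def flag_card_testing(orders, baseline_per_day, window_days,
                      min_orders=10, burst_factor=20.0, geo_share=0.8):
    """Return {product: [reasons]} for products whose recent orders look like card testing.

    orders: dicts with 'product' and 'city' (city obtained by geolocating the
            buyer IP), all falling inside the review window.
    baseline_per_day: {product: historical average orders per day}.
    """
    by_product = defaultdict(list)
    for order in orders:
        by_product[order["product"]].append(order)

    flagged = {}
    for product, rows in by_product.items():
        reasons = []
        expected = baseline_per_day.get(product, 0.0) * window_days
        # Floor the expectation at 1 so a near-zero baseline cannot flag a single sale.
        if len(rows) >= min_orders and len(rows) >= burst_factor * max(expected, 1.0):
            reasons.append("burst")
        # Share of orders coming from the single most common city.
        city, count = Counter(r["city"] for r in rows).most_common(1)[0]
        if len(rows) >= min_orders and count / len(rows) >= geo_share:
            reasons.append(f"geo:{city}")
        if reasons:
            flagged[product] = reasons
    return flagged


def sample_orders():
    # Constructed sample: 30 orders of the cheap product, 28 geolocated to one
    # city, plus three ordinary orders of another product.
    cities = ["Phoenix"] * 28 + ["Las Vegas", "Los Angeles"]
    orders = [{"product": "playalong-099", "city": c} for c in cities]
    orders += [{"product": "backing-track", "city": c}
               for c in ("Austin", "Leeds", "Osaka")]
    return orders


# Assumed baselines: about six sales in two years for the cheap product.
BASELINE = {"playalong-099": 6 / 730, "backing-track": 0.5}

if __name__ == "__main__":
    print(flag_card_testing(sample_orders(), BASELINE, window_days=6))
```

A flagged product is a cue to pause sales of that item or add friction at checkout before the orders turn into disputes.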
Removing The Product
At this point, though I figured I couldn’t be held liable for receiving $.99 from obvious criminals, I decided I didn’t want to be involved in whatever scam they were perpetrating, so I removed the $.99 product from my site. And, just in case they decided to start purchasing another product to target me, I closed my online shopping account subscription and deleted all products and donation buttons from my new site. Though I never made a killing from selling guitar lesson materials, I was now obviously receiving zero income from the site. And I had just undone many hours of work on my site.
Bogus Disputes
From October 19 through November 28, I received over 100 “disputes” in my PayPal account similar to the following:
Transaction amount: $0.99 USD
Disputed amount: $954.95 USD
Though the transaction amount was correct, the disputed amount was, of course, ridiculous. These ranged from around $600 to $1200. Multiply that by a hundred or more and you’re in the $80-to-$100,000 range.
While I realized at this point that I was being targeted by some criminals, I also thought that contacting PayPal would quickly resolve the matter. Wrong again.
Trying To Get A Human Response
Since the dispute notices advised me to go to the Resolution Center of my online account, I tried that first. It was the beginning of many soul-sucking experiences, trying to contact an actual breathing/feeling human being in the PayPal organization. As with, unfortunately, many modern businesses, you are channeled through a maze of incredibly unhelpful “knowledge base” articles until (if you don’t give up from fatigue) you find a way to send a message explaining your issue.
Worse, I discovered my messages to them were first sent to an AI (artificial intelligence program), which responded with yet more boilerplate answers from the “knowledge base.” (Is it possible I was so incensed by the first of these replies that I failed to notice something at the bottom about replying to the message in order to get a response from an actual human?)
Filipinos Reading From Scripts
As the responses I got through online messaging were of no help at all, I tried calling them.
I reached a call center in the Philippines. First, I got a probably well-meaning but clueless young woman, so I asked to be transferred to her superior, which she finally, but reluctantly, agreed to do.
After considerable time on hold, a man with an American accent answered. I described the situation to him. He said, yes, he’d heard of this sort of thing happening before, and I momentarily breathed a sigh of relief. I asked him where he was, to which he replied, ironically, “Phoenix, Arizona.”
He then put me on hold; again for quite a while. Finally, a different Filipino woman picked up, who was only slightly more helpful than the first. She eventually agreed to forward my information to the financial institutions that acted on behalf of the buyers who were disputing the purchases, and confirmed that no such large amounts ever entered my account. I told her I was recording her, which I then did, and had her repeat what she said. I further asked her to send me something in writing (via email or online messaging), to confirm what she had just told me. She refused.
Criminals’ Strategy
As you might imagine, it was incredibly stressful trying to figure out how to get PayPal to understand that all of these claims were bogus and should be removed from my account. At this point, I had no real idea how it was happening. Eventually, however, a friend helped me understand that both the original purchases and the ensuing disputes came from the same bogus PayPal accounts. The criminals had obviously used over 150 email addresses (which they had acquired somehow) to open PayPal accounts, specifically for the purpose of carrying out this type of attack. Like spammers who send out a million ads for Viagra, it takes only a few sales to cover their costs. The current criminals obviously relied on a few people unquestioningly or reflexively paying some of these outrageous amounts. I, however, had no intention of dancing to their tune.
Canceling My Bank Card And Account
To protect myself in case the attack went further, I
• canceled the credit card I had connected to my PayPal account. Then later,
• closed the entire bank account that the credit card came from. (I’d had that checking account for over 30 years.)
Now Come The Chargeback Fees
About 1 month after these disputes first started arriving, I began receiving new messages from PayPal’s automated dispute system that stated for each of the now 158 bogus transactions…
“$0.99 USD has been debited from your PayPal account”
(This, despite the fact that PayPal took $.33 as their fee on each purchase, leaving me with just $.66!)
And,
“In addition, you have been debited a $20.00 USD chargeback fee.”
I had transferred all but about $100 out of my account, since it was obviously now unusable. I had left that balance, on the odd chance that my product had been purchased with credit cards stolen from innocent people, who might eventually see the fraudulent charge on their credit card statement and want it returned.
The first 5 of these “chargeback fees” instantly drained that remaining $100. Today (December 15, 2019), when I logged in to my account, it showed a $2051 deficit. Sorry, PayPal, there is zero chance I’m going to cover that amount.
Ignoring PayPal
Receiving these automated emails from them was so stressful that I eventually went to my email server and had them all forwarded to an account I never look at. Then I just stopped looking at the account entirely.
Except I did go back on October 24, before the “chargeback fees” started arriving, to try one final time to get a reasonable response from them via their online messaging system. Over a month later and still no response from them. Below is what I wrote them.
============
I’m going to try one more time to get someone at PayPal to admit the following type of claim is bogus. Here’s a recent example of claims I’ve received in the last few days:
—
Dear [Sir],
We are writing to let you know one of your buyers opened a case for this transaction. The buyer stated that they did not authorize this purchase.
Here are the case details:
• Buyer’s name: Stacey Clardy
• Buyer’s email: 26.lcm.15@mail.ru
• Transaction date: October 16, 2019
• Transaction amount: $0.99 USD
• Disputed amount: $957.99 USD
—
Again, the email address (from Russia) is obviously fake. It’s quite possible the credit card number thieves did make a $.99 purchase from me, which I’m completely happy to refund. However, the $957 amount is ridiculous (you’re welcome to check my account). The most I’ve ever received from anyone is about $9.00 for my guitar lesson products.
I need you to:
1) Agree explicitly that all these recent claims are bogus, and
2) Remove all these claims from my account.
Dave P.
============
Conclusion
The problems are
1) PayPal makes it far too easy for people to open accounts.
2) The company is run mainly by a robot (algorithm/AI).
Even their phone support staff in the Philippines (where jobs are hard to come by) work under fear of termination if they deviate from the boilerplate responses they are told to give to those who call in.
3) They reflexively refund payments to buyers, while offering almost no fraud protection to sellers.
The company is completely geared to profiting from the fees they charge and trying to get more and more people signed up. They famously freeze accounts of legitimate sellers for months on end, leaving sellers to prove they were taken advantage of.
I’m encouraged to find a virtual cottage industry of YouTubers and sites online gunning against this despicable company. I’ll be sending them this missive to join their ranks. PayPal should go down, as should the rest of the modern robo-cos.