
Fun PayPal Scam That Nearly Got Me.

tim_macdougall

Today, I had a scary experience with a social engineering scam that nearly defeated my bank's security protocols. It started this morning when I received an overdraft alert from my bank, which led me to uncover a suspicious CA$5,000 withdrawal from my account to PayPal.

 

Upon investigating my PayPal account, I found an unauthorized transaction dated January 2, where this sum was transferred into my PayPal wallet. I promptly called PayPal support, but the initial representative seemed inexperienced and advised me that nothing could be done about the "Electronic Cheque" since it hadn't cleared yet.

 

While on the call, I noticed changes in my PayPal account: an addition of a Citibank account and an automatic withdrawal rule to transfer funds from my PayPal wallet to this new account. This was particularly odd, given that I live in Vancouver, Canada, and Citibank isn't a local bank here.

 

I then insisted on speaking with the fraud department. For context, my PayPal account is protected with 2FA, a strong password, and a dedicated email address. It seemed highly unlikely that my credentials were compromised through a data breach.

 

The fraud department was more insightful. They observed that the Citibank account was added just before the fund transfer and was entered manually over a phone call. This suggested that the scammer bypassed my 2FA and login details, persuading a PayPal rep to add an international bank account, initiate a transfer, and set up an auto-withdrawal rule.

Additionally, the transaction was flagged as high-risk since Canadian customers typically don't use American bank accounts. Thankfully, my bank managed to stop the transaction.

 

This incident highlights the concern of social engineering in circumventing robust security measures like 2FA.

 

It also points to a broader issue: the vulnerability of telecom services to similar attacks, which could completely undermine the security provided by 2FA.


I would love to hear thoughts on the situation.

Could be a good WAN Show topic.


Damn, I'm glad you were able to get things sorted before any money moved out of your bank account!

 

There is another one I ran into recently in the same vein, where they're using compromised accounts and sending money requests to people, and using the request template to try and trick people into sending money via an official money request via PayPal's system, but putting a different phone number in the request so people call the scammers instead of actual PayPal support. It's a legit email originating from PayPal's system, but the request being made is trying to trick you, so it's much harder to spot as well.


6 minutes ago, Lurick said:

Damn, I'm glad you were able to get things sorted before any money moved out of your bank account!

 

There is another one I ran into recently in the same vein, where they're using compromised accounts and sending money requests to people, and using the request template to try and trick people into sending money via an official money request via PayPal's system, but putting a different phone number in the request so people call the scammers instead of actual PayPal support. It's a legit email originating from PayPal's system, but the request being made is trying to trick you, so it's much harder to spot as well.

Oh dear, that's awfully crafty. I always use the customer support number that's on a website's contact us page. I can definitely see people falling for that one though.

Lucky I managed to stop the funds in transit. It actually left my account, it just didn't post into PayPal's yet.


This is not an easy task. I’m gonna go ahead and guess your personal information was part of a data breach. Social engineering a bank isn’t an easy feat, you would be surprised how often and how many times they take training on topics like these.


When I hear things like this sometimes I wonder if the people working for major banks are part of the scam. 


Well, if true, PayPal is obviously way more unsecure than people think. What good is all the "login security" when a simple phone call can circumvent all that? If I wanted unsecure transactions I could just use my bank lol.


Either scammers are getting smarter, or the things in place to stop them are getting dumber. 


8 hours ago, Levent said:

This is not an easy task. I’m gonna go ahead and guess your personal information was part of a data breach. Social engineering a bank isn’t an easy feat, you would be surprised how often and how many times they take training on topics like these.

I'd say it might depend.

 

Banks are actually pretty easy to social engineer. I think a reason you don't see it as often is that banks also tend to not admit they have been a victim (resolve things secretly), they don't admit it happened and blame it on something else, or most people don't want the risk (lot harder to launder the money and also not get caught). It's not worth the risk I think a lot of the time, since you have to convince the bank (i.e. know enough about the person) and then you need to have a compromised bank account that you can transfer the money to and pray that things go through before the transaction gets flagged. (The one time the slowness of banks is a good thing.)

What is concerning is if the OP's story is true, in that PayPal added the account with auto-withdrawals. That would be seriously concerning, and something that if true should be a massive red flag for PayPal. The only thing I could think of is someone calling up with information about the person, but even then PayPal should at least try verifying the person (like calling his phone number on record).


9 hours ago, tim_macdougall said:

Today, I had a scary experience with a social engineering scam that nearly defeated my bank's security protocols. It started this morning when I received an overdraft alert from my bank, which led me to uncover a suspicious CA$5,000 withdrawal from my account to PayPal.

 

Upon investigating my PayPal account, I found an unauthorized transaction dated January 2, where this sum was transferred into my PayPal wallet. I promptly called PayPal support, but the initial representative seemed inexperienced and advised me that nothing could be done about the "Electronic Cheque" since it hadn't cleared yet.

 

While on the call, I noticed changes in my PayPal account: an addition of a Citibank account and an automatic withdrawal rule to transfer funds from my PayPal wallet to this new account. This was particularly odd, given that I live in Vancouver, Canada, and Citibank isn't a local bank here.

 

I then insisted on speaking with the fraud department. For context, my PayPal account is protected with 2FA, a strong password, and a dedicated email address. It seemed highly unlikely that my credentials were compromised through a data breach.

 

The fraud department was more insightful. They observed that the Citibank account was added just before the fund transfer and was entered manually over a phone call. This suggested that the scammer bypassed my 2FA and login details, persuading a PayPal rep to add an international bank account, initiate a transfer, and set up an auto-withdrawal rule.

Additionally, the transaction was flagged as high-risk since Canadian customers typically don't use American bank accounts. Thankfully, my bank managed to stop the transaction.

 

This incident highlights the concern of social engineering in circumventing robust security measures like 2FA.

 

It also points to a broader issue: the vulnerability of telecom services to similar attacks, which could completely undermine the security provided by 2FA.


I would love to hear thoughts on the situation.

Could be a good WAN Show topic.

Yeah.

Had something like that happen to me on my whole Amazon account.

Buyer and seller.

Oh and this was end of year.

3 months later (new year) Cash App poor security ding a card.
(I don't use it)

2FA did nothing on both.
