There seems to be a telephone scam running in Australia with the caller claiming to be from Paypal, at first asking to discuss 'feedback' but then saying they are concerned about "a recent payment you made that we have blocked because it was a scam". They are apparently trying to obtain details on customer identity (for phishing or some such). The first question they tried with me was "We need to verify your identity so could you tell us your email address registered with Paypal." Obviously you should not (in my view) tell them this. So here is what happened:
Today just before 6pm (Qld time) I received a No Caller ID call. I was going to ignore it, but I did recently ignore a no-ID call that turned out to be a genuine call (people are working from home etc due to Covid). So reluctantly I answered it. From a noisy call centre the Indian (I think) bloke on the other end claimed to be from Paypal and said that I had paid $200 to '<Removed>' two days ago and that he wanted to verify the payment as it "looked like my account had been compromised". I asked the date and he hesitated then said the "6th".
I checked my account and could see no such payment and no evidence of activity other than my own. He then asked for information 'to identify me', saying "We need to verify your identity so could you tell us your email address registered with Paypal." I said "Umm, you have those details and have called me, so why not ask me my security questions?" At that point the phone went a little quiet and then he introduced 'his manager'. I asked the manager to confirm the details of the (probably non-existent) transaction again. He confirmed it was indeed $200, two days ago. "And to whom?" I asked and he said "to <Removed>" (hmmmm) so I then asked "What date was it?" and he said "the 5th".
"So was it the 5th, you're sure?"
"Well your colleague said it was on the 6th and it was to <Removed>".
[Hasty hang up sound]
So there it is. Objectively and in hindsight it seems very obvious. However, when you are taking a call like that, you tend to think – well it could really be Paypal trying to stop a fraud. Without playing the two guys off against each other, I might not have been able to confirm it was a scam. I'm a little worried they might be successful in ripping people off.
Perhaps consider letting your more vulnerable relatives or friends know to be wary of anyone claiming to be calling from Paypal regarding an incorrect payment and asking for account details to confirm identity. The key point would be to give no identity or contact details.
I called a close relative about this tonight and found that yesterday they had received the same kind of call and (unfortunately), while being suspicious, still continued the conversation. She did confirm her email address with them (as used for Paypal account) and was sent a text with a series of numbers. They asked her to read the numbers to them 'so they could confirm the details of the problem' and (for some reason) she did. The next day she checked her Paypal account and found that numerous small to large ($5 to $300) payments had been made to a person she had never heard of. She called Paypal and had the payments reversed, changed her password and then had a second layer of security set up (security code by text to phone) for all future payments.
It seems that the scammers had accessed her account. However at no point did she give her password.
How was this possible?
I am also concerned that they called me, her direct relative living about 1000km away, within 24 hours with the same scam. Could it really just be a coincidence (there are 26 million people in Australia)? I cannot see how they have performed these payments without somehow finding her password. I can only think that it might be a vulnerability in the Paypal App or the browser Apps on the iPhones we own - or maybe a third party app that accesses passwords associated with the number on the iPhone, the remaining piece of info needed being the Paypal account email?
I really have no idea, but the ease with which they accessed her account apparently based only on knowing her phone number, account email and having her read out the sent numbers is very concerning.
In the meantime I have asked her to change all her passwords, but that really doesn't fix the problem - how did they access her account?
Does anyone know any more on this?
Could Paypal staff comment and possibly look into this?