PayPal Community

Based on the evidence, I believe a sophisticated bot has scammed me into diverting a payment from my intended recipient. I want to report this to the official site, but I am going, in this not, to alert the public to what happened. In this public notice, I will use pseudonyms; and when I report to the authorities, I will use the true information.

The person to whom I wanted to send money is someone I'll call John <removed>, and the recipient gave me the email address connected to PayPal. I will call the site <removed> I submit the payment to the address, and the symbol indicating a successful payment happens, and a new entry for "John <removed>" appears on the list of payees

Several days later, John writes me an email, saying they’re still waiting on a payment, so I go to PayPal and look at the address shown and forward that to my friend, the payee. Before John can get back to me, however, I notice that the listed address is <removed> . I think, "Ahhhh", I simply spelled the name wrong; so, without waiting for John to reply back, I make the one-letter correction to <removed> When I do, I see a new payee with a different name, which, in no way, resembles "John <removed>". I have since written to <removed> , but no one has replied to that message.

I do programming and data analysis professionally, and what I saw led me to conclude that my payment was intercepted by a sophisticated bot.

Had I, in fact, typed <removed> the first time through, I believe the system would have flagged the misspelled address as non-existent, and I would not have gotten the "OK" symbol, saying my transaction had been successful. To my mind, there is no way the system would have come up with "John <removed>" as the recipient: it would do one of two things: 1) flag the address as incorrect and give me an alert that the payment was not successful; or 2) if the system noted and corrected the error for me, it would not have set the status to "pending" nor have left the misspelled and nonviable address for me, given that I would be doomed to fail if I tried to make contact. None of the things happened that I would expect from a legitimate posting. Instead, all the signs point to a hijacking of my payment, and the trap sprang when I stepped onto a carefully sculpted and camouflaged trip wire.

Unless someone can view the same facts and come up with an innocent explanation, I believe the following circumstances set the stage for a bot to exploit:
1) This was a first-time payment, and I had seen the correct address only once and had no familiarity with what the address should be.
2) The transaction registered as successful, and the system added the person's true name to the roster of payees.
3) The original address constitutes recognizable words and a name. The bot can automatically recognize and use those same words, while also recognizing and truncating a person's name.
4) After having said that the payment went through, the payee is mysteriously listed as "Pending".

-- The "Pending" condition represents a point of vulnerability in the system. There are legitimate reasons for a "Pending" status (for example, if a package is being delivered, payment may be legitimately pending until it is documented that someone has received it) ; but, while on hold, there is the possibility for malicious intervention, which is what I believe happened. When I report this to the authorities, I am going to ask them to check the duration of time that the address <removed> has been in existence, and I expect the answer to be less than one week. I would also not be surprised to find that the person's name associated with the account is falsified and the account with that address is now closed.

Any payment service must rely on the person logging in to authorize a payment, and this is where I see craft in trap setting. The key to springing the trap is to trick the one signed in to authorize payment to the address it has tricked me into using.

If something like this were to happen again, I would take 3 precautions:
1) Don't rely on my intuition to fill in the gap, but go back to the original communication, in which the person told me the address in the first place. If their is a notable discrepancy, report it immediately! The odds of catching a thief is greater when the account is still open and the trap is still poised.
2) When trying again, lower the stakes by sending a few pennies to the intended recipient and verify that the intended recipeint has received those pennies before sending the full amount. In fact, with this experience, I will likely begin, initially, by sending a few pennies any time a new payee is involved.
3) Any time a transaction is listed as "Pending", go with caution. Predators may be lurking outside an open window.