PayPal glitch threatens to cancel echeque payments
October 25, 2008
PayPal echeques are a pain point at the best of times. Buyers often think they’ve paid and don’t understand why sellers don’t ship immediately. Sellers are frustrated at having to wait up to 10 days for the funds to clear, and when an echeque doesn’t clear it’s often days until it fails and they have to ask the buyer to repay by an alternative method.
Now the latest glitch from PayPal is an email informing sellers that their echeque payment will be canceled if they don’t “claim the funds”.
Dear Chris Dawson,
Claim your funds
You received 4.99 GBP from xxxxxxx@xxx.xxx on 23 Oct. 2008. If you do not claim your funds by 21 Nov. 2008, this transaction will be cancelled and the money will be returned to xxxxxxx@xxx.xxx’s account.
Log in to your PayPal account to view the details of this transaction.
You are being asked to manually claim this money because:
You are one of our high-volume customers. We ask PayPal users who receive more than $10,000.00 USD per month to complete our Supplemental Merchant Information form.
To fill out the form, click the link below:
https://www.paypal.com/uk/MERCHANT
The information you provide helps us protect the integrity of our network. Payments sent to your PayPal account will be held as ‘Pending’ until you complete this form.
If you have questions about this transaction, log in to your PayPal account and click on History found towards the top of the page. Click on the details of the transaction in question for more information, or to accept or refuse this payment.
Yours sincerely,
PayPal
The echeque detailed is due to clear on the 31st October. In the meantime there is nothing that can be done to “claim” the payment or to get the echeque cleared quicker.
The email, although addressed by name, resembles spam and does the one thing that PayPal advise they never do - it contains a clickable link requesting users to log into their account to update their information. Quite frankly, all the time PayPal send emails with links in, it’s no wonder that unsuspecting users fall for phishing emails. Using US dollars in emails to UK customers makes the email look even more suspicious.
Reporting the email to PayPal elicited the response “That is a spoof email. We would never ask you to fill out your business information on a link. We would ask you to log on to your account and follow steps to complete”. Sadly the emails aren’t spoofs - they’re addressed to the correct name, contain details of a genuine transaction, and the link is to a genuine PayPal page. They’re just a PayPal glitch.
PayPal have a new website intended as a fun interactive way to learn about online safety with a test. The correct answer to how phishers prey on victims is “Describing threats to your account and stating you must authenticate your information immediately followed by a link”.
In order for the advice to be taken seriously PayPal themselves should never send emails requesting users to click links and update their information.
eBay close spoof@ebay.co.uk email address?
October 24, 2008
eBay’s safety center requests users to forward spoof or phishing emails to spoof@ebay.co.uk or spoof@ebay.ie.
There are two reasons for this - firstly eBay will advise you if the email is genuine or if indeed it is a spoof. Secondly eBay have automated scanners which parse the email for web addresses and, if an unknown possible phishing site is found, alert a real live human to check the site out and start working to get it removed from the Internet.
Until the phishing site is taken down, which can take time especially when working with overseas Internet Service providers, eBay can drop the web address into a database so that your Internet browser can flag it as a phishing site (normally by flashing red).
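The triage step described above, sketched as an added example (not eBay’s code): it pulls every link out of a forwarded report and queues the hosts that are not on a known-domain list for a human to check. The allowlist, function names and the report itself are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumed allowlist for this sketch; a real one would be maintained by the brand.
KNOWN_DOMAINS = ("ebay.com", "ebay.co.uk", "ebay.ie", "paypal.com")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)

def is_known(host):
    """Match on whole DNS labels so 'paypal.com.other.example' does not pass."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)

def linked_hosts(raw_message):
    """Collect the hostname of every http(s) link in the text parts."""
    hosts = set()
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True) or b""
        text = body.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            try:
                # The parsed hostname ignores any userinfo before '@'.
                host = urlsplit(url.rstrip(".,;)")).hostname
            except ValueError:
                continue  # malformed URL, nothing to look up
            if host:
                hosts.add(host.rstrip(".").lower())
    return hosts

def review_queue(raw_message):
    """Hosts a human should inspect: linked in the report, not on the allowlist."""
    return sorted(h for h in linked_hosts(raw_message) if not is_known(h))

# Constructed report, not a real message.
REPORT = """\
From: member@mail.example
To: spoof@ebay.co.uk
Subject: Fwd: Claim your funds
Content-Type: text/plain; charset="utf-8"

Genuine page: https://www.paypal.com/uk/MERCHANT
Suspicious link: http://paypal.com.account-check.example/login.
Another: <a href="http://www.ebay.co.uk@203.0.113.5/signin">eBay</a>
"""

if __name__ == "__main__":
    print(review_queue(REPORT))
```

Comparing the parsed hostname against whole domain labels is what keeps a link that merely contains a brand name from being treated as known.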
I was somewhat surprised tonight when forwarding a spoof email (to spoof@ebay.co.uk) to receive the following reply - I hope it’s a temporary glitch rather than the service being discontinued:
Hello,
Thank you for your email. You’ve received this automated reply because the method used to contact eBay is no longer in use.
To send us your query, click ‘Contact Us’ on any eBay Help page.
We’re sorry for the delay. We look forward to helping you resolve your query as soon as possible.
Regards,
eBay Customer Support
Strangely, although sending an automated reply to let me know spoof@ebay.co.uk is no longer in use, the reply still had a KMM reference in the subject line! If you receive the same reply, resend any potential spoof email to spoof@ebay.com as that reporting email address still appears to be working.
eBay UK launches Enhanced Member Reporting
September 23, 2008
We’re hearing from several eBay members of invitations being sent out by eBay UK to join a new programme, Enhanced Member Reporting, which will allow selected trusted eBayers to more easily report listings which breach eBay policies. Reports received via EMR will be given higher priority for investigation by support staff. One member who joined up supplied me with some screen shots:


Members of EMR are able to report multiple items at once, without the tedious cut and paste of item numbers that the rest of us have to go through. They are also apparently able to report another eBay user, rather than simply their listed items: useful for shop headers or user IDs that breach links policies, for example.
Though eBay seem to be targeting members they believe to have expertise in specific areas, they’re keen to point out that abuse of the program won’t be tolerated. The email sent to new joiners spells this out:
Abuse of this tool in a pattern of unfairly ‘targeting’ items that are not in violation would result in removal from the Enhanced Member Reporting program at a minimum.
As the initial email asking if members are interested in joining EMR is sent out as a text email and does not apparently appear in My Messages, several recipients have assumed it’s a spoof. Forwarding to spoof@ebay.com gets it confirmed as a spoof, but in fact, it’s genuine.
Those who don’t reply to the initial email are then being contacted by eBay by telephone, again with no actual proof that they are calling on eBay’s behalf. When the company is putting so much effort into other programmes to ensure member safety, it’s a shame they can’t follow a few of their own guidelines.
Google to protect users from eBay & PayPal spoofs
July 8, 2008
eBay and PayPal have announced today that Google is working to eliminate spoof emails and protect Gmail users from eBay and PayPal phishing. Google are to implement Domain Keys authentication and will reject any email purporting to be from eBay or PayPal that fails the check, deleting it before it even arrives in Gmail users’ inboxes.
Yahoo! were the first to implement Domain Key checking for eBay and PayPal emails back in October last year, and Gmail will join Yahoo! Mail as one of the first to protect their users from phishing.
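The receiving-side policy described above, as an added example rather than Google’s or Yahoo!’s implementation: mail whose From address claims a protected domain is accepted only if the receiver’s own server recorded a passing signature for that domain. It assumes the inbound server writes an Authentication-Results header; the authserv-id, the domain list and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: the protected domain list and the authserv-id
# that our own (hypothetical) inbound mail server writes.
PROTECTED = ("ebay.com", "ebay.co.uk", "paypal.com", "paypal.co.uk")
TRUSTED_AUTHSERV = "mx.mailhost.example"
PASS_RE = re.compile(
    r"\b(?:dkim|domainkeys)=pass\b[^;]*?\bheader\.(?:d|i|from|sender)="
    r"(?:[^@\s;]*@)?([\w.-]+)", re.I)

def protected_root(domain):
    """Return the protected domain that `domain` equals or sits under, else None."""
    domain = domain.lower().rstrip(".")
    for root in PROTECTED:
        if domain == root or domain.endswith("." + root):
            return root
    return None

def signed_roots(msg):
    """Protected domains with a passing signature, as recorded by our own server."""
    roots = set()
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(header).partition(";")
        if authserv.lower().split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # a results header supplied by the sender proves nothing
        roots.update(protected_root(d) for d in PASS_RE.findall(results))
    roots.discard(None)
    return roots

def verdict(raw_message):
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    root = protected_root(sender.rpartition("@")[2])
    if root is None:
        return "accept"  # not claiming a protected brand; normal filtering applies
    return "accept" if root in signed_roots(msg) else "reject"

# Constructed messages, not real mail.
HEAD = "From: PayPal <service@paypal.com>\nSubject: Claim your funds\n\nbody\n"
AR = "Authentication-Results: "
GENUINE = AR + "mx.mailhost.example; dkim=pass header.d=paypal.com\n" + HEAD
UNSIGNED = HEAD
FORGED = AR + "mx.sender.example; dkim=pass header.d=paypal.com\n" + HEAD
OTHER_SIGNER = AR + "mx.mailhost.example; dkim=pass header.d=bulk.example\n" + HEAD

if __name__ == "__main__":
    for name in ("GENUINE", "UNSIGNED", "FORGED", "OTHER_SIGNER"):
        print(name, verdict(globals()[name]))
```

A receiver relying on this header must also strip any inbound Authentication-Results header that already carries its own authserv-id before adding the real one.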
Michael Barrett, PayPal’s Chief Information Security Officer, spoke of Google’s decision, calling it “a significant step forward in our fight to keep consumers safe from phishing and cybercrime”. For me as a seller it’s great news to know that millions more unsuspecting buyers will have their accounts protected. Safe happy buyers spend more, and that’s what eBay is all about.
PayPal confirm genuine emails are spoofs
May 26, 2008
I received an email from PayPal last week, notifying me of a payment reversal by the buyer’s bank. I wouldn’t normally quote such things in full in public, but I don’t think I’m betraying any confidential information here because the email is strangely lacking in any sort of information at all:
We have placed a temporary hold on the funds until our inquiry is complete.
We are contacting you to learn more about this transaction.
To help in our investigation, please reply with the following information within seven calendar days:
#. Details about the item you sold
#. The buyer’s name and address
#. Whether or not the item has been sent. (If you have not yet sent the
item, please do not send it.)
#. A phone number where you can be reached for more information
#. Any email correspondence you have had with the buyer
If you have already sent the item, please also provide:
#. Name of the delivery service used
#. Date of posting
#. Tracking number
For transactions of $250.00 USD or more, please let us know whether you
would be able to provide a proof-of-receipt in the form of a signature
from the buyer.
I was really not sure whether this was a real email or not. So like a good eBayer, I forwarded to spoof@paypal.com. Then I signed in to my PayPal account, and sure enough there was a reversed transaction. Was this a real PayPal email, or just a spooky coincidence? I erred on the side of protecting my PayPal account, and replied to the email with the information requested.
This morning, I had two emails back from PayPal: one from customer support thanking me for the information I’d supplied, and the other from spoof@, thanking me for forwarding the spoof email and confirming it wasn’t genuine.
At this point, I started to wonder whether it was me or PayPal who had gone mad: but Jane the demon bead lady confirmed in our forum that exactly the same thing had happened to her.
I can understand that PayPal might not want to send out confidential financial information in emails, but the above email is completely inadequate. How many sellers are going to see it lacking any kind of credibility, assume it’s a spoof and delete it, only to have PayPal return the payment to the sender a week later because the seller hasn’t complied with the information request? At the very least, this should say “please sign into your PayPal account and supply us with the information requested through our website”, rather than using email for investigations.
As for spoof@paypal.com, it’s long been my suspicion that they tell us that everything is a spoof, just to be on the safe side. If genuine emails can and are being flagged as phishing, then really what’s the point of having spoof@ at all?
In the meantime, any sellers receiving such an email should sign into their PayPal account to check whether a payment really has been reversed before replying to *or* deleting the email.


