In mid-March, a merchant began receiving money into his PayPal account from bogus transactions and contacted PayPal. Neither he nor PayPal was able to get the money to stop arriving into his account, so PayPal restricted the merchant's account. For over 2 weeks, the merchant was unable to use his PayPal account to take orders, and while it does not appear to be a common occurrence, it could happen to any online merchant who becomes the victim of a determined fraud campaign.
The merchant, a programmer who sells scripts on his website, contacted us after the bogus transactions started arriving. And so began our investigation into a baffling case of online fraud in which we learned about some PayPal features that every merchant should know about and be prepared to use.
The merchant was using PayPal's Add to Cart buttons and PayPal's shopping cart. The payments began coming from different, bogus, email addresses on Sunday, March 15; by Wednesday evening, the payments were still arriving. At that point, he removed all Add to Cart buttons from all pages on his website, but additional payments continued to be deposited into his account.
We wondered how scammers could use bogus information (including email address, physical address, and phone number) to send payments through PayPal with credit cards that were, one would conclude, compromised or stolen. (Another obvious question: what was the point of sending payments to the merchant, whose account the scammer could not access?)
PayPal spokesperson Michael Oldenburg said the service allows merchants to accept payments by two methods. The first is through their PayPal account, which they can fund several ways including bank account, credit card or their account balance. The second method is through direct credit card payment, which PayPal refers to as a guest account.
Once a customer clicks on a merchant's Add to Cart button, they are taken to PayPal's website, where they can enter their credit card information without having a PayPal account. So why didn't PayPal's fraud filters catch the fraudulent transactions? We'll examine this more closely in Part 2 of this series. Did the merchant have the option of rejecting all payments other than those from shoppers who have valid PayPal accounts? Read on.
PayPal Account Optional
Throughout the ordeal, no one at PayPal suggested to the merchant that he turn off the option to accept direct credit-card payments, something he now believes would have immediately prevented the bogus transactions from being processed. The first time he heard of this capability was three weeks after the bogus payments started, when a new PayPal representative reached out to him. We suspect many merchants may also be unaware of this feature, called PayPal Account Optional.
The default for PayPal Account Optional is "on," which means merchants accept direct credit card payments unless they change the setting. Many merchants will want to keep it turned on so they don't lose sales from shoppers who are unable or unwilling to sign up for a PayPal account. (PayPal also benefits from guest accounts, since they are a customer acquisition tool: on guests' receipts, PayPal urges them to create a PayPal account.)
However, if merchants are in a high-risk category or find themselves in a situation similar to that of the merchant in this story, it's good to know how to access the feature. For more information, look for PayPal Account Optional on this page.
AuctionBytes received an update from PayPal as we were going to press:
This was a rare occurrence, as we discussed, with a new type of fraud. Our fraud models worked as they should in detecting the bad payments, which is why they were limited, but I understand that it was frustrating for (the merchant) as we worked to stop the payments from coming through.
One thing I wanted to make sure to point out is that the vulnerability in our PayPal Account Optional feature has since been closed, so we've already fixed the issue that allowed these payments to go through. So, it wouldn't be accurate to advise that merchants turn off this feature to protect against this going forward. Of course, merchants always have that option if they'd prefer to do so.
More on this, including insight from industry insiders, will be published tomorrow in Part 2.