Created: February 25, 2021 07:19 PM
ROCHESTER, N.Y. (WHEC) — It's a consumer's nightmare. A Henrietta woman discovered tech-savvy swindlers had stolen hundreds from her bank account.
How? They made fake purchases on her eBay account. And that’s not all. Access to her eBay account gave them access to her PayPal account and ultimately her checking account. And what happened to her, could happen to any of us.
Amanda Thompson and her husband, Lane, are comfortable navigating the labyrinth of listings in the daunting enormity of eBay's marketplace. But when crooks collared the cash straight from their checking account, they never saw it coming. The first hint of trouble came in the form of a notification from PayPal. When she opened the account, she found a receipt indicating she had made three purchases on eBay. But she hadn’t bought anything. So then she went to her eBay account and clicked on purchase history.
“I found three purchases - one for a hand blender, one for some type of mixer, and one for a porcelain bowl which I had not purchased," Thompson recalled.
Her eBay account is linked to her PayPal account, and that is linked to her checking account.
"So I called the bank the next morning because yes, all three of those did come out of my bank account,” Thompson said.
Ouch. Thompson had been hacked. First, this thief established a fake eBay account pretending to be a seller. The seller's handle was jeanga-2174. And he or she had been busy.
The seller had “sold” almost 50 products from a fake account. And each sale was followed with a glowing review adorned with decorative designs. There's little doubt the reviews are fake.
But the thief was thorough. His so-called receipt showed a transaction number and a Fed-Ex tracking number. But that tracking number was linked to a Fed-Ex envelope, and the thief was allegedly shipping a hand blender. That had to be fraudulent as well. After all, a hand blender can’t fit in an envelope. And the tracking number indicated that an envelope was sent from one local business office to another. And I had names. So I went to the alleged sender’s office to ask a few questions. I easily found the employee who had allegedly sent the package. I introduced myself and asked her whether she’d been selling items on eBay. The employee was shocked, insisting she had never used eBay.
I emailed the corporate office of that local business and their team discovered “the tracking number you provided was a legitimate tracking number associated with a legitimate business transaction."
That means this business is also a victim of this crafty con artist. A local police investigation confirmed my findings. The hacker had stolen that company's valid tracking number. But why? My search of eBay seller policy would lead me to the answer. eBay will pay the seller "within 24-hours" if they "manually enter tracking information."
"In order to get the payment you have to show them that you shipped the product and a way to do that is to provide them with a valid tracking number," said Lee Drake, a tech expert and CEO of OS-Cubed, a Rochester-based technology company.
Drake is not at all surprised that the scam is incredibly elaborate.
“The way these guys stay under the radar is that they do a lot of small transactions instead of one big one,” Drake said.
Bingo. The thief in this case made small purchases through the eBay accounts of almost 50 victims. That means he pilfered more than pennies. If, like Amanda, he stole about $300 from each, that amounts to $15,000 in about three days.
When I contacted eBay, a spokesman said, "Unfortunately, it appears this customer was a victim of a phishing scam that did not originate on eBay."
Drake agrees that was likely the case.
It's initially possible that her email account got compromised," Drake said.
And Thompson’s email provided an open door to her eBay and PayPal accounts.
"I actually never really changed my passwords before because it is such a pain to change them," said Amanda.
Experts say creating a different, difficult password for each account is absolutely essential, as is two-factor authentication.
"With two-factor, you type in your user name and password and then you get a notification on your phone that somebody's trying to log in. And then you approve that on your phone and the log-in goes through,” Drake explained.
Thompson’s bank acknowledged that she'd been scammed and replaced her stolen cash. But there's no doubt this experience has changed the way she shops online.
“I am on high alert keeping track of my bank account my PayPal account. Normally I don't pay much attention to it. Now I pay more attention to it,” Thompson said.
I spoke to the folks at eBay at length and they would not tell me how often eBay users are defrauded, but they insist it's rare. But experts say this kind of fraud on any e-commerce site is commonplace. In fact, your email has likely already been hacked. In one of my recent consumer investigations, I revealed that security experts at Cybernews recently found 3.27 billion unique emails and passwords on the dark web.
All these emails and passwords were not from one breach. Instead, hackers had compiled them from dozens of breaches. And because so many folks use the same password over and over again, thieves are using your email password to see if they can get access to your other accounts, like your banking app or your Paypal account.
So here's what you can do. Go to the website HaveIbeenpwned.com. The word pwned, (pronounced poned) is taken from video game culture. It means to control or conquer someone. In internet-speak, it means have I been breached.
So I put my husband's email into the search engine. I already knew that it had been compromised, but according to the site, it's been breached nine times and has been pasted once. That means it's been shared on a public website where hackers can easily share information.
Bu. my husband frequently changes his passwords. So I wanted to see his password had been compromised as well. I went to the website, Pwnedpasswords.com tells me it has not.
So now you can clearly see why we all need to change our passwords. And make sure you create unique passwords for each of your accounts. Here's how you can do that easily. Go to 1password.com. It will generate unique passwords and store them for you.
As for eBay, a spokesman wrote me with the following advice:
Here are some key resources & tips:
Recognizing legitimate contacts from eBay
Copyright 2021 - WHEC-TV, LLC A Hubbard Broadcasting Company