When cyber thieves use PayPal as portal to bank account
Ronda Mills is used to drawing crowds. She produces art festivals throughout Southern California, including multiple events annually in Palm Springs and Burbank.
But one place she doesn’t like seeing a lot of traffic is her Wells Fargo checking account, which has been repeatedly drained by scammers in Canada and India who have fraudulently linked it to online PayPal accounts.
This has happened four times over the last two years, and each time Mills, 54, has had to close her checking account and open a new one. The latest breach occurred this month.
“It’s been a huge hassle,” the Valencia resident told me. “I have a lot of automatic bill pays, and each time I have to shut them all off and then reset them. I’ve also had a lot of bounced checks as a result of this.”
And, amazingly, neither Wells Fargo nor PayPal has been able to get to the bottom of the problem and keep the scammers at bay.
Mills’ troubles highlight the ease with which con artists can access people’s money using digital-age financial services like PayPal, which is owned by auction giant EBay and is used to facilitate online payments.
It also serves as a warning that existing safeguards can be of little help when scammers apparently have ready access to confidential financial information.
At this point, nobody knows how the scammers were able to obtain Mills’ checking account and routing numbers, even though she was issued new numbers each time.
It’s possible the scammers have access to Mills’ computer via a software virus or some other high-tech means. It’s possible the account of one of Mills’ business associates has been hacked, providing access to her financial data. It’s even possible the leak comes from someone at Wells Fargo.
Mike Vergara, PayPal’s director of risk management, said he’s betting the problem lies with Mills’ computer.
“The scammer probably has malware in the machine and has access to all her information,” he said. “Even if she keeps changing her account, the malware gives access to the new number.”
Vergara said cases like this are still relatively uncommon. “But, regrettably, they’re growing,” he said.
Maybe that’s partly because of the seeming ease with which hackers can penetrate a bank account via PayPal. To set up a connection, you need to verify that a bank account is yours by reporting to PayPal the exact amount of small deposits made by the service.
In most cases, a would-be scammer wouldn’t know how much PayPal was putting in someone else’s bank account. But if a hacker has infiltrated that person’s computer, ascertaining the amount deposited may not be difficult at all.
And suddenly that account is vulnerable to attack.
In Mills’ case, Wells Fargo was able to determine that the breaches originated in Canada and India, where the scammers had apparently established their PayPal accounts.
Vergara advised all consumers to routinely check their bank accounts for tell-tale deposits of less than $1 from PayPal or a similar service, especially if you don’t regularly use these cyber-payment services. They show that someone is probably trying to access your cash.
If you see anything you can’t explain, immediately contact your bank.
Vergara also said people should do everything they can to keep their computers safe, using the latest browsers and security software.
And if some sort of virus or malware is detected, he said, seek professional help. Often, these programs are so sophisticated that it takes a true techie to chase them down and bottle them up.
Jennifer Langan, a Wells spokeswoman, said the bank would work with anyone who has been victimized by such a scam as long as it’s notified of the security breach in a timely manner.
She said Wells has ensured that Mills has been refunded all cash stolen from her checking account and that her credit record remains unblemished.
But if your bank won’t do the stand-up thing and make good for any scam-related losses, Vergara said, PayPal will refund any money that can be shown to have been stolen via the online payment service.
“You can never be 100% safe,” he said. “But if you’re vigilant, you can probably keep the bad guys away.”
Consider yourself warned.
David Lazarus’ column runs Tuesdays and Fridays. He also can be seen daily on KTLA-TV Channel 5. Send your tips or feedback to david.lazarus@latimes.com
