Wednesday, September 23, 2009

PayPal Account Hacked!

While working in my office this week I received an email "receipt" from PayPal reporting a $10.00 payment to Skype (an online phone service). I've not used my PayPal account in some time, so my first thought was that this was a fake PayPal email. After all, it is commonly known that PayPal is regularly fighting the fake emails that are sent out hoping that the recipient will click on the embedded links. See, How Do I Report Paypal Fraud or a Paypal Scam. Nevertheless, I logged into my PayPal account to make sure (opening a new browser and entering the web address manually). There it was, a $10 payment to Skype on my PayPal account. The email I received was not a fake one from PayPal. It really was a receipt for a $10.00 charge.

Now, I do have a Skype account that I used when travelling abroad (worked great in Moscow), but it is not active at this time with any on-going subscriptions. Moreover, I never used PayPal to pay Skype in any event. I logged into the Skype account to verify nothing was active, which was still the case. Apparently, there have been some complaints that consumers are unable to cancel Skype once they open an account (see Skype forum).

Since the problem did not appear to be with Skype, I called PayPal. Although it took two customer service reps to get to the bottom of the problem, it turns out someone had logged into my PayPal account four times that day and authorized the transaction to Skype. Kudos to PayPal for agreeing to reverse the charge quickly and sending me an email within 24 hours "resolving" the case in my favor and saying that the charge will be reversed within five days on my American Express card.

Luckily for me, I do not have my bank account connected through PayPal. PayPal does, though, encourage users to connect bank accounts. As a payments professor I can easily imagine the havoc a PayPal hacker can create by draining a user's checking account, leaving the user waiting as long as ten days for a provisional recredit (Federal Reserve Consumer Handbook to Credit Protection Laws: Electronic Funds Transfers). So, consumers should exercise caution with all payment devices that are connected to their checking accounts in case of fraud, including both debit cards and services like PayPal.

A final interesting question is why the thief chose $10, and why Skype. The $10 amount is not as likely to get noticed or to encourage authorities to make the chase. Skype is a European company which also might make catching thieves more tricky. But, since it deals in phone services, the thief probably either used the $10 asset before being caught or resold it to someone else. All of which contribute to the success of the hacker in these instances. What else can be done in these cases? It seems that the best solution is preventing the hacking in the first place through better security. Not sure how the hacker managed to get into my PayPal account, but there appear to be web sites that claim they can instruct you how to do it. Just another wild day in modern payment systems.
-JSM