
Scam watch: did PayPal misunderstand remote access software fraud?

Remote access software is commonly used by scammers to commit fraud. Here’s how it was used to transfer £5,000 from a victim’s PayPal account.

A scammer transferred £5,000 from a victim’s PayPal account after logging into their computer using remote access software. The victim reported the fraud to their bank and to PayPal immediately.


The bank did a good job and stopped any money from leaving their bank account, but PayPal disagreed that it was a fraudulent transaction and sided with the scammer. PayPal then began to pursue them for the money, threatening the victim with debt collectors.

Investigating fraud

PayPal’s buyer policy promises it will investigate fraud on its platform and says that customers aren’t liable for unauthorised purchases. Yet it may have quickly jumped to conclusions in this case because the transaction was made from the victim’s usual device and the location associated with their account. The transaction appeared that way only because scammers had maliciously accessed the victim’s computer.

It appears PayPal misunderstood a tactic increasingly being used on its platform to defraud its customers and decided the transaction was authorised by the victim. We challenged PayPal that this was in fact an unauthorised transaction because the victim didn’t give permission for the payment.

The large payment amount was also uncharacteristic for the victim, a frequent user for more than 10 years. This, coupled with the fact that the receiving account was based in Australia, should have raised suspicions.

PayPal has since investigated further and said:

Unfortunately, as [redacted] had given the fraudster access to her computer and the PayPal security code, the fraudster was able to send a payment from her PayPal account. When she realised that this was a scam, she claimed that she had not authorised the resulting payment. We rejected the claim as she admitted that she had willingly provided her details to a third party. But we were able to recover the funds and return the money to [redacted] account. We are pleased that the matter has been resolved.

Remote access software scams

If you’ve been affected by fraud on PayPal and you’re struggling to get support, remember that the platform is also covered by the Financial Ombudsman Service, and you can escalate your case if necessary.


Have you been the victim of a remote access software scam? Did it involve PayPal, or another brand, such as Amazon? Let us know how the situation was dealt with in the comments.

Comments

@lmerryweather. Lauren, how did remote access software get put on the victim’s computer?

If known, that would be interesting to learn.

Previously, we’ve seen that the goal of many telephone scams is gaining remote access to a victim’s computer.

But there may be other ways of achieving that. For example, “free” software from suspect sources can often install additional unwanted software.

I’ve also seen cases where careless or clueless Web browsing can lead to the installation of malicious browser extensions, which change the search engine and may do other harm.

As part of the scam, the scammers (over the phone) instruct the “victim” to press the Windows key and R, then type xxxxxxxx, then select install. They basically get the victims to install it so they can talk them through getting a refund etc. There are plenty of videos on YouTube explaining phone scams.

One way is by fake emails claiming to be someone like UPS or DHL etc, or some other well known trader or service provider etc. and the victim clicks on it and then the program gets installed in an instant in the background without making itself obvious, and you only find out later when you fall victim to it. These emails can look very authentic complete with the company logos and phrases etc. It could even resemble your home or car insurance provider for instance. This is why we must now all use top of the range security packages and forget the basic free ones which are a waste of time in my honest opinion. Another way is by clicking on ads in your browser, so don’t touch them. A good security program will have search advisor indicators which appear next to each search result indicating whether that site is safe or not, they’re usually green for a known safe site, yellow or amber for a possibly dodgy site, and red for a seriously dangerous site etc. And of course Which? have a page showing which security programs are any good so you can make an informed choice. And of course do check the security settings in your browser and make sure it’s set up securely. The default settings are not always the best.

Hi Lauren,
Who did the scamming? Was it someone known to the victim?

@lmerryweather, thanks Lauren. So the victim simply allowed someone she did not know access to the computer? That seems very negligent. Like leaving your front door open when you leave the house, your car key in the ignition, letting someone see your PIN. I really do not see how you can blame someone else for the consequences and why the bank should pay for the victim’s negligence.

I was told remote access software should be removed once it had been used for a particular purpose. Many of these scams seem to revolve around victims’ lack of knowledge or awareness. Perhaps if banks (actually you and I) are to, by default, be made responsible for their clients’ actions the banks should carry out a test of their capabilities before allowing them full access to account facilities, and granting only limited facilities to those who are less capable.

I had 3 supposedly from DHL. The problem is I was waiting for a parcel, but as I have never had 1 delivered by DHL I decided to go on their website to look into their delivery notifications. The emails I had received didn’t seem to tally with the ones DHL said they send so I deleted them. I then received another one, 1 hour after my parcel was delivered by the usual delivery service. I did try to install their Parcel tracking app the first time, but luckily my phone and my security on my phone blocked it, saying it was unsafe.

Excellent suggestion @malcolm_r. Those of us that pay to keep our devices secure and avoid phishing, malware and social engineering, should not be underwriting the losses of those who don’t take any precautions or simply don’t know what they are doing. At least our accounts should have a higher rate of interest / lower monthly fees in recognition. A bit like a no-claims bonus for careful drivers.

Matt says:
29 April 2021

I think Paypal are the biggest scammers here, their press release/reply is shameful.

I know about remote access software, I’ve seen it in use for remote servicing of a PC a couple of times, and of course it can also be used maliciously. That is why you MUST always make sure you have top of the range security software installed and kept updated and it’s also why you must have long and complex passwords on everything, all your online accounts, your email server, your ISP account, your security program etc. and keep them written on cards and keep them locked up securely at home and don’t use fancy “password managers” or anything similar and don’t tick the “remember me” or “stay logged in” box anywhere and of course never save passwords on your device or on any online storage system, it’s asking for trouble. And of course never admit liability for something that’s not your fault. Remember far too many sites don’t use end to end maximum security encryption which should be compulsory these days so that’s all the more reason to practice maximum secure routines like I’ve outlined above. The more supposedly “carefree” you are with your sensitive stuff the more likely you are to fall victim, you must never let your guard down while online, and of course DON’T save anything seriously sensitive on any network connected device, I don’t, no chance! And also remember that simply deleting stuff from your hard drive isn’t secure either, as it doesn’t destroy it but only overwrites it and it can be recovered using remote access software, so use file shredding software which is often included with good security programs. And of course also NEVER use the same password for more than one account. And trading sites like supermarkets and diy sheds should be BANNED from demanding that you save your card details on their site, that’s something I furiously object to, especially as tesco’s customer database has already been compromised and is on the dark web which looks like proof that they don’t use adequate security and therefore can’t be trusted.

For further enhanced security, it is a good idea to use two factor authentication where possible. Typically, this involves a password that the user will know and a one time pass code that will be sent to or generated on a second device, such as the user’s phone. I think all my banks now require this one way or another.

Currys PC World Know How maintenance team: it used to be that you could take your computer in to them or, if you can’t get out due to disability etc., either they would come and fix it in-house or take it in for you and bring it back to its home when fixed. Now they use remote access all the time. They are pretty good at finding and fixing computers that way, I’ll admit, but I’ve often wondered how safe it is… Admittedly, with Covid being so virulent and rules and regs being so strict, it’s been difficult for all walks of life and we’ve all relied more than ever on our computers for so much over the past year. None of us would have wanted to be without, be it wanted for work, school work, shopping or simply keeping in touch with others and the news. But as someone pointed out, remote access can be misused. And no one really knows who’s on the other end of the line, no matter whether they say it’s Know How or whatever.

That is a good question, Dee. Never allow anyone to use remote access if they have called you or call the company using a number provided in an email. If you are prepared to allow remote access I suggest you keep a record of the genuine number in your phone book.

If you do make a call and allow access to your computer you are at some risk, just as you would be if you took your computer into a shop for repair. It’s possible that any of us could need help with a technical problem, so it is worth assuming that this could happen or that the computer could be stolen. Having a list showing accounts and login details on the computer would be convenient but could be asking for trouble.

Crusader makes a lot of good points. I have suggested to my parents that they should keep a book or card index of their passwords. If you’re a reluctant user of the internet who is trying to minimise your exposure, while still accessing essentials like banking, shopping, utilities, etc then it makes total sense. Especially if you just access the internet from a desktop computer at a desk with a full size keyboard.

However, a lot of people are now accessing the internet from multiple devices, mobiles, tablets, laptops, games consoles, etc. Many of the accounts are shared across families, like Netflix, end-to-end encrypted cloud storage, photo collections, etc. Manually entering long complex unique passwords is just not practical on devices without keyboards, especially when out and about. If forced to do it, most people will choose a short insecure password instead.

Password managers solve all these problems, lock your passwords in an encrypted vault and allow you to share selected passwords with family members. Some password managers also allow you to share two factor authentication codes, so you can turn-on 2FA for accounts you share with your family. If you want to take full advantage of what the internet has to offer then I don’t see a realistic alternative.

I have some family members who are pretty useless at remembering passwords and also at keeping track of them by handwritten means. I’ve met others who have the same problem.

From that, I’ve concluded that not all options will suit all users.

Some passwords – like bank ones (and any that can be used to order and pay for goods and services under continuous payment authorities) do need to be kept as secure as is practicable.

For non critical passwords, I think it is a good idea to let web browsers (and other password managers) store them, so long as they are not the same or similar to any important passwords. For example, I’m not too bothered by the prospect of anyone hacking my W?C login password.

I adopted this approach when it became clear that it really is not a good idea to use the same passwords for different purposes.

Thankfully forgetting a password is usually easy to sort out.

Agree with all points. However, I would point out that additional security, in particular two factor authentication (2FA), can have significant benefit. Select a form that requires the use of a second, independent device that is not connected to your Windows account, for best protection. When using a password manager, do use a paid version that requires a password to be entered before supplying payment details or downloading a password list. While added security would not have stopped this particular fraud there is no reason for not raising additional roadblocks that may make the fraudster think there are easier targets.

I was also manipulated via a supposed Microsoft advisor into PayPal fraud to almost £3000, with the scammer also setting up a PayPal Credit facility to gain another £1500. I contacted PayPal to investigate this action, as I never authorised any amount being sent to a Nepal account at all, via a PayPal subsidiary company called XOOM, which was all verified by a PayPal representative over the phone, to which he upgraded to Fraudulent activity through complaints department. After a good period, PayPal resolution centre came back, upholding their findings, saying they could not see any fraudulent activity at all and no help from them at all to recover the amounts or Credit facility raised.
My Bank successfully recovered all my money and blocked any further attempts by scammer. I have closed my PayPal account of 17 years (no longer trust them), had my telephone numbers and email address changed along with computer checked for any underlying interference.
The experience was heart wrenching and worrying, that PayPal did not recognise an activity of a long time account holder was not his doing. Totally disgusting!

I was scammed on a phone call supposedly from Amazon. They took £699 from PayPal. I messaged PayPal immediately and asked them not to pay this amount as it was a scam and I didn’t authorise it. They said because it came from my phone, it was an authorised transaction and case was closed. I wrote them another e-mail stating that it WAS unauthorized and I wanted my money back. I said my bank fraud dept were going to deal with it. PayPal then proceeded to refund me the whole amount.

Paula – just a quick point, Amazon do not use Paypal for anything. You cannot pay for anything on Amazon using Paypal. Additionally, Amazon will never phone you asking you to pay anything.

I have zero sympathy for people who fall for these scams – NEVER allow anyone remote access to your PC, not even for purportedly legitimate purposes. Always question and double check – preferably by contacting the company direct, by websearch not via any links you have been given. [edited] Why should banks and financial companies be liable for a customer’s basic lack of knowledge?

[Moderator: we’ve removed part of this comment which did not adhere to the Community guidelines.]

As, clearly, you have all the brains, what possible chance do the rest of us have?

What you’re saying is true to some extent, but it’s not always down to people’s own lack of vigilance, but of course people these days should be well prepared, like using only one off complex passwords and never storing them anywhere other than on a card locked in a box. And never re-use a password for another account or site etc. See my notes above about online security precautions.

Shirley Cranswick says:
29 April 2021

I am currently going through some detective work as I think I have been scammed. What has really upset me is that I googled the company and was told it was ok but just to double check I went on to a SCAMMER ALERT site and they also said although the company was fairly new the reviews on it were very good and it was a valid site. Now nearly one month later and no goods appearing I decided to investigate and the initial company email came back with a different name and looking further it had another again. I emailed two of them and got mailer daemon back. I am still waiting on the third. I have checked google and the scamming site again and NOW they are saying they are suspicious and possibly scammers!

Shirley, if I was going to set up a scam, one of the first things I would do is post positive reviews on Trustpilot, and scammer-alert sites.

Bite says:
30 April 2021

You can’t trust Trustpilot anyway. The other day I looked up a company that only had 5 reviews each giving only a ONE star review because of pathetic performance yet Trustpilot converted the five ONE stars into an overall TWO star rating, I then added a post pointing this out but the company reported my posting as I had not purchased from them and Trustpilot removed my posting. Almost immediately after another ‘poster’ added a five star review which disguised the original FAKE TWO star rating. Hence my TRUST of Trustpilot is now only barely two star.

I take no notice of reviews and have never followed them up so I don’t know how the process works. I am assuming that people who submit reviews do not pay to do so; presumably the subject company pays. Immediately I sense a conflict of interest. So where do review sites get their money from?

Hi Shirley,

You might find some of the sites listed here helpful in your investigation:
https://conversation.which.co.uk/scams/citizens-advice-pandemic-scams/#comment-1621694

Website checkers do vary a lot and give different results so it is a good idea to check on several sites and use the results as just a guide rather than a given. I would avoid a new site as fake sellers change sites very quickly before moving onto the next one.

Hi
Not long ago I was almost caught out by a Paypal transaction. I received an email thanking me for the iPhone order and saying my account would be charged by £xx. I hadn’t ordered one so logged into my bank account and selected unprocessed transactions – there it was. I rang my bank immediately and asked them to look at this entry. I confirmed it was a fraudulent transaction (don’t know how the fraudster got past the bank’s ‘unusual transactions’ or security questions) and once passed to the fraud section was informed the transaction had been cancelled.
I also contacted Paypal and informed them I had not ordered this item and the payment would not be leaving my bank account! To be fair to them they asked that I immediately changed my Paypal passwords, which I did.

Maureen Wood says:
29 April 2021

I was scammed by so called Virgin engineers, who set up a fake page which looked like my bank account. My bank, Santander, repaid the amount in full after I reported it.

So glad PayPal are on the lookout for those that want to scam us. So once again, thank you PayPal.

A Patel says:
29 April 2021

I’ve had a similar issue with PayPal. Back in October 2020, I had 3 unauthorised payments taken using my son’s email address and his Roblox account. And each time, Paypal said that all the payments were authorised. However, on the days in question, my son did not have his laptop and more importantly, I had set up a two-step verification process with PayPal and at no time did I receive the txt to confirm that it’s genuinely me. A fact that PayPal didn’t bother acknowledging. I have since closed my account. They’re just a bunch of scammers themselves.

Charles says:
29 April 2021

Look this is really simple! Just don’t trust anyone who phones you, texts you or emails you and requests your information “for a security check”. Also if the contact does not have your name in the request it is certainly a scam. Charles

Does anyone have a strong recommendation for top of the range security software which would protect my iMac and iPhone, please? Thanks.

I do not know if they do a version for iPhones or Mac – Apple do not make it straightforward for 3rd parties to do this, in fact they claim you do not need it.
On my Android phone and Windows laptop I use Malwarebytes. I use the paid version and it is excellent. I do not know if they have a Mac/iPhone version.

I am using Bitdefender which is well rated by Which? and a subscription covers my iPhone and two Macs. There seems to be a version of Malwarebytes for Mac but I don’t know any users and Which? has not reviewed it. You could ask Kate Bevan from Which? Computing magazine in the Tech Talk Conversation: https://conversation.which.co.uk/technology/which-computing-editor-tech-talk/#comment-1574399

I have had problems with PayPal in the past and closed my account because I could not trust them. Also if you use a credit card with PayPal then the credit card company no longer cover you for purchases as it normally would. You have to go through PayPal for any claims and I have not found them to be very helpful.

I experienced this with Paypal last year. It was a much smaller amount (£79) but after contacting Paypal I was really disappointed with how they handled it. I had contacted my bank too and they refunded the money initially but after pushing the issue for about 2 months Paypal eventually investigated and reported back to the bank that the amount was paid from my usual device! The bank then deducted the amount from my account again. I never understood how this could have happened as I knew I had not spent that amount on my Paypal account and with the vendor (House of Fraser) that the payment supposedly went to. I have not shopped with House of Fraser for years! Incidentally House of Fraser were even less helpful than Paypal! I ultimately had to drop the issue and accept the payment as I had hit a brick wall with both the bank and Paypal.

Brian says:
30 April 2021

Just another typical story about Paypal and justification for why I have refused to have anything to do with them for over 8 or 9 years. I never opt to pay through Paypal and if payment can’t be made any other way I won’t make the purchase.
It’s not until people stop using them, and this goes for all the others, Facebook, Google etc, will they ever change their ways and attitudes.

After my Ebay account was hacked & Paypal paid out (without it even being recorded!) about £200, Paypal stated it was NOT a fraudulent transaction.

It is extremely easy to Hack Ebay by changing passwords & jamming the confirmation emails at source.

I closed my Ebay account and Paypal account. Now I do not have & never will have a Paypal account.

I have reopened an Ebay account, however do not give them any Credit Card details. You can do this.
Never leave your Credit Card data on sites which will “save for next transaction”.

Always use a specific card for online purchases; if you have a problem one only has to cancel one card.

Michel couque says:
30 April 2021

I had a situation where a scammer tried to move a total of £12000 from my bank account to a church in India. Luckily the bank were excellent, but PayPal would not listen to me or the bank that someone had access to my PayPal account. The bank stopped the transactions and I will never use companies like PayPal again.

Amy Green says:
30 April 2021

Number 1 rule is never, ever, download and install anything on to your computer or phone based on a phone call.

If the police call you telling you they need to investigate your browsing activity, tell them to come and arrest you then hang up. (It’s not the police)

If the tax office calls you telling you you’ve been connected to criminal activity and a warrant will be issued for your arrest unless you do as they say, hang up. (It’s not the tax office)

If Microsoft calls you saying they’ve detected a virus on your computer, hang up. (It’s not Microsoft)

If your bank calls you to say they’ve detected unauthorised transactions and they need to verify some details before unlocking your account, hang up, call your bank back using the phone number on your statement to see if it was a genuine call.

If your mother-in-law calls you, don’t even answer the phone.

“If your mother-in-law calls you, don’t even answer the phone.” – yeah that 🙂

Amy has missed a vital precaution. Just hanging up and calling a known number for your bank has been defeated by the scammers, who don’t clear the line and fake the bank’s office complete with fake dial tone. Use another phone line or perhaps call yourself first to confirm the engaged tone.

Keith says:
30 April 2021

Why doesn’t the article tell people how to prevent remote access?

No it doesn’t – and without that information we may be missing important lessons learnt from this incident.

But, in general, if a cold caller asks for permission to use remote access, this should always be refused. Just say no!

From what I’ve experienced of telephone scams, they usually start by conning victims into downloading and installing remote access software. Many of those software installs now include pop up warnings not to go ahead with the installation, if asked to do so by a cold caller. Some of those callers will get very stroppy and abusive if you point that out to them.

But I’m sure there are other ways of getting remote access. For example, Professional and Enterprise versions of W10 already have remote access software built in. There is also a whole range of RAT (Remote Access Trojan) software that can be used by hackers to monitor and control victims’ PCs. RAT software is designed to be undetectable, unlike conventional remote access tools like TeamViewer.