/ Shopping

Scam watch: PayPal T&Cs exploited to defraud seller

Online shopping scam

A Which? member asked us for advice when his daughter unwittingly became liable for an online selling scam using Paypal.

Which? member Richard Hogg told us: ‘My daughter placed an advert on Gumtree to sell her laptop for £250. She received a call from a lady who wanted to buy it, provided it was OK for her dad to transfer the cash, as she didn’t have a bank account.

‘My daughter gave her account details. The money arrived, so she arranged with the buyer for the laptop to be collected in person.

‘A few days later, she was confused to get a call from PayPal saying that one of its customers had paid her for an iPhone but hadn’t received it.

‘Further investigation revealed the scam – the scammer saw the advertised laptop, then placed her own ad to sell an iPhone for £250. Once someone contacted her to buy the phone, she asked if they would transfer the cash into her friend’s account, as she didn’t have one.

‘They agreed and the scammer provided them with my daughter’s Paypal details. The buyer of the iPhone then put the £250 into my daughter’s account, which my daughter presumed had been transferred by the father of the lady who was buying her laptop.

‘When the buyer of the iPhone didn’t receive their paid-for goods, they asked PayPal for a refund. Despite my daughter being the victim of a slick scam, PayPal insisted that she refund the money, as its terms state that customers must only hand over an item to the person who actually paid for it.

‘The scammer has her laptop and the police aren’t interested.’

Our advice on online selling scam

The police concluded that no crime had been committed because the member’s daughter had the money in her bank account – and it should be PayPal that pursues the matter. Sadly, however, because PayPal’s terms of sale were broken, little can be done to get the laptop back.

This is a really sophisticated scam. The only way to avoid it is to refuse payment from anyone other than the person buying the item – and to always post items to the address associated with the PayPal account. We’d recommend obtaining proof of postage too.

Have you ever been affected by a similar type of scam involving a PayPal transaction?


Yes, a slick scam. I am missing a point though, for I cannot see how PayPal is involved if the scammers were obtaining and passing on the daughter’s bank details ( sort code etc). Was it maybe the daughter’s PayPal address which was passed? Perhaps I am a nit picker, but to understand PayPal t&cs, that would be an essential skill.

I must admit I’m equally confused. How did the victim not check who had transferred the money? I admit it was a very slick scam but surely more careful checking would have revealed the problem? The Police said no crime had been committed, but surely fraudulent misrepresentation had occurred? Yes – the members’ daughter had the cash n her account, but the person who took the laptop in effect stole it, as it wasn’t her who’d provided the cash. A lot of unanswered questions…

I can’t see how any bank details have been passed on, simple fraud

Person A selling laptop
Person B says they want to buy and asks for paypal details
Person B advertises iPhone
Person C buys iPhone and pays money to Person A’s Paypal account
Person A hands over laptop to Person B
Person C complains iPhone not delivered

Person C gets refund as iPhone doesn’t exist, person B has laptop, person A has lost out.

Person C doesn’t know who they have paid other than Paypal address, Person A likewise

I am confused. Was the scammer the lady who wanted to buy the laptop in the first place? Or a third person?

This comment was removed at the request of the user

What I fail to understand is who did Jims daughter hand the laptop over to “in person” and was she given a false contact address and as Ian makes the point who transferred the money? Was this another case of banking confidentiality on the part of PayPal refusing to disclose the identity of the payer? I am not at all familiar with Paypals T&C’s so can someone enlighten?

Duncan, your comment was as complicated, if not more so than the subject on hand 🙂

Yes – so far as I can see this was a telephone trick. I can’t find any suggestion that PayPal had been hacked.

I am innocent of this form of trading so I don’t know how PayPal set out their terms and conditions, but they ought to make bold and highlight the rules about handing over articles for sale – (a) what should buyers present as verifiable proof of identity, and (b) what identity checks should sellers carry out on their doorsteps; and what is the procedure when (a) doesn’t satisfy (b)? And what rules do Gumtree have – why are PayPal calling all the shots?

This comment was removed at the request of the user

This comment was removed at the request of the user

No hacking was required in this case. The scammer already had the bank details for the fraudulent iPhone sale because she had offered to buy the laptop. There was no iPhone for sale – that was the ruse. What we don’t know is who collected the laptop.

I agree with Ian. This was a criminal act and the police should have pursued it back through Gumtree’s and PayPal’s records.

No hacking needed at all. Paypal was secure. Fraud was because you should never hand over goods in person for a Paypal transaction, send by post or accept cash on collection

I’ve just been transferring my energy to E.ON – thanks John W., you prompted this as they have a new deal that suits me. However, that has left my brain a little tired, and I, too, am confused by this tale. If money was transferred to Jim’s daughter’s bank account directly from the purchaser’s bank account, then I don’t see where PayPal come into this. Clearly I have missed something, but I wish these Intros were edited to make sure they were clear as to facts. Perhaps it could be modified to explain the true situation more clearly?

This comment was removed at the request of the user

Agreed, Malcolm. Tommy Cooper used to do pieces like that . . . well, not like that . . . his tricks made sense.

Duncan, PayPal was brought into the case by trickery. They were used by the woman who wanted to buy the laptop to give credence to the fake sale to an accomplice of a non-existent iPhone in order to get back the money she had paid for the laptop. The accomplice got the money back for the false iPhone sale and the scammer got the laptop for nothing. The laptop buyer and the accomplice could have been the same person. If the laptop was going to be collected then the seller could have insisted on cash instead of a money transfer, but we have a psychological tendency to trust someone who has agreed to pay us for something.

I have just clicked on “Paypals terms of sale” in the header, they are a joke! How anyone can understand or even plough through them is enough to put anyone off purchasing anything with their ‘protection’?
Self protection is the aim here I would guess!

This comment was removed at the request of the user

Good point Beryl. I wonder if a court would decide that PayPal’s terms were not legally binding under Pt 2 of the Consumer Rights Act 2015. Terms must be fair – not weighting the contract unfairly against the consumer. They must be transparent (if written) – enabling the consumer to make informed choices for instance using clear, jargon-free language consumers can understand [HMG Guidance]. I think even a High Court judge would stumble over this case but it’s time some of these labyrinthine terms and conditions were put to the test. PayPal can afford the best lawyers to tie the customer up in knots in order to deter any claims against the company and drag out any legal action until the claimants run out of money.

This comment was removed at the request of the user

I am not sure how your comments are related to my remarks on unfair terms and the CRA nor to the PayPal scam. And I do not accept that the UK has a “culture of secrecy and information denial”.

There is a Freedom of Information Act and an Information Commissioner.
Most official bodies are transparent and forthcoming.
Government writes in plain English.
Transparency International UK is described as an NGO as though that makes it in some way official but it is not a government organisation and is not acting on behalf of the UK government; it therefore has no powers of disclosure or examination of legally withheld information.
If £2.3 trillion of contracts were examined and only £14 million attracted comment as possibly open to corruption that sounds fairly creditable to me.
I have no knowledge of the matters you are referring to at Hackney Council but I
presume the council offered a justification, which has not been reported, for redacting text in documents in accordance with the law.
The council, or if necessary the court, could authorise disclosure to official investigators.
All local authorities are subject to independent external audit and the public has a right to inspect all relevant documents before the audit commences.

I note that Transparency International UK states publicly that “whilst public finance transparency is much better in the UK than many other places globally, poor quality, inaccessible and redacted data is preventing the public, journalists and investigators from scrutinising public spending”. I think that is a fair comment as there is always room for improvement.

Interesting though this might be to some, I don’t think we should deflect attention away from the appalling scams that seem to be associated with private buying and selling through the internet, and how American companies like e-Bay and PayPal [now separate but previously joined at the hip] have terms and conditions that make it difficult for buyers and sellers to receive fair treatment when their transactions go wrong, and do not have robust measures in place to prevent and act against dishonest trading.

………….and the police said no crime had been committed. Obviously much too complicated a case for them to. crack!

“The police concluded that no crime had been committed…”

As others have noted, the “buyer” fraudulently offered a non-existent iphone for sale and then conned its would-be buyer into funding the con, via a cunning play on the paypal T’s & C’s.

A complicated way of obtaining a 2nd hand laptop. Honest folk just buy them – or scrounge them from their friends.

I find this not only bizarre and the most awkward way of getting a free second hand laptop imaginable, but there are quite a few unanswered questions. I’ve taken the time to break the case down into its 3 associated components.

Part 1
Victim advertises Laptop on Gumtree
Female offers to buy it
Victim provides her bank details to Female
Paypal enters and claims victim has been paid for iPhone from Victim.

Part 2
Female had seen Gumtree ad for laptop
Female advertises non-existent iPhone on – what? Was that ebay?
Female claims her iPhone buyer was asked to pay money into Victim’s account (Crime)
Female provides Victim’s bank details (Crime)

So Paypal was clearly the method used to pay in Part 2, but why Paypal? This is the part that’s far from clear to me. When you use Paypal, as I do very rarely, you don’t provide your bank details at all. You only provide them in the initial instance to Paypal themselves. So there’s a clear disconnect between parts 1 and 2.

Part 3
iPhone buyer doesn’t get iPhone
iPhone buyer asks Paypal for refund
Police say no crime…
Paypal claim their hands are clean

There’s far too much which doesn’t add up to me. The needless transferring of bank details, the claimed gullibility of the victim, the Police’s apparent lack of interest, the sheer needless complexity of the entire arrangement.

I discussed this in detail with my other half, whose professional expertise as an expert witness in court has equipped her well to deal with behaviour like this and she arrived at a very rapid conclusion. In effect, the entire Victim tale sounds contrived and convoluted. Derek made the most obvious point (above) and it may well be that the Father (the member) had believed his poor daughter’s sorry tale without question. In effect it would be very interesting to hear exactly what had happened from alleged victim. One has to wonder if the Police actually interviewed the victim and, if so, how searching were their questions. On balance, then, it all sounds a tad fishy.

I think the error here is saying “bank details”. No bank details appear to be given, it’s purely Paypal account not bank info.

For balance I would add that Googling “Kreb – paypal hack” will reveal just how poor Paypal’s security really is, however. Kreb was hacked through a socially engineered approach, and didn’t need malware.

This comment was removed at the request of the user

Shame that great brain wasn’t applied to an honest purpose in life.

Thanks Joe. This still leaves unanswered questions, but let’s move on. What is Which?’s remedy for such confusion and opportunities for crime, given that warnings alone won’t change much?

If the laptop contained any automatic backups to cloud, the the daughter might use the password to reveal the thief’s identity. If the laptop is used to access the internet over the coming weeks, letters and photos etc from the new user may be revealed to the daughter.

All assuming that the laptop had not been securely cleaned by the daughter prior to its eventual theft.

And the issue of why the police concluded there’d been ‘no crime’ remains a mystery.

Maybe if they had put Noddy’s friend Mr Plod onto the case he may have come up with a better solution 🙂

He may have suggested that any potential scammer can deduce that the ordinary man in the street on his patrol can (a) read all of Paypals T&C’s and (b) understand them.

Oooops! A slight correction should read “DOES NOT read all of Paypals T&C’s and understands them.”

See how easy it is to put the wrong information on line. I suggest the problem with any online contribution – Convo, email, bank account details – is that it is all too easy to send it before we’ve properly reviewed it, and we then don’t look at it again as a routine. We need some way to review before we send like “read this carefully before you press submit” or “………….post comment”. It is just too instantaneous and the damage is then done. It took a while, if you remember, to get an edit facility – albeit for only 15 minutes – on Convo, thanks to @patrick.

We do need the edit time extending. Long posts need studying in a different setting, because one often misses summat that appears fine in the original composition.

The Member Community forum allows editing at any time, which is handy. The claimed downside is that the gist of a comment can be changed after replies are received.

In which case the ‘buyer’ (scammer) of the laptop was able to flaunt the PayPal T&C’s by arranging to collect the laptop “in person” from the seller (victim) who omitted to either obtain a contact address or was given a false address by the buyer (scammer). The seller (victim) must have felt confident inasmuchas it was OK to hand the laptop over as she had already received payment for it, which is key, because this is where the scammer gained a psychological advantage over the unsuspecting victim.

If the victim was ‘the friend’ whose account details were used to transfer the money for the non-existent iPhone then was it not possible to trace the person who paid the money into the victims account who thought she was paying for the fake advertised iPhone and explain the situation that they had both been the victims of cyber crime?

Ian your last paragraph could be explained quite simply. Do you remember the party game we used to play as children called Chinese Whispers where one person was given a written message and told to whisper the message into the ear of the person sitting next to them and telling them to pass it onto the next person until the last person sitting around the table came up with an entirely different message to the original? This is happening in real life all the time through the media and all other communication systems so everyone ultimately receives a distorted version of the original true story.

Beryl, your last paragraph reminds of a cartoon of the misinterpretation to build a swing. If you goggle images for ‘The project management tree swing’ you will see what I mean.

Brilliant stuff alfa! Is this why my addled old brain keeps telling me to type Alpha instead of alfa 🙂 ?????

I’m sure you can do beta, Beryl. 🙂

I have no iota Wavechange of whether you meant better or beater 🙂

This is an early version. There are colour ones.

Glad you liked it Beryl. I think there is only one of me on here whichever spelling you use, so don’t worry about it.

Malcolm’s version is the one I remember, but I see there are modernised versions around now.

I don’t think the crucial element of Paypal’s conditions is either difficult or unclear: “‘a key eligibility requirement of the Seller Protection Programme is that the seller must post the item to the address which appears on the transaction details page’ “. To me that’s basic common-sense. And here’s where anyone ought to have smelt a rat. If the alleged Female scammer was able to collect the laptop in person (presumably the only way it could be delivered other than by post as per Paypal’s Ts and Cs) the obvious question is why the money wasn’t delivered at the same time.

Now, I can accept some social engineering has gone on to convince the victim that there was a perfectly logical reason why the money first had to be transferred to her bank account instead of being personally handed over, clearly the most secure method, but I can’t understand how the victim didn’t pause for thought and ask her father whether this was an acceptable practice. It simply doesn’t make sense.

I’m also very curious as to the Police response. That doesn’t make sense, either.

I appreciate I’m like a dog with a bone, here, but I’m still disturbed that the Gloria Hunniford story ran with the tagline ‘Scammed’ in it, when nothing could have been further from the truth. Hunniford wasn’t scammed in any sense of the word. Her bank was defrauded, but she wasn’t.

I’ve trawled Google to see if anything remotely as complicated or even similar as this supposed scam exists. I can’t find anything, although scams on Gumtree seem to abound. The bottom line is for people to learn how to use Escrow – http : // transpact . com / . That solves a multitude of problems concerning buyers and sellers.

What we have here is a partial story – a hearsay item as Beryl suggests – and I think Which? really should either supply more details about this case or close it down.

Looks like Ms Hunniford has been listening, Ian – she has started a new Conversation for us on scams using banks.

Spot on Ian. When accepting payment by Paypal never allow collection in person, always cash on collection

Im confused too. Surely the scammer breached pay pal too, regardless of whether the innocent seller did, with intent to defraud because they advertised a non existent item with someone else’s PayPal details they were not authorized to use. I would have thought PayPal would be v interested in that. Even if they cannot directly get the money back as the iPhone buyer was a victim too.

There is an online fraud reporting arm of the police. I have used it before. The regular police don’t have much to do with it. But the internet fraud detection team which you can report to online are better.

The respective sites where the laptop and iPhone were advertised are not mentioned. Reporting to those may also help (may not too) as sometimes it is a repeat offender which fraud, eBay, PayPal and the likes become aware of.

I was lucky to get money back from a fraudulent ipad sale on eBay a few years ago and reported it to internet fraud. But it was nothing as complicated as this!

Both the laptop and the iPhone were advertised on Gumtree. As I said at the beginning, if the laptop was going to be collected there was no need for any money transfers and stories about not having a bank accoint. The buyer should have turned up with the cash – not doing that should have rung an alarm bell somewhere.

Sounds like a case for DCI Banks.

Studies show that just 7% of people read the full terms and conditions so why is this? I have my own opinions but ‘the guardian.com – Surveys Show That Just 7% of Britons Read the Full Terms and Conditions’ explains it better than I can.

The fairest way to part solve this particular case is for the two victims to agree to each share one half of the £250 illegally paid to Jims daughter for the laptop. I say “part solve” because this action still lets the scammers off the hook leaving them free to continue with their crimes until terms and conditions are simplified and shortened, excluding all complicated legal terminology and written in a way that everyone can understand and therefore will be more motivated to read them.

Anyone interested in reading up on the science behind the fear of cyber threats and paranoia, the following website may appeal to some of the more scientific minded commenters@ journal.frontiersin.org – Ever-Present Threats From Information Technology: the Cyber-Paranoia and Fear Scale.

Apparently “older people and women exhibited the greatest fear; despite young males being the most victimized”.

But we’re still missing vital facts, surely? We still don’t know

1. If bank details were exchanged
2. If Paypal was used
3. Why the victim accepted the absurd story that the scammer had to transfer the money to the victim’s account when she was clearly able to pick the laptop up
4. Why Paypal say it’s the victim’s fault if their system was used to perpetrate a fraud
5. Why the Police said no crime has been committed.

I don’t think anyone should be attempting to suggest solutions until we’re reasonably certain about what actually occurred. And that’s the one thing about which we can be sure: we don’t know what actually happened.

Perhaps Joe could take note of the confusion and find out all the facts? I don’t think his earlier comment clarifies the story.