Is your PayPal being used by cybercriminals?

Cybercriminals used compromised PayPal accounts for transactions in 27 cases reported to the police from Jan 1 to Feb 9, said the police and the Cyber Security Agency of Singapore (CSA) in a joint advisory on Feb 16.

The victims would receive automated notifications from PayPal either in the form of emails or PayPal’s inbox messages, informing them of various activities such as profile changes and receipts for transactions on their account.

Upon checking their PayPal accounts, some victims discovered that funds from unknown sources were deposited, or that funds were being transferred to unfamiliar bank accounts added by the cybercriminals.

Subsequently, the cybercriminals would initiate a chargeback request. The victims would then receive an automated notification, and funds were recovered from their accounts, resulting in a deficit balance.

The compromise of online credentials and passwords could be due to several reasons which include:

  • Using weak passwords.
  • Visiting phishing websites that ask for your online credentials and/or passwords, and downloading unverified apps sent via emails, SMSes, text messages or messages from social media platforms.
  • Visiting websites or downloading files that are infected with malware designed to steal victims’ credentials.
  • Re-using the same password for multiple online accounts (when online services or platforms are involved in data breach incidents, your reused online credentials and passwords may be compromised).

The safe use of online payment platforms must be accompanied by strong cyber hygiene practices by the users to ensure that their online credentials and passwords are secured. Members of the public are advised to adopt the following precautionary measures and cyber hygiene tips:

ADD security features to your PayPal account by enabling passkeys and two-step verification (2FA). Passkeys are a secure login standard allowing you to log in to PayPal using the same biometrics or device password you use to unlock your device. To create one, log in to PayPal from your mobile device using either the Safari or Chrome browser. Upon login, you will be presented with the option to create a passkey. Follow the steps on the screen. 2FA can also be enabled through PayPal’s website as an extra precaution. Do note that this is done by logging in to your PayPal account through a web browser and not through the PayPal app. Go to ‘Settings’ → ‘Security’ → ‘Set Up’ → select ‘Use an authenticator app’ → click ‘Set it Up’ and follow the steps on the screen.

Enable transaction alerts and review all transactions regularly for any suspicious activities. You are also strongly encouraged to install anti-virus apps on your devices that can detect malware and block access to phishing links.

CSA has also put together a list of recommended apps available at www.csa.gov.sg/Tips-Resource/Resources/recommended-security-apps-list.

CHECK that you are using a strong password for your PayPal account. A strong password should consist of at least 12 characters with uppercase and lowercase letters, numbers or symbols. Use different passwords for each of your online accounts. Even if your PayPal account is inactive, you should still change your passwords from time to time as a best practice.

Review your PayPal account’s “trusted device” list, remove any devices that you no longer use or do not recognise, and turn off “auto-login” for your PayPal account. Turn on and monitor automated transaction notifications in your PayPal account. Be wary of unusual requests that ask for your personal information, banking details and OTPs. You should not share your personal information with anyone. Do not click on any suspicious links or download unknown attachments or apps received via emails, SMSes, text messages or messages through social media platforms. They may contain phishing links or malicious programmes / apps used to steal data from your devices.

TELL authorities, family, and friends about scams. Report any fraudulent transactions to PayPal at spoof@paypal.com or your bank immediately.

For more information on scams, members of the public can visit www.scamalert.sg or call the Anti-Scam Helpline at 1800-722-6688.
