6

For the past several days, I have received several monetary donations through PayPal for exactly 1 US dollar. Several hours after the donation is received, I also receive a notification from PayPal that they are "investigating a payment reversal," as "an unauthorized account activity claim was recently filed" against the transaction.

I've got to believe this is a scammer at work, but I can't figure out what attack vector they're trying. All of the emails I've received are legitimate; I've clicked no links in any of the emails, and manually logging into PayPal via their https address does indeed show these transactions in my history.

Is this someone testing out credit card numbers they've stolen? Are they probing my account somehow to see if there's money available to be had?

My PayPal account is not tied to my banking account, but I do have a credit card associated with it. I've seen no strange outgoing transactions; it's always a single dollar coming in, then being reversed.

Has anyone else seen this? What can / should I do?

Update 1: Some additional information in case anyone wonders about it.

  1. I changed my password this morning, just in case.
  2. My website has a PayPal donate button on it, which is possibly where whoever is doing this got my information.

Update 2: I did indeed contact PayPal after receiving these emails, and they agreed that things looked fishy. They recommended changing my password (which, as I mentioned before, I did), and they immediately closed out the questionable transactions. Since I took that action, however, I've gotten 2 or 3 more of these "donations" (though I have yet to see them be disputed). I should note that the person who submits the donation is ultimately the one who pays the PayPal fee (so, I end up with less than $1 for a $1 donation). This is a very strange situation to say the least...

Ivan
Jonah Bishop
  • IIRC you have to pay a fee to PayPal when receiving funds through their system. A while ago there was a rather big-scale public attempt to waste some money of a right-wing party in Germany, by donating lots of tiny amounts of cash to them via PayPal. The party had to pay the aforementioned fee, which outweighed the received donation. Not sure if this works anymore though. I could imagine this being a scenario. Did PayPal charge you anything for receiving these funds? – Tom K. Jul 28 '17 at 13:21
  • It is possibly some blackmail scamming scheme detected by PayPal. – mootmoot Jul 28 '17 at 13:21
  • Did you reach out to PayPal support after receiving their mails? – Tom K. Jul 28 '17 at 13:24
  • I did indeed reach out. See my second update above. – Jonah Bishop Aug 01 '17 at 17:16

2 Answers

5

Is this someone testing out credit card numbers they've stolen?

Yep. You're being used as a canary to test stolen credit cards. They found your website at random and see you're willing to accept payments. They send you a token payment of $1 to see if the card works. (They used to use iTunes to do this, where they'd buy a $1 song.)

When they see the card works, they buy as many disposable Visa gift cards as they can. This racks up a few hundred to a few thousand dollars on the card. (They used to buy goods directly but it's easier for merchants to stop shipment of a flatscreen TV than it is a stack of gift cards.)

The cardholder or the FI notices the charges and starts reversing everything, but the money has already been laundered in the form of gift cards.

Thus, the scammer successfully manages to convert stolen credit into a fistful of untraceable, disposable gift cards. These can either be used for personal gain or re-sold for a slightly lesser amount to yield actual cash.

Ivan
  • Is there anything I can do on my end to prevent this kind of behavior? – Jonah Bishop Aug 02 '17 at 02:49
  • Try raising the minimum donation you'll accept to $3 or so. They always seem to want to shoot for the absolute lowest dollar amount they can get away with, which is generally $1. Aside from that, not much you can do that wouldn't make donating to you a more cumbersome process (which will harm the chances of legitimate visitors wanting to bother doing so). – Ivan Aug 02 '17 at 03:10
  • Thanks. I've implemented a new donation system whereby users can either choose $5 or $10. We'll see how that works going forward. – Jonah Bishop Aug 02 '17 at 11:55
  • Even after adjusting my site to enforce a minimum $5 donation, I still get bogus donations that are ultimately contested. I'm pulling my donation system down for now. :-( – Jonah Bishop Aug 05 '17 at 16:17
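
An added example, not part of the original answer or comments: a minimal check a site owner could run over their own donation history to spot the pattern described above. It compares a fixed-amount rule with a reversal-rate rule, since the last comment reports that raising the minimum did not stop the contested donations. The record layout, payer ids and thresholds are assumptions, and the sample rows are constructed.

```python
from datetime import datetime, timedelta

# Constructed records: (timestamp, payer id, amount in USD, final status).
# The layout is hypothetical, not a PayPal export format.
BEFORE_MINIMUM = [
    ("2017-07-24T08:05", "p1", 1.00, "reversed"),
    ("2017-07-25T21:40", "p2", 1.00, "reversed"),
    ("2017-07-26T03:12", "p3", 1.00, "reversed"),
    ("2017-07-27T14:30", "p4", 25.00, "completed"),
    ("2017-07-28T02:55", "p5", 1.00, "reversed"),
]
AFTER_MINIMUM = [  # donation form now only offers $5 or $10
    ("2017-08-02T19:20", "p6", 5.00, "reversed"),
    ("2017-08-03T04:45", "p7", 5.00, "reversed"),
    ("2017-08-04T11:00", "p8", 10.00, "completed"),
    ("2017-08-05T01:15", "p9", 5.00, "reversed"),
]
LEGITIMATE = [
    ("2017-06-01T10:00", "p10", 5.00, "completed"),
    ("2017-06-03T16:30", "p11", 10.00, "completed"),
    ("2017-06-04T09:45", "p12", 5.00, "reversed"),  # a single dispute
]

def low_amount_rule(rows, threshold=1.00, min_hits=3):
    """Naive rule: several donations at or below a fixed token amount."""
    return sum(1 for _, _, amount, _ in rows if amount <= threshold) >= min_hits

def reversal_rule(rows, window=timedelta(days=7), min_reversed=3, min_ratio=0.5):
    """Flag when, in the window ending at the newest record, reversed
    donations come from several distinct payers and make up a large
    share of all donations. Returns (alert, stats)."""
    parsed = [(datetime.fromisoformat(ts), payer, status)
              for ts, payer, _, status in rows]
    if not parsed:
        return False, {"total": 0, "reversed_payers": 0, "ratio": 0.0}
    newest = max(ts for ts, _, _ in parsed)
    recent = [r for r in parsed if newest - r[0] <= window]
    reversed_rows = [r for r in recent if r[2] == "reversed"]
    payers = {payer for _, payer, _ in reversed_rows}
    ratio = len(reversed_rows) / len(recent)
    stats = {"total": len(recent), "reversed_payers": len(payers), "ratio": ratio}
    return len(payers) >= min_reversed and ratio >= min_ratio, stats

if __name__ == "__main__":
    for name, rows in [("before", BEFORE_MINIMUM), ("after", AFTER_MINIMUM),
                       ("legitimate", LEGITIMATE)]:
        print(name, low_amount_rule(rows), reversal_rule(rows))
```

An alert from the reversal rule is a signal to temporarily hide the donate button or contact the payment provider; it does not depend on the amount the tester happens to choose.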
-2

Are you able to see whether there is a pattern to the attack apart from the amount, e.g., time of day, geolocation, etc.? I am thinking of a geoblock of some sort. Another method that I am thinking of is to put a series of CAPTCHA-like security checks before revealing the donate button. My understanding is that this should slow down the attackers.

I am trying to set up a blog too and am asking a similar question at "What would be the most efficient way to process payments or donations on a not for profit website?"

Thank you and all the best.

scriptbaby