Police, CSA warn of compromised PayPal accounts used by cyber criminals for transactions

SINGAPORE - Online criminals are using compromised PayPal accounts for transactions, with 27 cases reported to the police from Jan 1 to Feb 9.

In these cases, victims would receive automated notifications from PayPal, an online payment wallet, either in the form of e-mail or from the digital payment app’s inbox messages, informing them of various activities, the police and the Cyber Security Agency of Singapore (CSA) said in an advisory on Feb 16.

These activities include changes to the account’s profile and receipts for transactions on their account.

Upon checking their PayPal accounts, some victims found that funds from unknown sources were deposited, or that funds were being transferred to unfamiliar bank accounts added by the criminals.

Later, the criminals would then request for a chargeback – which is a return of money to a payer of a transaction, especially a credit card transaction.

The victims would then receive an automated notification followed by funds being recovered from their accounts, resulting in a shortage of funds.

The police and the CSA advised users not to use weak passwords, visit phishing websites that ask for one’s online login details and are infected with malware designed to steal victims’ credentials. They should also not download unverified apps sent via various platforms.

In addition, users are also advised to not reuse the same password for multiple online accounts as it can compromise one’s online accounts and passwords.

The police and CSA advised the public to add security features to their PayPal account by enabling passkeys and the two-step verification process.

Passkeys are a secure login standard allowing one to log in to PayPal using the same biometrics or device password one uses to unlock its device.

This can be done by logging in to PayPal from one’s mobile device using either Safari or Chrome browsers. Upon login, one will be presented with the option to create a passkey.

The two-step verification process can also be enabled through PayPal’s website as an extra precaution.

Secondly, always use a strong password for one’s PayPal account. It should contain at least 12 characters with uppercase and lowercase letters, numbers or symbols.

Even if one’s account is inactive, the user should still change the passwords from time to time as a best practice.

In addition, remove any devices that one no longer uses or does not recognise in the PayPal account’s “trusted device” list by reviewing and turn off “auto-login” for the account.

One should also turn on and monitor automated transaction notifications in the PayPal account.

Be wary of unusual requests received that ask for one’s personal information, banking details and one-time passwords, the police and the CSA added.

Lastly, they advised users to report any fraudulent transactions to PayPal at

spoof@paypal.com

or their bank immediately.

For further information on scams or to report fraudulent activities, visit www.scamalert.sg or call the Anti-Scam Helpline on 1800-722-6688.