When George Hart got an email saying there’d been fraudulent activity on his PayPal account, the 76-year-old knew better than to take the message’s word for it.
The person he spoke with urged Hart to install an app called TeamViewer, he said. When he started seeing new windows flicker across his screen when he wasn’t even touching the mouse, Hart bent down under his desk and pulled the computer’s plug.
It might have saved him from a more severe scam. The fraudster had used a PayPal money request to trick Hart into thinking a charge had been posted to his account, then pressured him into installing an app that grants remote access to a computer. Hart used anti-virus software to reset his computer and purge it of the malware the scammers installed, he said.
Payment apps let you send money with the tap of a button. Unfortunately, that makes them fertile ground for scammers. This week, Help Desk heard from two readers who had run-ins with fraudsters on PayPal. Hart ended the interaction before the scammers could compromise any more of his accounts. Another person, 65-year-old Cynthia Parker from Columbia, Mo., lost around $1,400 after speaking with a scammer posing as a PayPal customer service employee.
PayPal ended up refunding Parker after being contacted by The Washington Post. But often once you send money on a payment app, it’s gone.
“We have strong controls in place to manage these well-known phishing scams and mitigate these types of incidents,” PayPal said. “Nonetheless, we encourage customers to always be vigilant online and to contact customer service directly if they suspect they are a target of a scam.”
Here’s what to look for if you get an unexpected receipt or invoice or find yourself on the phone with a sketchy “customer service rep.”
Get customer service numbers from official websites
Treat every phone number like a potential scam risk. Even if the number came from an official-looking email or text, verify it by checking it against the contact number listed on the company’s website before you call.
Type in phone numbers rather than clicking links
Online links can whisk you anywhere a bad actor wants you to go. Rather than rely on “call” buttons, find official customer service numbers and type them into your phone manually, advised Jérôme Segura, senior director of threat intelligence at cybersecurity company Malwarebytes. Double-check that you typed the number correctly before you connect, since many scammers set up phone numbers one digit off from common help lines and then rely on “fat fingering,” or lazy typing, to bring in victims, Segura said.
Beware of sponsored search results
Just because a webpage or phone number turns up at the top of search engine results, that doesn’t mean it’s legitimate. We’ve reported on scams popping up in top results on Google, Bing and DuckDuckGo.
“Anybody can purchase an ad and pretend to be a given company,” Segura said.
That’s how Parker believes she ended up on the line with someone who ultimately compromised her PayPal account and stole money, she said. She typed “eBay customer service” into Google and called the first number that came up. When she told the person on the line that she needed to cancel a PayPal payment to an eBay vendor, they offered to connect her with PayPal support if she’d stay on the line. (Remember: Companies shouldn’t be able to tap into another business’s phone or payment systems.)
Google has said it’s combating ad fraud by beefing up its ad verification and scam detection.
Never download a remote-access tool
Unless you’re working with a trusted colleague or IT professional, never install new apps or programs while on the phone with a purported customer support agent.
Both Hart and Parker were told they needed to download apps that granted remote access to their computers, they said. Apps like AnyDesk and TeamViewer are legitimate tools for support professionals, Segura said, but there are very few scenarios where a customer service agent legitimately needs remote access to your computer. At worst, these apps could help hackers break into bank accounts or steal other sensitive information. That’s why this particular scam is helping fraudsters steal greater sums faster, he added.
If someone asks you to download an app or online tool, tell them you need to hang up and do some research, Segura said. Search the name of the app and make sure it doesn’t grant remote access and isn’t associated with scams. If the agent seems pushy or tries to keep you on the phone, that’s cause for suspicion.
Remember that vendors can message you
On apps such as PayPal or Cash App, strangers can send you money requests. Keep in mind that, as in Hart’s case, a money request doesn’t mean a transaction is pending — it can only go through if you approve it.
Be wary of any email or message claiming you need to cancel a transaction, renew a subscription or inspect potential fraud. It’s easy for bad actors to steal brand logos and other visual elements that make a fake email look real, Segura said. Never call a customer support number that comes in an email. Take a close look at the sender’s email address, and if it looks real, contact the company directly by calling the number on its website.