I recently had a situation happen where my PayPal account got hacked, and I want to share some information that might help you if something similar happens to your account. It’s actually pretty ingenious of the bad guys. I was lucky to spot it while it was happening, and also had a good idea that helped stop it quickly. In the end I lost nothing, but there was an incidental expense I’ll talk about at the end because looking back, it’s a bit funny.
I was at work when I got a rapid-fire series of e-mails from PayPal…literally one right after the other. The exact order may be slightly off, but the idea is the same. The first documented a password change. The second documented upgrading my account to a commercial account. The third, fourth, and fifth were documenting adding an e-mail address, credit card and then a new phone number. The sixth and seventh were documenting withdrawals from my account. Luckily I saw this as it was happening and knew my account had been hacked. This is where it gets interesting, and shows how it’s not as simple as it might seem.
I jumped on my laptop, opened up a browser and went to PayPal. Because they had changed my password, I was locked out. I went through the password recovery process and that let me into my account. As soon as I got in, I was hit with a page requiring me to finish filling in the account information for a commercial account. It was asking for the business name, address, business number, etc. I don’t have any of those things, and couldn’t get past that page to get to the help center to report a problem. Obviously, at this point I’m freaking out a bit because I’m stuck and it’s a delay tactic the bad guys put in place to slow you down.
To add some context, I don’t keep large balances in PayPal, and I use a specific bank account linked to it in which I don’t maintain a large balance, on purpose. By coincidence, the week prior I moved $6K to that bank account for a planned purchase. I kept thinking they were going to wipe out the $6K and it was going to be a hassle to get it returned, if at all.
At that point I got on the phone to my bank and had them block PayPal. There were only two withdrawals for less than $150 before the block was put in place so it wasn’t too bad. What’s interesting is that the amount they chose was the exact same amount, to the penny, of the last charge to my account. They’re hoping you get the PayPal e-mail documenting the charge and ignore it because it’s the amount you most recently should have seen. They took the exact same amount two times within a minute.
I then had a bright idea and went to my phone because I have the PayPal app on it. I was able to log in to my PP account app with my new password, and the app didn’t have any of the account setup prompts, just the usual home page, so I was able to go to the help section and report that my account had been hacked. Within a few minutes I got an e-mail and text from PayPal saying my account was locked and gave me a way to contact them to work through the recovery process.
The PayPal support person was actually very helpful and quickly had my account reverted to a personal account, and confirmed that I had changed the password, etc. I will say that previously I didn’t have two-factor authentication enabled (getting a code via e-mail or text) and I did enable that when this happened. It only took a few days and PayPal refunded my money and all it really cost me was a $20 stop payment fee to my bank.
So, use a specific bank account with limited funds, enable two-factor authentication, consider having the App on a phone or tablet, and don’t ignore charge notification e-mails thinking they are duplicates.
I said there were some incidental expenses…but I managed to get an incredibly thorough physical exam out of it!
After things settled down I started to note some chest pain on the left side, moving from my armpit across my chest. This followed getting a work physical a few weeks prior and being told my EKG was abnormal and to have a cardiologist review it to be safe. The day prior I had actually scheduled an appointment for later that week. Being a middle-aged man the two things were more than I could ignore so I stopped into our nurse’s office. She said my BP was pretty elevated (obviously!) and recommended going to the ER. I went to the ER and within minutes they did an EKG which was normal. I had a copy of my work EKG and the doctor there was concerned that the two were different and recommended I be admitted to have a cardiology workup. His words were “Men your age don’t do very well when they have a heart attack and a cardiologist really needs to look at this.” So I spent 18 hours in the hospital, had all the blood work done, x-rays, hooked up to a heart monitor overnight followed by a nuclear stress test in the morning. While I was on the treadmill doing the stress test the woman running the machine and the attending nurse were watching the machine, looking at me, asking me questions and after looking at each other a few times both said “Yeah, you don’t have a heart problem” which was reassuring.
After all of the tests were done the cardiologist came to my room. He looked at the test results and said “Why are you here?” I told him what happened, and showed him my work EKG. He got mad and said “They said this was abnormal? This is a NORMAL EKG! That little blip the computer flagged is an artifact that means a lead shifted a bit…it could move on a hair and cause that. Where was this taken?” I told him and he just shook his head. He asked about the pain, which was almost gone, but there was a bit of an ache in my left side armpit. The doctor asked if I had done anything to strain that side when I remembered what happened. The night before the event I was moving a 1,600lb piece of machinery on rollers and knelt down and pushed from an awkward angle with my left arm. I told the doctor that, and showed him how I had pushed…immediately I felt a twinge in the same place. It was literally nothing more than a muscle strain. I must have gotten so tense during the account hack that I tightened up, and that caused me to aggravate the strain enough to notice it a bit. Copays wound up being like $1,200, but I have a clean bill of health and the doctor said it was actually a lot more comprehensive than I would normally get in a routine physical, so all isn’t lost.
For years I’ve joked with my wife “You’re going to give me a heart attack” when she fakes like she’s nagging me (which she really doesn’t do). Now I say that and she says “The doctor said you’re not going to have a heart attack” so I’m going to have to think of something new!