There’s a type of scam that has been going “on and off” since early 2016, and it looks like it’s still working well for malicious actors. According to the most recent reports, every single day, 15 to 30 hackers are engaging in this particular scam, making $2,600 each on a daily basis. This means that people are losing approximately $1.6 million per month or $19 million per year. For the attack to work, the actor will have to hack a Facebook account. So this scam is based on exploiting gaps on both the payment and the social media platform.
First, the hacker takes over a Facebook account and messages one of the account owner's friends to ask for a favor. They claim to have trouble withdrawing money from their PayPal account, so they want to send money to their friend and ask them to send that amount to their bank account. Once the victim does that, the hacker reverses the initial transaction, so they get back the amount on PayPal and also get to keep what the victim sent to the bank. The money almost always ends up in a British bank because British banks are notoriously indifferent about how their clients use their accounts.
British banks allow accounts to be opened online with minimal identification information, and closing that same account is just as easy. The banks don’t reimburse defrauded victims, don’t have any transaction approval checks in place, don’t share information about who is the holder of the account, and don’t care about tracking the money as it moves through the system. Usually, the hackers behind these scams are from the UK, Russia, or the United States, and for many of them, scamming people on Facebook is their full-time job.
Obviously, there’s a whole set of security holes on both PayPal and Facebook that allow this type of scam to go on even four years after it first appeared. That said, users are advised to be very vigilant, even when they’re chatting with a friend on Facebook. Set up a two-factor authentication step on both platforms, use the Google Authenticator for your Facebook account, and link a virtual card with the PayPal account for better control. If a friend asks to send you money on PayPal and have you transfer it to their bank account, propose to meet for a beer and give it as cash in hand. This alone should nullify the hacker’s attempt to trick you.