ADVERTISEMENT

Simple loopholes in Facebook and PayPal helping victims to lose millions in scam

female using a laptop and smartphone
Bernard Meyer
Bernard Meyer Senior Researcher
Apr 24, 2020 Updated: 8 May 2025 9 min read

The scam that keeps on giving

  1. People don’t understand that PayPal has a chargeback feature, and that just because you have money in your PayPal account now, that doesn’t mean that it’ll stay there.
  2. People underestimate the possibility that their friends’ accounts can get hacked, and the people that they’re talking to on Facebook may not be who they say they are.
Cybernews pro tip

Increase your online security and privacy by sending your data through an encrypted tunnel.

Protect your data now

The mechanics of the scam

Two-victim scam scheme
  1. The hacker will first get into the compromised Facebook account and ask 5-6 of “his” friends to see who is willing to send them money. The hacker asks this person to receive money in their PayPal account, then send the same amount to the hacker’s bank account. (The most likely reason given by the hacker is that their PayPal account is having some problems and they can’t withdraw the money.)
  2. The hacker then sends the target money from his/her PayPal account.
  3. Once the target sees the funds have entered their PayPal account, they’ll send the money via bank transfer to the hacker’s bank account.
  4. After a day or two, the hacker does a chargeback on PayPal for money s/he sent to the target via PayPal.
  5. The money is eventually removed from the target’s PayPal, and that person has lost out on the amount s/he transferred to the hacker.
  6. After sending the money to a different account or converting it to cryptocurrency, the hacker closes the bank “drop”.
  1. Hacker sends the target $400 via PayPal. The target now has a $400 surplus.
  2. The target sends $400 via bank transfer to the hacker’s bank account. The target now has zero balance (they didn’t lose or gain any money).
  3. The hacker does a chargeback, and the money is removed from the target’s PayPal account.
  4. The target has now lost $400.
Three-victim scam scheme
  1. Stolen Facebook credentials
  2. Stolen PayPal credentials, or their own
  3. A disposable bank account, known as a bank “drop”

How Facebook’s simple loophole is helping scammers

first step of facebook table to confirm your identity
table asking to verify your Facebook account
Message that my Facebook account is temporarily locked
Facebook chat
ADVERTISEMENT

PayPal’s very simple security bypasses (plural)

Paypal quick security check table
code underlining token value with all the permissions to access the account

The too-convenient British bank drops

  • They don’t reimburse defrauded victims, even when these victims are clearly not to blame
  • They have lax account opening processes, making it easier to open disposable bank drops
  • These banks don’t check the name of the payee against the account number (if so, the victim would get notified immediately that the account doesn’t belong to their real friend)
  • They don’t share information across banks, making it easier for hackers to continuously open bank accounts with the same information
  • They also don’t have a good process for tracing money as it moves through the system (which would make it easier to track down defrauded funds)

Who are these scammers anyways?

Protect yourself now – because no one else will

#1 Add Google Authenticator to your Facebook account

#3 Bank smarter

Protect yourself online with our hand-picked digital privacy tools

ADVERTISEMENT