[German]The German consumer advice center of North Rhine-Westphalia warns of a nasty scam in which criminals abuse PayPal's ability to pay via a guest account. Anyone with a bank account can fall victim to this scam – regardless of whether they use PayPal or not.
Advertising
The scam with the PayPal guest account
There is a possibility of using a guest account to pay via PayPal. To do this, the customer selects the Guest account option in the payment method via PayPal in the online store. The international banking account number (IBAN) of their own bank account must then be entered so that PayPal can then debit the amount from the specified current account by direct debit.
Fraudsters also take advantage of this, but then use other people's IBANs for the guest account and order goods with delivery to a Packstation. If the account holder does not notice these unauthorized debits, the fraudster pays with other people's accounts. If the victim has the direct debit reversed, the trouble begins. The online store that has been cheated out of its money will try to collect this amount.
Victims have been discussing this scam on PayPal for over a year. The German post Gastkonto Betrug (Guest account scam) dates from summer 2023 and someone writes that they "received an email from PayPal a few days ago" (it was an old email address). An unknown person apparently orders something via the name of the person concerned using a guest account. He suspects that his bank details and email address were leaked from a store as a result of data theft and are now being used without authorization for third-party purchases via a PayPal guest account. The injured party filed a complaint with the police and dealt with PayPal until they closed the case.
A second case from Germany is discussed here in summer 2024. The aggrieved party is unable to initiate dispute resolution as the transactions do not go through his PayPal account. The victim states that the IBAN is not checked by PayPal and whether an assigned email address also matches a PayPal account. In this thread, merchants who suffer massively from fraudulent orders with payment via PayPal guest account also report.
German site Finanztipp states in its article here that a statement by PayPal that "the data provided is also checked for guest payments" has now been taken offline. According to PayPal, the name, address and date of birth are to be compared with the data stored at Schufa and Ebay, writes Finanztipp. However, this check is smoke and mirrors if the specified account has a credit rating.
Advertising
Finanztipp writes that, according to media reports, complaints about the PayPal guest account are increasing. Some victims have even lost money several times and are now receiving letters from debt collection agencies.
NRW consumer advice center warns of the scam
In the meantime, even the North Rhine-Westphalia consumer advice center has issued a warning about the scam. In the article Wie Kriminelle das "Bezahlen ohne PayPal-Konto" missbrauchen (How criminals abuse "Paying without a PayPal account"), the consumer advice center takes a closer look at the scam described above.
No protection but a payment limit
The bad news is that there is no protection against this scam – the criminals only need a valid IBAN and a PayPal account of some kind. Whether the IBAN is entered there as a payment source is irrelevant. The scam can therefore also affect people who do not have a PayPal account.
Not publishing the IBAN is not a solution either – companies and associations must publish these IBANs for customers and members in order to enable payments. In addition, the text above mentions the suspicion of those affected that their IBAN and email address were leaked from online stores.
The information from Finanztipp is interesting: for security reasons, PayPal has at least one restriction when paying via a guest account: Purchases can only be made three times per IBAN via this payment method and a total amount of €1,500 applies to all payments. In the worst case, fraudsters can abuse accounts up to this upper limit.
The only option for victims is to always check their account statements, dispute unauthorized claims, arrange for the direct debit to be reversed via the bank and file a complaint with the police. Trouble included, of course.
Advertising
