I have my lived experience, which take it for the anecdata it is:
A few months ago, I checked an infrequently-used email address and noticed some unusual notifications about a "new user added to your PayPal account." I hadn't even remembered this was the email associated with my PayPal account - so after managing to reset my password and log back in, I managed to figure out that someone must have skimmed or brute-forced my PayPal password, set up a second account, attached their bank account to that new account, and begun draining my own bank account. By this point they'd gotten around $5,000 out of it.
Some features I noticed on the PayPal side that seemed obviously bad: PayPal sends no indication via email of these literal bank transfers, and there is a "feature" on the PayPal site where you can hide (but not, thankfully, wholesale delete) previously concluded transactions. The criminals had just hidden every one of the transfers. They also consistently used something like $499.99 as the transfer value, presumably because that amount prevents some automated level of scrutiny from kicking in.
Additional bad points: the interface for registering a complaint is in a highly counterintuitive workflow through the PayPal site, and seems almost entirely set up for people to register "normal" complaints, not fraudulent transactions.
The good side, however, was that I managed to find the right place, opened a case, and got the thing resolved and the money refunded to my bank account within 24 hours. So, excellent job, fraud resolution team at PayPal!
To tie back to the theme of this thread: my assumption is this fraud will become vastly easier after PayPal breaks (further?) with FDIC-insured fiat currency and people can just turn hacked bank accounts into BTC.
I have my lived experience, which take it for the anecdata it is:
A few months ago, I checked an infrequently-used email address and noticed some unusual notifications about a "new user added to your PayPal account." I hadn't even remembered this was the email associated with my PayPal account - so after managing to reset my password and log back in, I managed to figure out that someone must have skimmed or brute-forced my PayPal password, set up a second account, attached their bank account to that new account, and begun draining my own bank account. By this point they'd gotten around $5,000 out of it.
Some features I noticed on the PayPal side that seemed obviously bad: PayPal sends no indication via email of these literal bank transfers, and there is a "feature" on the PayPal site where you can hide (but not, thankfully, wholesale delete) previously concluded transactions. The criminals had just hidden every one of the transfers. They also consistently used something like $499.99 as the transfer value, presumably because that amount prevents some automated level of scrutiny from kicking in.
Additional bad points: the interface for registering a complaint is in a highly counterintuitive workflow through the PayPal site, and seems almost entirely set up for people to register "normal" complaints, not fraudulent transactions.
The good side, however, was that I managed to find the right place, opened a case, and got the thing resolved and the money refunded to my bank account within 24 hours. So, excellent job, fraud resolution team at PayPal!
To tie back to the theme of this thread: my assumption is this fraud will become vastly easier after PayPal breaks (further?) with FDIC-insured fiat currency and people can just turn hacked bank accounts into BTC.