To many users, PayPal, the world's best-known online payment system, seems like an entirely secure method of sending and receiving funds. The company offers limited guarantees to both buyers and sellers, and also gives out security keys upon request.
But according to Robert Siciliano, McAfee consultant and identity theft expert, there are still ways you can get ripped off using PayPal.
To ensure you don’t fall victim to a scam involving PayPal, Siciliano offers these words of advice:
Don't link your PayPal account to your bank account or debit card account.
"If your PayPal account is compromised, it’s money taken directly out of your bank account. But if you link your PayPal account to your credit card and it’s compromised, then you have 60 days to refute those charges with your credit card company," Siciliano said.
However, under federal law (Regulation E), you have only two days to dispute a fraudulent charge with your bank.
[UPDATE: A spokeswoman acting as PayPal's representative has told SecurityNewsDaily that PayPal's protection from unauthorized transactions gives the user 60 days to dispute the charges, no matter what the funding source.]
Don’t click on links in the body of emails from PayPal.
Those emails might not really be from PayPal.
"Rather, they are phishing e-mails from scammers designed to get you to enter your credentials," Siciliano said. "Instead, manually type in the PayPal address into your browser, log in to your account and see if there are any communications for you from PayPal."
Keep your PC security up-to-date.
Make sure you have installed the latest critical security patches for your operating system, as well as the latest browser patches.
"If your PC is compromised with spyware or malicious software when you’re using a financial site like PayPal, then the cybercriminal has access to your computer and can access your user names and passwords," Siciliano said.
Never log in to PayPal from a public PC.
A public PC is relatively insecure.
"It is only as secure as the person who logged in before you," Siciliano said.
Someone could easily have installed spyware or malicious software on that computer that will log all your keystrokes.
Log in to PayPal only from a trusted Internet connection.
Your work and home PCs qualify, but a wired connection is more secure than a wireless connection.
"Don’t log in to PayPal from an Internet cafe, even if you’re using your own laptop, because that wireless is wide open," Siciliano said. "There are plenty of 'sniffing' technologies that may be able to sniff out (track) what you’re doing on your computer."
Use only verified merchants, and get verified yourself.
Just about anyone with an email address can open a PayPal account, but PayPal will "verify" users and merchants who provide additional information.
"Although it might not guarantee that the person you're dealing with is legitimate, verification adds a level of protection and legitimacy," Siciliano said.
You can get verified by linking PayPal to a bank account (or, if you're following Siciliano's advice against doing that, you can get verified by obtaining a PayPal credit card).
Maintain good records for all Internet commerce.
"It's a good idea to download them and print them out so you have backups of all of your records for purchases made and products bought and sold," Siciliano said.
That way, if there are any issues with a transaction, you have a record of it.
Use a unique user name and password for PayPal.
Your PayPal login credentials should be different from your user names and passwords for your eBay, Facebook and online banking accounts.
"You should have a different user name and password for every account," Siciliano said. "So if one account is compromised, the cybercriminal won't have access to all your accounts."
Each password should consist of uppercase and lowercase letters, and should include numbers as well as characters like an exclamation point or a hash sign (if allowed).
Treat your PayPal account like you treat your online banking account.
You need to ensure that you have authorized any transactions, large or small.
"Typically, cyberthieves will start draining your account using a series of small withdrawals, hoping you won't notice," Siciliano said. "So you need to refute those charges as soon as possible."