23

Yesterday I noticed that someone used a PayPal "Guest" checkout with my bank details (IBAN) via SEPA to buy goods worth ~60€ and ship them to an old address of mine. The purchase was made at a small online shop.

I received an e-mail from PayPal (the real one) confirming the purchase and the charge shows on my bank account today. I also received an order confirmation from the shop by e-mail. I called PayPal and they confirmed the transaction but couldn't reverse it.

So someone used my, apparently leaked, e-mail, IBAN and address to order something in my name.

Additionally, I received another order confirmation from the same shop. This order was paid in someone else's name and does not show on my bank statement. I did not receive a PayPal e-mail for the second order.

So someone ordered some additional goods in my name with another person's bank details.

In addition to that and at the same time, I received ~70 e-mails for newsletter registrations, maybe to mask the purchase e-mails.

I called the shop and they are reversing the first payment. The second payment wasn't made with my bank details so they'll hold on to that money for now in case the victim of that order reverses the charge themselves. Anyhow, I could also have reversed the charge to my bank account via SEPA and I believe the shop is legitimate.

What I don't understand is where this is going. The money actually reached the shop and not someone else. The refund should go through to me - or is there a way that the refund gets lost onto a scammer's account? The charge (PayPal guest account) is linked to my e-mail address, which they do not seem to have had access to (yes, I changed the password anyway). It's also my bank account linked to the purchase.

Has anyone seen something similar or any idea what the goal could be?


Update:

The money has been refunded and shows on my bank account, so it's also not a refund scam of some sort. It remains mysterious. The only ones potentially benefiting from this would be the shop if I didn't notice anything. I don't think they are in on it, but will probably never know for sure.

DonQuiKong

4 Answers

18

Purely as a guess: testing that your credentials work, and testing whether you are paying attention. If they know they can get away with this, they can set up a repeated slow drain on your account and you might never notice it.

keshlam
14

Just an idea. When they get the email + IBAN info, they don't know yet if PayPal is allowed to emit an IBAN transfer on your account.

Typically, in France, a company cannot emit a transfer without prior explicit consent (which is a minimum security, better than nothing).

They don't care about the money and the goods they have ordered. They needed to know if PayPal is allowed to drain your account or not.

How do they know if it worked

They have created an order on a shop that either:

  1. Allows "anonymous" customers, that is, with only an order number, you can check the order status and delivery. In that case, they only need to connect later on to check if the order was canceled.
  2. Allows creating an account with some email and a payment form with another email. In that case, you can ask the shop for the customer information they have for that order; you'll likely get their email account (but this is likely of low value, a temporary email).

How can they gain money

They won't gain money from you. Because you've reverted the transaction, it means that they'll see the order was cancelled. They don't care if it was cancelled because the IBAN account is wrong or because you're monitoring it; this simply means they can move on to the next user in their list.

If you hadn't reverted the transaction (because you hadn't seen it), they would have seen the order delivered (and returned or not). This means you are negligent and they can then proceed further with the level 2 scam (see below).

Level 2 scam

Once they know you're negligent, they only need to set up a (dumb) company using PayPal for checkout and selling services. They'll then set up some transactions for this company on your account. Since it goes through PayPal, and not through their company, your bank will accept the SEPA transfer. They'll simply collect the money directly then.

Please notice that if they directly tried this with their stolen user list, many transfers would be reverted, leading to being banned by PayPal for fraudulent behavior. Doing the first step filtering with a legitimate company moves the "bad" behavior ranking onto it, not theirs.

What to do now?

Ideally, ask the bank to change your bank account (or open another bank account). If you can't do that, blacklist PayPal from your allowed SEPA companies, so they won't be able to use PayPal for their actions anymore. If you have other payment processing companies allowed on your account, you should blacklist them all (like Stripe, ...). SEPA is made for direct transfers; it's not a tool that can be used by payment processing platforms, since you can't identify the source anymore once it's on your account.

xryl669
2

This may be some new and obscure variant of the brushing scam: fake orders for goods that someone uses to enhance the online reputation of the vendor. This was more common around 2020. The idea being that the fake order enables the scammer to write a fake review of the vendor on the online platform and it passes muster as a "verified purchaser". After building up enough of a reputation they have a better chance of pulling off a variety of other scams. The fact that they had sufficient banking information to actually submit a transaction on your account is concerning. I see you've already changed your email password. If it were me I'd close out my bank account too, and set up 2FA for everything.

2

xryl669's answer about testing if the bank details are correct (they have probably bought many records, but as noted, it's old information), by validating if the sale goes through via a link provided by the shop, seems spot on. However, I'm not convinced that the final goal would be to create a shop selling services through PayPal.

They could be trying to redirect the shipping to another place, as it's sometimes done in scams, but they don't have access to the email, and it seems odd that the shop would provide the required tracking code on the initial step. It might be in the order status page, though.

I first thought it was an error, but now I suspect there is something going on with the second order.

The first order uses your e-mail, IBAN and physical address. So far, it is consistent. However, the second order uses your email (or perhaps an account created with your email) but a different Name and IBAN. It may have used your address or not.

If the buyer changed the victim being impersonated, it shouldn't have used your email address. This looks like trying to trick someone by making an order with what looks like a previous successful customer. The obvious target would be the shop (if the goods are expensive enough), but it might be some other entity.

Note you should file a police report, even though you didn't lose money this time. The fraudulent use of your data (and likely of many other victims as well) is illegal by itself, and there may be more attempts to either deduct money from your account or even link you to some other fraudulent operation. The report should help you there.

Of course, I would also review the bank account transactions of the past months, to see if there were any other entries you don't recognize, and watch for future attempts. I would also recommend requesting that the bank provides you a new IBAN (the police report may help in that).

Ángel
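
The statement review recommended in the last answer, aimed at the test-charge pattern the earlier answers describe, can be run against a bank export. This is an added example and not part of any answer: the CSV columns, creditor identifiers and mandate references are constructed, and the 8-week figure is the SEPA Core Direct Debit no-questions-asked refund period.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; column names are assumptions, real bank exports differ.
STATEMENT_CSV = """date,creditor_name,creditor_id,mandate_ref,amount
2024-01-05,Example Energy,DE00ZZZ00000000001,EN-1001,-45.00
2024-02-05,Example Energy,DE00ZZZ00000000001,EN-1001,-45.00
2024-01-12,Example Payments,LU00ZZZ00000000002,PP-AAAA,-19.99
2024-03-05,Example Energy,DE00ZZZ00000000001,EN-1001,-45.00
2024-03-14,Example Payments,LU00ZZZ00000000002,PP-BBBB,-60.00
2024-03-20,Unknown Services,FR00ZZZ00000000003,US-0001,-4.99
"""

REFUND_WINDOW = timedelta(weeks=8)  # SEPA Core: no-questions-asked refund period


def review_debits(csv_text, baseline_until, today):
    """Flag debits after baseline_until whose creditor or mandate was not seen before it."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["date"])
    known_creditors, known_mandates, findings = set(), set(), []
    for row in rows:
        booked = date.fromisoformat(row["date"])
        key = (row["creditor_id"], row["mandate_ref"])
        if booked <= baseline_until:  # period the account holder has already checked
            known_creditors.add(row["creditor_id"])
            known_mandates.add(key)
            continue
        if row["creditor_id"] not in known_creditors:
            reason = "UNKNOWN_CREDITOR"
        elif key not in known_mandates:  # familiar processor, unfamiliar mandate
            reason = "NEW_MANDATE"
        else:
            continue
        findings.append({
            "date": row["date"],
            "creditor": row["creditor_name"],
            "amount": float(row["amount"]),
            "reason": reason,
            "refund_days_left": max(0, (booked + REFUND_WINDOW - today).days),
        })
    return findings


if __name__ == "__main__":
    for f in review_debits(STATEMENT_CSV, date(2024, 2, 29), date(2024, 4, 1)):
        print(f)
```

A debit from a familiar payment processor under a mandate reference never seen before is the case a name-only review misses, which is why it is reported separately from an unknown creditor.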