I had the most nerve-wrecking morning today. It's my habit to automatically check my phone for notifications upon waking up. It's the first thing I do before washing my face and brushing my teeth. And thank goodness I formed that habit. Imagine my surprise when I saw the email from PayPal saying that I sent a P10,000 payment to a certain Cherisse Orong. I knew I didn't make that transaction as I was still lounging in bed during that time and I certainly didn't know any Cherisse Orong. So I logged in right away to my PayPal account to double check and ta-da, the transaction was indeed in my history and the status was completed (I couldn't cancel it anymore). First thing in my mind was to report it. The thing was I couldn't report the transaction as fraudulent right away since PayPal's system was asking me to wait for thirty minutes so that I will receive some email from the merchant about my "purchase". After a few minutes, I started receiving emails about my cards being removed from PayPal and then I suddenly couldn't log-in anymore. A few minutes later, I received another email saying that the primary email address of my account was changed. I was panicking already and on the verge of crying when my dad told me to get a grip of myself and start cancelling my credit cards.
So I called Bank A first where the P10,000 was charged. The phone conversation was smooth and fast. They told me that I will receive my new card in a few days. And then I called Bank B just to be on the safe side since my Bank B credit card was also linked to my PayPal account. It took the agent several minutes to understand the concept of PayPal. She initially refused to have my card replaced since my card was not really lost as it is still with me. She could not understand that my credit card details were connected with PayPal and since it was hacked, I want my card changed for security purposes. I was so upset that I started asking for her manager since she couldn't understand the reasons of my request. Imagine my anxiety when I couldn't fix this right away and I really felt like time was ticking because this guy who hacked into my account was moving very fast. After several more holds, my request was finally done.
Next call was to PayPal. I only got their number because my dad changed his password and they sent him an email that if he did not request for the password change, he could call +14029357733. So I called the number and I was a bit frustrated since the PayPal answering machine kept on asking for my phone number that I used in PayPal. I wanted to talk to someone, a real live person.
Machine: Thank you for calling PayPal. Do you have a PayPal account?
Machine: Please state your phone number when you made the transaction.
Me: I don't have a number.
Machine: Did you make a transaction with PayPal?
Machine: Please enter the phone number you used with Paypal. Or say I don't have it.
Me: I don't have it.
*frustration levels elevating*
Me:I want to talk to someone.
Machine: Do you mean agent?
Me: Yes, I want to talk to an agent *exasperated*
(Note: The answering machine system of PayPal was actually quite impressive but a bit frustrating if you're in a hurry.)
And soon enough I was transferred to an agent. The girl was actually helpful but customer service manners were not that great. It's not that she was rude, she just failed to inform me when she's looking something up or doing something because there were several times I felt like the line just died. When I gave her my email address, she couldn't track my account. Good thing PayPal emails you the details if someone adds an email address to your account so I saw the culprit's email address. When I gave it to the agent, she was able to track the account. Fortunately, after verifying some of my details, she was able to give me back the control of my account. Afterwards, I changed my password and waited for the resolution of my dispute, which can take up to seven days.
And by early evening, I received an email from PayPal that my dispute was already resolved and that they will reverse the transaction on my credit card, which may take a few days *big sigh of relief*.
So overall, I am happy with how PayPal handled my problem but I still won't be using their service anytime soon.
Tips and Lessons Learned:
- Do not connect your credit cards with PayPal. Or if you do, remove them right away after a transaction you made. I have this lazy habit when I go online shopping where I don't want to retrieve my wallet every time I pay so I saved my card details in PayPal. My cards were linked to PayPal for years but this is the first time this happened to me. The thing is once anyone has access to your account, they can go on a major shopping spree. So better be safe than sorry.
- Be careful of phishing emails. I'm not sure if I stupidly clicked on something before this happened but there's none that I can recall.
- When logging in to any website, log-in by opening a new tab and don't log-in from any of the links from your email.
- Always log-out after your session.
- Have different passwords for your different online accounts. I double checked if I had other accounts in other websites with the same password and thankfully, I stopped having universal passwords a year ago.
- If you notice anything suspicious, report it right away. These scammers work really fast and it's best if we put a stop to their doings right away. Don't think of the cost implications of calling overseas. Do it and do it fast.
History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did.
— Bruce Schneier