PayPal supposedly has a "refuse payment" button, but it works differently for "verified" and "unverified" accounts.

Now, if this was a bank to bank ACH transfer, the recipient could just refuse the credit. There's an error code for this situation: R10: “Customer Advises Originator is Not Known to Receiver and/or Originator is Not Authorized by Receiver to Debit Receiver’s Account”.[1] You can contact your bank and refuse an incoming ACH transaction, which will generate this.

This is different from sending money back. It says to the banking system that the transaction was rejected and did not complete. So you're not sending the unknown originator your money. You're refusing to take their money. This eliminates the possibility of a reversal from their end costing you money. It also marks the transaction as an error in the banks at both ends. This is useful, because many errors on an account are an alarm condition and will get the attention of some fraud department.

If you have to reverse a transaction, do it fast. There are time limits for the simple paths.

(A friend of mine runs a bank branch of a major bank. Much of her day is spent straightening out error situations like this.)

[1] "https://www.nacha.org/rules/differentiating-unauthorized-ret...

What if the recipient transfers the money to their bank account immediately?

In the USA there is no such thing as transferring money immediately between banks

That’s less true than I used to think.

I once accidentally ACH debited the wrong person’s account at a different bank.

There was no real way for me to stop the transfer without doing extremely bad things involving having my bank report me to law enforcement.

So, I ended up sending the money back via a second transfer. That’s problematic, since the first transfer I performed was certainly unauthorized and could have been clawed back by my accidental victim (I trusted them, and I was 100% at fault, but that’s not the point.)

The whole experience was bad all around, and I thought ACH was designed to handle exactly this class of screw up.

Sure there is: Zelle.

Most major banks are apart of the Zelle program and you can send your contacts funds easily and quickly. I get notification of family sending me funds pretty much immediate with confirmation of deposit within a few minutes even for a few thousand.

Zelle does not actually guarantee that your payments will go on the fast path. If you send a payment after-hours or to a new recipient that scores too high on some opaque fraud metric, it will be sent like a normal ACH with a few business days of processing time.

Sure there are some situations where it takes a bit longer. But I was responding to the statement saying there are NO immediate ways to send money in the US and that’s straight up not true because often enough Zelle does work, especially using it with existing contacts as I had said.

Also, Apple Pay is often immediate but has taken like 10 minutes as well so that could vary.

> In the USA there is no such thing as transferring money immediately between banks

... In Europe there I? What's your point?

Yes, India and China as well.

You open your banking app, enter their bank and account number, the amount to transfer, then somewhere between seconds and a couple minutes the money arrives.

Yes, there are transfers which finishes well within a minute, between banks. You can eat pizza and spit by doing a transfer yeah.

Not until FedNow in July, at least.

I don't know what that is, but i'll eat my hat if JP Morgan Chase Bank Manhattan switches from batch transfers to FedNow this ~~year~~ decade.

I've read that the scam is that they will ask you to send the money back. If you do, you'll be out of the money because the money they sent you will disappear after a while because Paypal pulls it back (probably because they sent it to you from a stolen credit card or something like that)

Thanks. There must be quite an operation behind this then to make it viable.

Input: stolen credit cards, email addresses to send to, email addresses for opening a PayPal account.

Attrition: credit card gets blocked, PayPal email gets blocked, recipient doesn’t react or doesn’t send the money back, recipient won’t fall for it twice.

5 Euro per successful attempt — 200 successes per 1000 Euro (minus the cost for acquiring credit cards and email addresses) — sounds like a low margin business.

Google “PayPal duplicate money trick”. People are actively sending money from their own account to PayPal, claiming it fraud and doubling their money. They don’t care if they get locked out if they make $500-$1000. Change the input from their own money to a stolen PayPal account. It’s a payday for them (that eventually comes back to haunt them)

But, why use a random person’s paypal account as the destination?

I think the key to this scam is to send fake emails pretending to be paypal. So you email someone "hey i accidentally sent you money, can you send it back" and then you also send from your paypa1@gmai1.com email address something like "so and so sent you money on paypal, spend it right now wow this is amazing". Paypal is never actually involved until you send them money.

(I think these are all Zelle scams these days. I don't really know what Zelle is, but it seems like all the banks got together and were like "how can we really screw over our customers?" and this is what they came up with. You really can't reverse transactions? Why would I use a bank for that when I can easily lose all my money to scams with Bitcoin? It's so crazy to me.)

With great power comes great responsibility. Non-reversible transactions are dangerous in the sense that you can't reverse them, but that's the case with cash (not to mention handing over physical goods). But it cuts both ways: it means if somebody pays you what they owe you, there's no way for them to claw it back later.

tl;dr Want a permanent transaction? Use cash or Zelle. Want the ability to reverse a transaction or dispute a charge? Use a check or credit card.

It is good for stuff like craigslist or splitting checks.

The following scam works with craigslist + paypal, but not zelle:

You sell me an expensive item. I paypal you the money. You check your account and see that the money landed. I walk away with the item and immediately reverse the paypal transaction.

Note that the “I sell you a stolen/broken thing that will definitely be traced to you” scam works on both paypal and zelle, since the time to discovery of the scam is long enough to pull the money out of PayPal.

I’m not sure how hard it is to set up a burner zelle account and use it for untraceable crimes. It’s apparently easy to do that with paypal.

But, to your point, yes, they’re both pretty terrible services from a consumer protection standpoint.

When your time is cheap, making a few bucks a day scamming probably beats working all day carrying bricks or working in a diamond mine, or whatever.

Some of them are also not actual PayPal links they’re just phishing emails that’ll steal your credentials if you click through and try to sign in

We've had a variation of this attempted when trying to sell a vehicle online. The scam is not specific to the item being sold, because they have no intention of picking it up. Rather, you are sent a realistic Paypal money transfer notification, and are asked to put most of it (since the amount is higher than the purchase price) into some sort of Moneygram transfer "for the person who will pick it up."

Paypal has an email listed on their site, IIRC, where you can send these, and it will tell you if it really came through them. Ours had not.

> https://en.wikipedia.org/wiki/Overpayment_scam

I had a similar fraud that PayPal is somewhat complicit in because how how their system works:

I get an official PayPal email. But it’s on behalf of a vendor who is asking for money. But they’ve carefully crafted the request to look like a receipt. As if I’ve already paid $300 for textbooks and this is my receipt. But just a few unwitting clicks and I’ll have accepted the transfer request.

I have been getting a few of these per week for the past couple of years. It’s really frustrating as the payment request comes from PayPal so won’t be flagged as spam, and there’s no way to “unsubscribe” because you get the email whether you have a PayPal account or not. I keep forwarding them to phishing@paypal.com and nothing happens. At this point, I would definitely consider PayPal to be complicit.

For every email, I would send an abuse complaint to the registrar on their whois lookup, which right now is Markmonitor [0]. I have done this to get one spammy website's emails shut off before, when they weren't including unsubscribe links. Of course they were back on their same bullshit weeks later, but I was able to unsubscribe successfully.

IDK, maybe PayPal is too powerful or whatever they're doing here is technically legal, but it is worth a shot.

[0] https://www.markmonitor.com/legal/abuse-policy

Data is everything in 2023. Paypal absolutely knows exactly how much money they are getting from these types of emails. It shouldn't be much work to find that in their sent folder.

I dont understand why the courts dont treat this as fencing, or wire fraud.

PayPal makes it absolutely simple for anyone to generate an invoice. I sent a package to my friend out of state, and I invoiced him for the shipping charges just as a lark, and he duly paid his bill. We'd pre-arranged it all, so everything was legitimate, but all I needed was his email address.

Tangential story...

I had a Northwest Airlines VISA card in the early 2000s.

One day, I noticed a USD $6,000 deposit. I sent a message to customer service that something was wrong.

The next day, I noticed a $5,800 withdrawal. At this point, I called customer service.

They removed the deposit right away, but I had to engage repeatedly to get the withdrawal off my statement. I think this involved some kind of written statement.

I've also had Discover call me, asking if I ordered a $1,200 television off Newegg, and they sent me a new card when I replied that I did not.

I have no idea what happened in either case.

I don't have any experience with this, but maybe they found a store or something that they could use to get a refund to a specific card and they used your stolen debit card info to get the refund and then proceed to spend it all hopefully before the card holder notices.

In the case of the television id guess someone used your card number to place an order and the transaction got flagged.

In the past this has happened to me because I have a "givenname.surname@gmail.com" email address and a relatively common name. The other people frequently misspell or forget their email address and end up with mine. I get occasional money sent via paypal but also all kinds of other email. I get a pretty clear indication of which companies don't bother with an email verification step.

At one time (may still be the case?) someone created a Facebook account with my email address and I was able to click on a link and be logged in as them.

I'm a paranoid nerd enough that this was an actual conversation I had with my wife - should we give our kids a name combination unique / obscure enough to mitigate the risk?

What drives me insane is that 99 % of companies send "please confirm your email address"... And then have NO link to say "that's not me!". You can click for positive confirmation but you can click for negative confirmation. And they keep the account even though it's unverified email. Even though I never verified the email, I'm subscribed to ridiculous amount of Financial, retail and other services throughout Europe due to this issue (people inadvertently subscribing with my email address).

Personally I think a non-unique name is best for security concerns, all things considered. You don’t want one ex-boyfriend or whatever to be able to find every last trace of your online existence, trivially, for the rest of your life, just by knowing your name. It is better that it’s going to be mixed in with tons of chaff from all the other Greg Jacksons or Catherine Williams (or whatever the applicable culture’s normal names are).

> And then have NO link to say "that's not me!"

I add those destination email addresses to the system filter as a hard reject. I assume the other end will get the message eventually.

Even having a "it's not me" link doesn't always help if they use a different email each time - for a while, I was getting 3-5 Russian Instagram "confirm your email"s a week and the "it's not me" made no visible difference.

Kinda weird, considering the whole idea of double opt-in is to only start spamming you once you actively consent via e-mail action

It's not just marketing emails. I get invoices, quotes, proposals, contracts, dating site messages, all sort of things. None of those designers / sysadmins / owners apparently feel email should be verified before sending that stuff. Why bother with verification emails then? I haven't a clue.

not sending emails earns their companies $0. Sending emails ostensibly earns their companies greater than $0

Sounds like spam, I would mark it as such.

The email bothers me a little.

What bothers me a lot is that there's an active account attached to my email address with dozens of companies I did not choose to engage with. It as astonishing how few companies allow you to disavow an account created with your email (practically none. I don't have an instagram myself but my email account does.)

Marking their emails as spam just means I will no longer know what's being done "in my name" (with my email address). It doesn't aftually solve an issue in any real way.

You could always email the company, or just validate the email, reset the password and delete the account.

The latter is risky though; some sites use email validation as proof they should attest to the real world identity of the person that owns the account. (Github is one such example).

I imagine some site does that and also does not ensure that access to the email address is enough to reset the password and 2FA setup. (Come to think of it, Github is also an example of this.)

Either way, common courtesy would dictate waiting a week or so between emailing and nuking the account.

I’m in the same boat, although it hasn’t happened with any financial transactions yet. I get numerous emails that appear to be genuine - my (non-existent) Subaru is apparently constantly in need of service, and I supposedly work for a school in a different country.

I eventually had to register for Instagram just to stop one person from constantly signing up with my email address.

It boggles the mind though, because I can’t recall an instance in which I’ve ever mistyped or forgotten my own email address. How are people getting their email address wrong so often?

> How are people getting their email address wrong so often?

Invalid generalization from the process of signing up for email itself. When I sign up for Gmail, I choose an identifier I don't control (and computer says no if I get it wrong). Then this becomes my identifier. Likewise for usernames. So if emails are now usernames, why would the same process not apply? I choose an identifier I don't control. I put "@gmail.com" because it says to use an email address and that's what email addresses end with. Computer doesn't say no so I must have done the right thing. Rinse and repeat.

It's unfortunate that there's no legally required email confirmation before a company is allowed to spam you regarding someone else's transactions.

I have the same issue with Facebook - someone somehow is using my email address and I frequently receive login notifications. I contacted Facebook a few times and nothing happened. Now their contact form forces me to provide my DOB to submit a request. What does my date of birth have to do with someone using my email address? I’ve been considering logging in as this person to remove my email from their account, but I’m pretty sure this is fraud.

Sometimes people send money to me accidentally over PayPal. I’ve had great difficulty getting PayPal to return the money, never succeeded. Always been afraid to send it back myself in case the original transfer ever gets clawed back. So I’ll just have an extra $200 sitting in my PayPal account that I can never touch.

Surely, there should be some reasonable amount of time (maybe 2-3 years?) after which you can safely consider the money to be yours? Especially if you made a reasonable effort to return it.

Common scam format. Convince recipient to accept money, claim over-payment or accidental payment and ask for refund. Sender then claims account is hacked / check stolen etc and claims a clawback via bank or paypal etc.

The UK wedding photography industry has a version of this where a potential client sends a check for the deposit, and it far exceeds the amount required for the booking. They say the mistake is because they were supposed to book flowers etc and ask you to transfer the difference back asap. A year later it turns out the check was stolen or fake and the deposited funds vanish from your account and the culprit is long gone. It's fun to have them send the check, then pretend the police are now involved since you tried to deposit it.

I have never had the problem of random people sending me money,

The things you learn on the YouTubes…

It probably is a scam where they try to get you to let them log into your bank account and “accidentally” transfer too much money which you can conveniently return to them with gift cards. Or some variation on the theme.

There’s also some PayPal invoicing scam going around where they send random people bills through PayPal and use that to get the scam rolling.

If it were me I’d just ignore it unless they are sending real money to you, in that case I’d just consider it a stupid tax and keep the money after a while (in case of chargebacks).

I assume they will claim a mistake transfer if you claim and ask you to send it back to another account.

It’s a small amount of probably fraudulent money, but small enough that you might just do it. And I guess the hope is enough people do to make it add up to some good recurring income.

Would love to hear if there’s more to it than that.

I had the PayPal sender email and message me dozens of times begging me to return the money when it was sent in error. ($990)

“I don’t see any errors on my end, perhaps you want to take it up with customer service.”

I've had requests payments instead, which I obviously deny everytime.

No you don't.