PayPal is the most accepted way to make online purchases, as evidenced by recent reports that PayPal processes more than $315 million in payments per day. It's no wonder that this popularity has also painted a giant bullseye on PayPal's back in the eyes of hackers worldwide. Compromised PayPal accounts are not only accessed for the account balance funds and financial information they contain, but the accounts themselves are typically sold for quick cash.
We recommend taking prudent precautions to protect your PayPal account from unauthorized access, as well as using good "computer common sense" in general. The majority of PayPal accounts are compromised through phishing attacks or trojans on your computer.
Guard against being compromised in just a few simple steps
1. Anti-Virus: Use a good one and keep it up-to-date.
Always have a good anti-virus installed on your computer, and keep it up-to-date, both the software itself and the virus definitions, which should be updated daily if not every few hours. Most anti-virus software now also offers protection against trojans, suspicious attachments, and malware. If yours doesn't, consider either switching to one that does or using separate programs for that protection.
2. Firewall: Always have a firewall enabled on your computer.
A software firewall, such as the built-in Windows firewall, is better than nothing, but a hardware firewall (such as a network router) offers stronger protection.
3. Attachments: Don't open or download unexpected attachments!
This is still the number 1 way crackers gain access to your computer and/or install a trojan on it. When in doubt, DON'T open it! If the sender is someone you know, verify directly with them. Even when the attachment does appear to come from someone you know, it may not. Compromised web-based email accounts (Hotmail, Yahoo, AOL, Gmail) being used to send spam have reached epidemic levels. Unless it's an attachment you're expecting - in the file format you are expecting - it never hurts to verify with the sender that they did in fact send that attachment.
4. Verify Sites: Verify you are on the site you expect to be on.
Before logging in or entering any information, make sure you're on the correct site. Check the address bar, and check that the site is secured by an SSL certificate (using HTTPS) and that the certificate is valid. You should receive a warning from your browser if it isn't. Read any warning you receive carefully. You should see a little padlock either in the address bar, to the left or the right of the URL, or in the lower right-hand corner of your browser (it's different with each browser).
5. Slow Down: Pay attention to what you're doing.
The biggest error you can ever make online is to hurry through things, get complacent, and not pay attention to what you're doing. Read instructions carefully. Pay attention to each screen. If you don't understand a screen or error warning, re-read it slowly. This isn't a race, and slowing down to fully understand what's on the screen takes a lot less time than recovering from a hacked account or computer.
Use a Security Key with your PayPal Account
PayPal offers a way to help secure your PayPal account against unauthorized usage by using your mobile phone! PayPal will send a text message to you each time anyone (including you) logs in to your PayPal account. The text message will contain a 6-digit security code, which you enter into the PayPal website as a part of the login process. It only adds an extra 2 minutes to the login process, and the extra security is well worth the time.
1. Log in to PayPal.
2. Under My Account -> Profile -> My Settings -> Security Key, click the "Get started" link to the right.
3. Under "Order or activate a security key" click "Get security key."
4. Click "Register your mobile phone", enter your mobile number, then click the "Agree and Register" button.
PayPal will send a confirmation to your mobile phone. Follow those instructions and your security key will be set up. Be sure to activate your security key on the PayPal website. You can deactivate it at any time.
When you log in to PayPal, you'll be presented with this screen (the orange button will initially say "Send SMS"):
Click the orange "Send SMS" button. In just a moment you'll receive a text message on your phone, containing a 6-digit code. Enter it as shown and click "Submit", and you'll be taken to your PayPal account.
Skip the Security key step
What happens if you don't have your mobile phone with you, or your cell service provider's network is having problems and you don't receive the SMS?
You can skip the security key step by either hovering over "Didn't get the code?" and clicking "Skip security key login this time", or by clicking "I don't have my security key with me."
You'll be required to give an alternate means to prove your identity, such as providing your driver's license number and the last four digits of your social security number. This assumes that you've given this information to PayPal previously, so they can verify it.
Be aware that if you set up a PayPal security key and you use external financial services such as Mint, Outright, inDinero, etc. that aggregate your accounts and include your PayPal balance in your financial accounts, only Outright is set up to list itself as a "Service Provider" in PayPal and can access your PayPal balance. Unless a service is listed as a service provider, that service's login to your PayPal account will fail. As of this writing, there is no way to manually add a service as a service provider in PayPal; it's something that needs to be written into the service's script itself.
We try to provide as much information as possible to help our clients, but any PayPal-specific questions should be submitted to PayPal support.