How to secure PayPal

With hundreds of millions of users around the world, PayPal has long been an international leader in the electronic payments industry. But as we know, money never fails to attract fraud, especially now, with as much of life as possible taking place online. Here is what you need to do to stay safe when sending or receiving money through PayPal.

How secure is PayPal?

As a matter of fact, PayPal is quite a reliable platform that maintains a high level of security — and keeps improving it. For example, the company runs an official bug bounty program that pays white hat hackers to unearth vulnerabilities, under which it has already paid out almost $4 million since 2018. The program also covers several other services owned by PayPal, such as Venmo.

PayPal also treats its users’ data responsibly: It did have one reliably reported leak, in 2017, but the leak involved the infrastructure of a company PayPal was acquiring at the time. And all payments within PayPal are based on e-mail addresses, so users never have to share their bank details with vendors.

Technology aside, we cannot ignore the human factor. Even though PayPal does a lot to secure its users’ transactions, users themselves sometimes make mistakes that cost them real money. To avoid their fate, follow these simple rules.

Protecting your PayPal account

Protection against hacking in PayPal

First, make sure your PayPal account has a reliable password. Reliable means long, unique, and hard to guess. If you use a weak password, or use the same password for lots of accounts, then your PayPal account will be vulnerable to brute-force attacks or credential stuffing. Crafting a good password isn’t hard — here’s how — although managing a bunch can get unwieldy. Regardless, you may find refuge in our password manager. It will do both: generate reliable passwords and safely store them.

With finances at stake, it pays to be on the safe side. Do not fail to activate two-factor authentication. With PayPal, you can receive one-time codes in text messages or generate them in an application — whichever authentication app suits you best. The app-based option is generally considered more reliable, but any second factor is better than none at all, so if you strongly dislike using an authentication app, at least use one-time codes delivered by SMS.

Think twice about your secret questions and answers, too. Your grandmother’s maiden name or your first school probably isn’t hard to learn from your social network accounts; questions like that offer feeble protection. You can be more clever than that. For example, instead of giving the name of your own old school, fill in the answer that would be true for one of your relatives or friends — just don’t forget what the right answer should be. For safety reasons, we recommend using Kaspersky Password Manager for that as well; it also stores encrypted notes, not just passwords.

In addition to ramping up authentication, make sure your notifications are set up in a way that works for you. Enabling mobile push messages about outgoing payments will probably be the most useful measure in terms of security. That way, if someone breaks into your account and begins spending your money, you’ll be sure to learn about it, and put a stop to it, right away.

A somewhat less-intuitive addendum: Even though you’re receiving notifications, you should perform a manual check of your account and transaction history from time to time. If you find PayPal reporting transactions you clearly didn’t make, change your password and security questions and contact PayPal’s support immediately.

Vulnerability protection in PayPal apps

Software is written by people, and people make errors, and errors become vulnerabilities that cybercriminals can exploit. As we mentioned above, PayPal spends big money to search out such vulnerabilities — and probably even bigger bucks to purge them from its products and systems.

But for the resources that PayPal continuously invests in your protection to work, you will have to put in a small amount of effort. Namely, never skip smartphone app updates. (Desktop users have to use the Web version of PayPal, so if you use that, you have another reason never to skip browser and OS updates.) Install all updates as soon as they come out.

Do not forget to run antivirus scans on the devices you use for PayPal — your PC and your smartphone. When your money is at risk, no precaution is too small.

Cyberattack protection in PayPal

Always remember that public Wi-Fi is bad (meaning unsafe). Never use it for financial transactions without ensuring you have a secure connection. If you are pressed to complete a transaction while using free Wi-Fi at a café or airport, first establish a secure VPN connection and only then open your PayPal app.

Use caution with incoming e-mails that seem to come from PayPal; they may pose a phishing threat. PayPal has long occupied a place at the top of the list of brands most targeted by fake e-mail scams — and why wouldn’t it? Fraudsters follow money, remember? Use standard observation techniques to detect phishing: Carefully check the sender’s address and any links in the message.

Better yet, do not click any links at all. Instead, enter PayPal’s address in your browser, log in, and check whether you have any notifications in your account. If you have none, the letter is very likely fake.

And, most important, never enter your PayPal account credentials if you have even a shadow of a doubt about the legitimacy of the letter or website you find yourself dealing with.

Some recommend using PayPal from a browser or even separate device used solely for that purpose. We think that’s a bit much. Instead, use the Safe Money feature in Kaspersky Internet Security to ensure your money will never be stolen when making a payment.