Saturday, June 17, 2017

PayPal: a cautionary tale



I am treasurer for a small NGO called BODHI. We get a few donations via Paypal.
Recently I made an error in the code for PayPal payments on our website. It meant people couldn't successfully send us money through PayPal though it looked like it was possible. On one day, in response to an appeal, three people sent an email to say they had each made a donation on Paypal. At virtually the same time I received advice from service@paypal.com (a legitimate Paypal email address) of these donations.

However BODHI never received any money. As I had made an error (now fixed) it was very embarrassing. I felt mortified, and contacted all the donors to explain they may have been defrauded. In the end, thankfully, no one lost any money. The funds people had tried to send to us were returned. They were not stolen.
However, before I knew the full explanation I thought the website (which I maintain) had been hacked. But I could not understand why a hacker would arrange software to send me a message notifying of the donation and thus, a potential problem. It would be much more clever if they could trick donors into thinking money had been sent but without letting me know. After all, not every donor would email me to let me know.

So I turned to the PayPal help site. It proved an utter waste of about five extremely frustrating and anxious hours. I gradually realised I was dealing with algorithms, not people.

The "report a problem" section in the PayPal website forced me to allocate the problem into one of a very small number of categories. But none of the categories exactly fitted my problem.

There was an option to send the problematic email (the ones from Paypal advising the donation) to an address to see if it was a phishing email (presumably also processed by some form of "artificial intelligence"). The emails I sent were duly reported as phishing - even though I knew the donations were genuine (and I personally knew the donors).

As my problem didn't fit well into any of the 3 or 4 categories that were provided I was stuck in a meaningless loop.Obviously algorithms cost less than real people.

Eventually, I got to speak to a real person. She proved no better than dealing with an algorithm; she lacked the listening and possibly the reasoning (and language) skills to follow my argument. She told me the same as the automatic email responses; that we had been hacked and the emails my friends had sent me were phishing attacks. But they weren't.

We still have PayPal on our website - even though they charge over 3% for small donations. We don't want to discourage donors of course.

I have written this in the hope it might help others who are in a similar position.