What is the PayPal Key and how did a hacker make one for me?

How can you use PayPal Key safely and can a hacker get into your account?

Until recently, Robin Shermon had never even heard of the PayPal Key. But a few days before Christmas, she quickly learned all about the new virtual card in the most unpleasant way. That’s when she discovered a hacker had created a PayPal Key and made a $2,000 purchase using her cash.

Now Shermon hopes that the Elliott Advocacy team can get her hard-earned money back.

Elliott Advocacy is underwritten by World Nomads
-- World Nomads travel insurance has been designed by travelers for travelers, to cover your trip essentials. Even if you run out of travel insurance or leave without it, World Nomads can cover you. We don't just keep you and your family protected, with us, you'll travel smarter and safer. Get more information at World Nomads.

Can we do it?

“I don’t even know what a PayPal Key is!”

In the middle of all the hustle and bustle of the holidays, Shermon woke up to several unexpected PayPal alerts.

“The first one said I had signed into an unknown device,” Shermon recalled. “I had been sleeping, so I definitely had not done that.”

Curious as to what was going on, she signed into her PayPal account. She quickly noticed two more alerts. One of these congratulated her on creating a new PayPal Key; the other advised that her first purchase was pending.

Shermon continued reading through the emails and the documentation in her PayPal account with growing dread and confusion.

“Someone used ‘my’ PayPal Key and made an online purchase at the Apple store,” Shermon reported. “$1,999 was pending from Apple — in Hong Kong!!”

Shermon had never even heard of the PayPal Key before. So she began a swift investigation and soon realized someone had hacked her account from halfway around the world. While she slept in New York, the hacker created a virtual payment card. Using funds Shermon had allowed to accrue in her PayPal account, the thief made a giant purchase in Hong Kong.

“I assume they ordered themselves a computer,” Shermon surmised. “But when I called Apple, they told me the PayPal Key purchase information I had was encrypted. They could not tell who or what was purchased – even though the hacker used my money.”

Shermon’s next move was to ask PayPal for help.

Unfortunately, that would prove to be an impossible mission. We’ll get to that fiasco in a moment.

But to fully understand what happened, here’s a brief explanation of the PayPal Key.

What is the PayPal Key?

The PayPal Key is a new payment option offered by the money transfer company. It appears to currently be in beta mode and isn’t available to all users.

  1. How to get a PayPal Key
    If your account is one that allows for the creation of the Key, you’ll see that option in your PayPal Wallet. Just click on the PayPal Key and you’ll receive a virtual card number, expiration date and security code.
  2. Where you can use your PayPal Key
    The PayPal Key functions as a virtual Mastercard. You can use it online anywhere that Mastercard is accepted — including places that don’t accept PayPal payments. Additionally, you can make purchases over the phone. But it’s not possible to use a PayPal Key in person at a brick and mortar establishment.
  3. The PayPal Key is not a credit card
    The PayPal Key is not a credit card. There is no application or approval process to be eligible for a Key. Since it isn’t a credit card, you must have available funding in your account to make any purchases.
  4. Your PayPal Key and temporary holds
    It’s important for anyone who uses the PayPal Key to read through its entire terms and conditions. Of particular note are the clauses that allow merchants to place holds on the user’s balance that far exceed the purchase cost. These holds that PayPal calls temporary can linger for 30-60 days. During that time, the PayPal user will not have access to any of those funds.

A hacker created this PayPal Key — I need help!

But Shermon had never asked to create a PayPal Key. So she assumed that PayPal would quickly reverse the charge and delete the virtual card from her wallet.

She was only half right.

When Shermon reported that a hacker had created the PayPal Key and asked the company to help her, the agent swiftly deleted it and locked her account. She asked about the pending charges, to which the representative explained that the case was “in review.”

Shermon’s frustration was growing. She wondered why the agent was unable to block what was still a pending transaction.

But within an hour, she was relieved to receive a text message from PayPal. It had declined the $2,000 fraudulent transaction.

PayPal: Apple com/HK purchase declined because you used deleted PayPal Key *****. To get a new key got to *****.

That relief was short-lived.

PayPal had deleted the hacker-created Key and declined the purchase. But then…

After receiving a follow-up text reiterating that PayPal had declined the transaction, Shermon received a third notification. She could not believe her eyes as she read the announcement that now PayPal had approved the purchase in Hong Kong. The deduction of the $2,000 from Shermon’s account was no longer pending.

Her money was gone.

“Why did PayPal approve this fraudulent charge?

Shermon went back into the resolution center. Through the chat feature, she tried to find a human to engage.


Then a few minutes later, Shermon received a new email from PayPal.

Case Closed: Transaction not covered
Thank you for reporting this case. After reviewing your case, we found that the reported transactions were not unauthorized and hence couldn’t be covered under PayPal Purchase Protection. (PayPal Resolution Center)

Transactions were not unauthorized?? Shermon’s blood began to boil. She hadn’t authorized anything. PayPal approved the fraudulent Key transaction after she had repeatedly reported the crime.

MY CASE WAS JUST REJECTED. IT IS FRAUD. THIS IS SHOCKING! I need the following information for the police: What was the PayPal Key number that you authorized that allowed a hacker to make this web order?



Except for another email repeating that PayPal considered the case closed, Shermon heard nothing further from the company.

Her next stop? She headed down to her police station and filed a report of larceny. Then Shermon sent her plea for assistance to the Elliott Advocacy team.

Asking the Elliott Advocacy team for assistance

Just days after Christmas, Shermon’s request for help landed in our inbox. She had read about the case of Isaac Benzadon. A thief had stolen money from his PayPal account as well (See: Someone took money from my PayPal account. How do I get it back?)

Shermon hoped that we might be able to help her in the same way we helped him.

Like one of your readers in your article on PayPal, I was hacked. $2,021 was sent to Apple in Hong Kong. The hacker opened a Paypal Key and took my entire balance. I am so frustrated with Paypal and I am thrilled with the prospect of you assisting me. I still have yet to speak to a human over the phone. They claim they see no “unauthorized transactions” on my end.

When I looked over Shermon’s paper trail, one thing was clear to me: She had not been speaking to any humans. There was no way a real person at PayPal would have approved this payment after her repeated reporting of the fraud.

I was sure that Shermon had been “talking” to bots at all times. So it was time to ask an actual human at PayPal to take a look at this debacle.

The good news: PayPal will refund this Key charge

The Elliott Advocacy team has a very helpful, real person at PayPal who is always willing to review the cases we send. I was sure that she would want to have a look at Shermon’s dilemma.

Hi ******!

I hope you’re having a lovely holiday!

We have a PayPal customer here with an unusual problem. I haven’t encountered this “PayPal Key” before tonight. But this customer says that she got an alert that a hacker had created a PayPal Key from her account and then purchased a $2,000 item from the Apple Store in Hong Kong. She called PayPal right away and reported it as fraudulent. PayPal declined the charge two times and then, for some reason, on the third day, approved it.

Unfortunately, Robin had a cash balance in her PayPal account and this transaction drained it. It looks like she’s been dealing with chatbots and not real people at PayPal who told her that her case was rejected. She’s filed a police report and tried to get a human at PayPal to review the problem so that the Apple store in Hong Kong might be able to stop the shipment. But she has no specific information about the purchase.

Could you see if your human team could take a look at this one and find out what’s going on here? Thank you!😊 (Michelle to PayPal)

And the good news for Shermon came quickly. After a brief investigation, the real people at PayPal saw what the chatbots could not. Their team agreed that Shermon was a victim of a hacker — she had not authorized the giant purchase in Hong Kong.

The bottom line

Hi Michelle!!!! PayPal just transferred my money back to my account!!!! I cannot thank you enough. I’m so, so, so beyond grateful for all that you’ve done for me!

You were the only one that could help me!!!!

And with that, Shermon closed out the year for the Elliott Advocacy team as our final success of 2020! Goodbye and good riddance 2020 — onward to 2021!

How to protect your PayPal account from hackers

Our case files suggest that hackers love to target PayPal accounts. But, by taking a few simple precautions, you can protect yourself — and your cash — from these thieves.

  • Make sure your password is unique
    Many consumers use the same password across many sites. Thieves know this. Remember, if you use the same password and a hacker gets into one account, they’ll be able to get into many of your accounts. Your problems will be instantly magnified. If keeping track of a separate password for all your accounts sounds daunting, consider using a password manager. Those programs can do the work for you.
  • Turn on 2-step verification
    If you want an extra wall of protection between you and online predators, turn on 2-step verification in your PayPal account. Each time you sign into PayPal, you’ll receive a new, temporary six-digit code to your phone. Unless a thief also has access to your phone, 2-step verification will foil any hacker’s attempt to grab your cash.
  • Don’t leave funds in your PayPal account
    PayPal is not a bank account and you should not use it as one. The regulations that apply to money you keep inside an FDIC insured bank do not apply to balances inside your PayPal account. Although unlikely, if PayPal should suddenly go out of business, your money could go with it. The FDIC does not protect users’ balances from the risk of PayPal’s insolvency (Source: the PayPal user agreement). And don’t forget, when you leave sums of cash in your PayPal account, you’re leaving yourself vulnerable to hackers.
  • Don’t leave direct access to your primary bank account
    Guess what happens when you store your bank account information in your PayPal account and a hacker gets inside. The predator has direct access to your bank account and the results can be disastrous. The criminal can easily transfer funds from your bank account into your PayPal account and then quickly send those funds to their own account. If you frequently use PayPal to receive payments, creating a secondary (intermediary) bank account is a critical safety measure.
  • Keep a frequent eye on your PayPal account
    Infrequently monitored or dormant accounts are a hacker’s dream. Sign up for activity alerts on your PayPal account and make sure you always read them to find out when PayPal detects unusual activity on your account. But…
  • Don’t reply to activity alerts
    A frequent tactic of online predators is to send out phishing emails that look like the real thing. These emails alert you of suspicious activity in your PayPal account and ask you to reply directly to the message. When an unsuspecting account holder replies, the next screen asks them to enter their login credentials for security. Now the criminal has all the information necessary to hack into the victim’s PayPal account. Any time you receive such an email, do not reply to it. Instead sign into your account (not through any links in the email), and confirm what’s really going on.
  • Contact a real person at PayPal
    Many businesses, including PayPal, are operating at reduced staffing during the pandemic. If you have an urgent problem and need to speak to a real person ASAP, the Elliott Advocacy research team has your back. Here are the executive company contacts at Paypal that you can use to make sure you don’t get stuck in a frustrating conversation with a chatbot who has no ability to actually help. (Michelle Couch-Friedman, Elliott Advocacy)