PayPal employee here (and I'm hiring Node.js developers :P ).
I actually got two of these messages while I was out for the holiday break. I don't work on the team that handles invoicing; but, I (among others) made them aware of this issue and they are definitely working on a fix.
The challenge, of course, is that there are plenty of legitimate reasons for sending $0 invoices and we don't want to artificially make our product worse for our many legitimate customers by going too far in trying to stop this spam.
Genuine question: What are the legitimate uses of $0 invoices? The only thing I can think of is a product that usually costs money (and thus has an invoice workflow), but has been marked as free for some promotion.
In the case of periodic invoicing but you haven't crossed into the billable threshold.
Let's say you get 2 hrs of support per month free, after that it costs $100. If you don't use the full 2 hrs, you'd get a $0 invoice - but there may still be detail and record of work performed (which you would want)
It is very common to send $0 invoices. Some instances I can think of are receiving replacement goods / tracking if a service was rendered but not billable / making sure an account is zeroed and you are fully paid up / etc.
I sold a product and it was paid for by gift certificate or a special promo. I want to send a $0.00 invoice for the customer to see it and enjoy the feeling (Sweet! Free jerky/flowers/socks). It's great marketing and the customer will remember you the next time they want some jerky/flowers/socks.
This is a bit misleading - PayPal's 21-day hold only applies if you received the funds as payment for goods and services. Even in that case, the funds can be expedited to release in 3-5 days once the buyer marks the item as received. It's more for buyer protection than anything.
If you're in the US and receive money via a "Friends and Family" transfer, it's just as 'instant' as Venmo.
Do you think they're running loads of security tests all the while or something? I'd imagine a majority (if not all) of the checks are done up front, especially given it's 2015.
Pretty sure they get a nice bump on their balance sheet for cash "in-transit" - and keeping the timeframe to 3-5 business days only magnifies that effect.
On one hand I hate spammers and their ilk. On the other hand, I have to congratulate them on finding a neat hack around spam filters which is technically not breaking false claimant laws. The simple fix is to disable $0.00 invoices as any actual invoice for services not rendered is fraud.
It can, however, be useful to get invoices for purchases that were discounted down to $0.00. At the startup I'm with we often give new customers a $0.00 trial rate, but they still want invoices so their billing department can keep track. Of course, this billing system isn't using PayPal, but just a thought.
Not invoices per se, but if you buy something on eBay using only eBay gift cards, it processes as a PayPal "transaction" of $0.00. I've got a bunch of those in my email, always interesting to see "You sent a payment of $0.00 USD to X".
Actually a simpler fix is to hold $10 in the user's PayPal account for each $0 invoice they send, and if the invoice is reported back as spam they keep the $10, otherwise after 90 days they release it back to the (potential) spammer. Doing this with funds in the account, rather than with a (likely) stolen credit card, works very well.
For accounts which keep an average balance > $minimum you could waive the $10 hold and just confiscate $10 every time someone reported their $0 invoice as spam.
Yeah, as much as I hate it, I always find myself appreciating the ingenuity that goes into these things.
Another similar spam hack (that unless I'm mistaken is also legal) is the recent plague of Google Analytics referrer spam targeting people who pay attention to their GA referral reports.[1] It has actually caused some issues given that the volume can be quite significant and can easily skew your overall numbers by quite a bit if left unfiltered.
All of these approaches are used to take advantage of the email deliverability rates of large reputable companies that send lots of email. PayPal is a new one, but Hotmail and Facebook have in the past been used for similar things. With Hotmail, you could define a custom "I've changed my email address" message, which would contain your spam message, and then it would send it to up to 5,000 "contacts" for you with near-100% deliverability. Some people automated this, and with that they were able to send millions of messages per day. I haven't looked recently, but Facebook's "invite friends" feature has been used similarly in the past.
Which banks are offering throwaway credit card numbers? And where do you see wide scale deployment of 3Dsecure for online checkouts? Certainly not in the US.
And what online payments processors are offering less than PayPal's 2.9% + $0.30? Seems pretty standard across the industry.
Citibank will give a throwaway credit card number if you have one of their credit cards. I use it all the time, you can even set a date/limit on it if you want.
From the perspective of PayPal, it's not that his personal email address is made public. It's that the fact that he has a PayPal account associated with that email address is made public.
It's similar to advice for "forgot password" forms not to acknowledge whether or not an email address or username actually exists--simply tell the user an email was sent for that account regardless.
Fair enough, but it's a reasonable guess that any given primary email address has a PayPal account associated with it. It's also not really secret, because you share that information with people to allow them to send you money.
At this point, that's like trying to reduce flooding by not dumping a bucket into the river. There's so much spam out there that your only hope is effective filtering.
Oh, I've still got filtering, but it reduces how good/aggressive my filtering has to be.
It is indeed very difficult to keep ALL your email addresses from being publicly listed, so I use GMail accounts for the ones plastered all over the web, and let GMail handle the spam.
They acquired Venmo, which was pretty big for adding users to their ecosystem. They've kept it pretty quiet and have not tried to link the brands together, which probably says something about the current state of PayPal's brand.
I wonder what the reasoning is that PayPal allows you to 'send' someone $0.00?
I'm not really surprised at how terrible the support via Twitter is. I almost never use chat/email support these days with any large company, because of how useless it has become.
I've received invoices for $0.00 when receiving promotional items for projects I was a part of. Comes right in the shipping box, and I'm assuming it's an accounting requirement.
Invoices can contain credits as well as charges. In some cases these might net out to zero but there would still be a legitimate reason to send the invoice showing that detail.
If you're so interested in typing in spam links you might as well search up something like "cheap electronics online" in Google and start clicking around page 10.
Yeah, I agree, but I think a lot of us work in similar situations, where bug tracking exists, but there's such an inundation of bugs that we can lose track of some.
I guess I have sympathy for the PayPal team in this case. They're working on an extremely large product, with a huge user-base. I would imagine it would be very easy for bugs like this to fall through the cracks even with a "process" in place.
I can also do that with DirectDebit (ACH for you yanks) transactions in the UK for example; brute force branch sort code and account numbers and when you "transfer money" (you can do 1p, or even cancel the transaction once the TUN code has been generated iirc) you get the name associated with the account.
There isn't much you can do about it; detecting an abuse of an invoicing system and locally blocking it is much preferable to the other potential outcome of not knowing or being able to confirm where the hell that invoice actually went.
I've been getting the same emails for a while now. I sent to PayPal through email and got no response. I also added on a topic I thought was relevant on their forum, and a guy there said he reported it and got a less automatic response than I did.
I saw the same sort of thing a few years ago with Google Calendar invite spam. If I remember correctly, I'd even get a meeting reminder with the spam message.