This is sort of a generic problem with all remote voting schemes, at least the non-cryptographic ones. The only real defense I know of is to permit voters to cast multiple ballots with only the last one counting. The idea here is that I would give the attacker my vote by mail ballot and then cast a "real" vote later, either in person or remotely [note that this would require treating ballots as uncontrolled items, which, as I said, isn't always true.] This doesn't seem like an entirely satisfactory defense for a number of reasons. First, it depends on a large fraction of people selling their votes deliberately trying to cheat the buyer. In practice, it seems likely that many won't, in which case the attacker will have a pretty high success rate. Second, if the attacker has any way of knowing whether people voted multiple times—even without knowing how they voted—then they have an opportunity to punish defectors (or at least not pay them). It probably only takes a small probability of that happening to deter defection.
Now, it could be that the convenience of vote-by-mail is worth enabling this kind of attack. That's a policy cost/benefit type question, but from a technical perspective I'm not sure how to remove this attack with conventional (i.e., non-cryptographic) systems, so it's something that needs to be considered when deciding how much VBM to have.