Scam e-mail seeks account info for eBay, PayPal, others
November 12, 2004, 5:00 am
Posing as messages from major companies, fraudulent e-mails that seek personal information have been circulating on the Internet and have tricked some students into giving away their financial information.
Servicing about 125 million customers around the world, eBay has been a major target for "spoof e-mails" -- any false e-mails that ask for personal information, especially financial information.
"They are a form of Internet-based identity theft -- this is nothing new," eBay spokesman Hani Durzy said. "It is not specific to eBay and impacts and affects any major site that has a credit card number on file or is a password-protected site." Other companies that have had problems with fraudulent e-mails include PayPal and Citibank.
"This has been going on for several months, and it's happening everywhere," said Joshua Beeman, an information security analyst at Penn. "What happens is that someone who has nothing to do with eBay forges e-mails to look like it comes from the company."
"It is getting more and more common in the last six to 10 months," Beeman said.
College junior Erin Smart was a victim of the eBay e-mail scam.
The e-mail "said that there was something about my account being compromised, and I needed to give them my information," she said. "It sounded like they were trying to prevent people from breaking into my account."
But officials warn that, as real as the e-mails appear, a healthy dose of skepticism can avert problems.
"Generally, people should be aware that any legitimate business would never send you an e-mail asking you to enter your password," Beeman said.
Tracking down the instigators of these e-mails is hard for companies. "They could be coming from anywhere in the world," Beeman said. "Preventing this kind of thing is very difficult."
Because it is so difficult to track the spoofers down, Durzy said, eBay's best way to prevent further identity theft is to "give our users the education they need to protect themselves."
The online auction company posts information about the hoax through e-mails of its own, community boards, eBay University -- the company's extensive user tutorial -- and its Web site. According to Durzy, the spread of accurate information "helps a great deal."
The eBay Web site outlines a number of ways to spot a fraudulent e-mail. The company tells users that "the 'from' field of an e-mail can easily be altered -- it is not a reliable indicator of the true origin of the e-mail."
However, as users become more informed, spoofers have come extremely close to mimicking the exact look of eBay e-mails, Durzy said.
"It had all the icons, and the URL address looked legitimate," Smart said. "It was just a link that I clicked on that took me there."
But there are other clues beyond the general appearance of the e-mails that can serve as alerts.
Among the indicators are the generic greeting of the fake e-mail, which often reads, "Welcome eBay User," and a threat that the account is in jeopardy if personal information is not returned.
For those who accidentally send personal information, their best bet is to watch their credit card information very closely for several months, Beeman said.
Smart was lucky -- she received an e-mail nearly two weeks later saying that her account password had changed. The thieves did not purchase anything, and it is unclear whether they got her financial information. She closed her checking account anyway.
"It's better to be safe than broke," she said.