Industry guru Dave Taylor offers free tech support on a wide variety of technical and business topics, including HTML, Apple iPhone, online advertising, Cascading Style Sheets, Web design, management, Unix, Linux, search engine optimization, online dating, Mac OS X, shell script programming and Microsoft Windows.

How do I know if an eBay message is phishing?

I buy and sell on eBay quite a bit, so it's really a pain to worry about possible phishing attempts from delinquents trying to get me to reveal my eBay account and password. How do I easily ascertain if a specific message is from eBay or a phisher?

Dave's Answer:

This is a perennial problem, and one that I still think the email tool vendors haven't really stepped up and really tried to solve yet. And I'm sure that hundreds of people every day are tricked by these phishing messages - email that appears to be from a known organization but actually leads to a fake site that is intended to just harvest login data - and get into trouble without ever realizing what happened.

Here's a fake eBay email message that I just got this afternoon:

It certainly looks legitimate enough, and if you click on some of the links in the "small print" at the bottom of the message, they will sure enough take you to the eBay site. Even if you crack the message open and view the source, the images are coming from eBay servers, and the sender address is member@ebay.com, which seems legitimate enough, doesn't it?

Heck, the first line says "eBay sent this message!" and follows with "Your registered name is included to show this message originated from eBay. Learn more"!

The first obvious problem with this message, though, is that I've never submitted a bid on the specific item being referenced, the "TOSHIBA RD-XS54 DVD Recorder w 250 gig hard drive", so rather than think "oh, I better answer!" I know to toss this message out.

The more critical way to see that it's phishing is to put your cursor over the "respond now" button and look on the edge of your email window. Good email programs will actually indicate on the window frame what address they'd take you to if you click on the link. I use Microsoft Entourage and here's what it shows on the edge:

Clearly eBay isn't going to be sending me to a server called oneota.net so that's a flashing red klaxon that this message is completely bogus.

But let's say that I didn't realize that, or my email program didn't show me the URL of a clickable link, and I clicked on the link.

First off, I might then suddenly get to a site that tries to install spyware or other bad things on my computer, but hopefully my Web browser or other antivirus / antispyware application would prevent that from happening. More likely, I'd end up looking at a page that looks completely identical to a legit eBay login page:

Looks quite legitimate, doesn't it? But again, there's a problem. If I go to the real eBay site, it remembers my login account name and this is blank. I might miss that, though, so here's a trick to avoiding any phishing scam, however sophisticated it may be:

Test the login page with a fake account and password pair.

Here I'll invent an account and password that I'd never use (my temptation is to use obscenities so that the phisher will have a bit of feedback on his attempt to defraud me, but that's another story!).

This phishing attempt is quite sophisticated, though, because I try the bogus account / password pair and it actually logs the information and hands it off to eBay itself. All of a sudden, I'm getting an error message that:

Your sign in information is not valid. Please try again.

but this time the URL in my browser's address bar shows me that I'm actually at https://signin.ebay.com/ rather than the oneota.net address.

Now I can safely log in if I think that the phishing query is legitimate, since I'm now legitimately on eBay (be careful with this sort of thing too, because I could register a domain like "signin-ebay.com" and a quick glance might well suggest it's legit).

But really, the best advice I can give you is to be skeptical and a bit less lazy. Every time you get email from a service, be it eBay, Paypal, your local bank, the Social Security Administration or whathaveyou, don't click on its "login" button, but just type in the URL of the site in your browser and log in from there instead.

I really wish this wasn't an issue, and I hate the waves of phishing email I get because they, of course, clutter up my mailbox and make it easier that I might accidentally delete a legitimate query or request for updating my data. But precious few organizations now send email asking for you to log in with clickable links at this point, and that's a good clue regarding how you can avoid problems.

Good luck. If you do think you've been "phished", log in to the site and change your account password ASAP!

Help others find this article at Del.icio.us, Digg, Netscape, Reddit, and Stumble Upon

Categorized: Auctions and Online Shopping (Article 5873)
Tagged: ebay, paypal, phishing
Previous: Sync Motorola RAZR V3c with Windows XP via Bluetooth?
Next: Samsung D500: how do I choose an MP3 as a ringtone?

Subscribe!

Never miss another useful Q&A article again! Subscribe to AskDaveTaylor with Google Reader.

Comments

You can also download and install the free eBay toolbar, which informs you if you're on a spoofed eBay or PayPal site, as well as other goodies such as alerts when you've been outbid, when you've won an auction, etc.

You can download it free at http://pages.ebay.com/ebay_toolbar/index.html.

Posted by: eBay Player at January 26, 2006 10:25 PM

Not to be a goog-a-phile, but with my Gmail account I can get 100 emails a day in my inbox and MAYBE 3 spam emails a WEEK. A good spam filter should make a huge difference in problems like this.

Posted by: Marshall Kirkpatrick at January 27, 2006 2:00 AM

You mention:
>Heck, the first line says "eBay sent this message!" and follows with "Your registered
>name is included to show this message originated from eBay.

But notice...your registered name is *not* shown. The Phisher doesn't know it, unless you make it public in your eBay offerings or My eBay page...which, of course, you shouldn't do.

All email from eBay will include your registered name. Any you receive without your registered name should be plonked as soon as you receive it.

**
Captain Infinity

Posted by: Captain Infinity at February 1, 2006 5:33 AM

You can also immediately forward a suspicious email to spoof@ebay.com. They usually get back to you within 24 hours to confirm whether it's legit. I get so many, that I know what to look for - which is everything already said above. But I send it to ebay anyway and then delete it. Maybe if they get overloaded they'll put more effort into this continual problem.

Posted by: Jan at March 28, 2006 9:35 AM

I received a second e-mail for an unpaid item, which was never ordered, and it reads:
"eBay Unpaid Item Reminder for Item #190010839322"
I did not open this fake e-mail. Can you report this to any authorities and eBay?

Manfred Zysk
manfred5@canby.com

Posted by: Manfred Zysk at March 23, 2007 10:33 AM

All these are totally fake ,ebay always sends a message directly to your ebay account if they want to contact you for anything.Never reply or click on any emails which are sent to your inbox.90% of them are fake i get a whole lot of emails asking me to pay for an item which i have never bought.
Also when you look at those ebay ids which they use to send it from , those id's have been hacked .
So stay away from replying to any emails other than what comes directly in your My Ebay page.

Posted by: Steve at August 1, 2008 9:07 AM

I have something to say, now that you mention it, but ...

I do have a lot to say, and questions of my own for that matter, but first I'd like to say thank you for all your efforts on this Web site by buying you a cup of coffee!

I do have a comment, now that you mention it!