I buy and sell on eBay quite a bit, so it’s really a pain to worry about possible phishing attempts from delinquents trying to get me to reveal my eBay account and password. How do I easily ascertain if a specific message is from eBay or a phisher?
This is a perennial problem, and one that I still think the email tool vendors haven’t really stepped up and really tried to solve yet. And I’m sure that hundreds of people every day are tricked by these phishing messages – email that appears to be from a known organization but actually leads to a fake site that is intended to just harvest login data – and get into trouble without ever realizing what happened.
Here’s a fake eBay email message that I just got this afternoon:
It certainly looks legitimate enough, and if you click on some of the links in the “small print” at the bottom of the message, they will sure enough take you to the eBay site. Even if you crack the message open and view the source, the images are coming from eBay servers, and the sender address is firstname.lastname@example.org, which seems legitimate enough, doesn’t it?
Heck, the first line says “eBay sent this message!” and follows with “Your registered name is included to show this message originated from eBay. Learn more”!
The first obvious problem with this message, though, is that I’ve never submitted a bid on the specific item being referenced, the “TOSHIBA RD-XS54 DVD Recorder w 250 gig hard drive”, so rather than think “oh, I better answer!” I know to toss this message out.
The more critical way to see that it’s phishing is to put your cursor over the “respond now” button and look on the edge of your email window. Good email programs will actually indicate on the window frame what address they’d take you to if you click on the link. I use Microsoft Entourage and here’s what it shows on the edge:
Clearly eBay isn’t going to be sending me to a server called oneota.net so that’s a flashing red klaxon that this message is completely bogus.
But let’s say that I didn’t realize that, or my email program didn’t show me the URL of a clickable link, and I clicked on the link.
First off, I might then suddenly get to a site that tries to install spyware or other bad things on my computer, but hopefully my Web browser or other antivirus / antispyware application would prevent that from happening. More likely, I’d end up looking at a page that looks completely identical to a legit eBay login page:
Looks quite legitimate, doesn’t it? But again, there’s a problem. If I go to the real eBay site, it remembers my login account name and this is blank. I might miss that, though, so here’s a trick to avoiding any phishing scam, however sophisticated it may be:
Test the login page with a fake account and password pair.
Here I’ll invent an account and password that I’d never use (my temptation is to use obscenities so that the phisher will have a bit of feedback on his attempt to defraud me, but that’s another story!).
This phishing attempt is quite sophisticated, though, because I try the bogus account / password pair and it actually logs the information and hands it off to eBay itself. All of a sudden, I’m getting an error message that:
Your sign in information is not valid. Please try again.
but this time the URL in my browser’s address bar shows me that I’m actually at https://signin.ebay.com/ rather than the oneota.net address.
Now I can safely log in if I think that the phishing query is legitimate, since I’m now legitimately on eBay (be careful with this sort of thing too, because I could register a domain like “signin-ebay.com” and a quick glance might well suggest it’s legit).
But really, the best advice I can give you is to be skeptical and a bit less lazy. Every time you get email from a service, be it eBay, Paypal, your local bank, the Social Security Administration or whathaveyou, don’t click on its “login” button, but just type in the URL of the site in your browser and log in from there instead.
I really wish this wasn’t an issue, and I hate the waves of phishing email I get because they, of course, clutter up my mailbox and make it easier that I might accidentally delete a legitimate query or request for updating my data. But precious few organizations now send email asking for you to log in with clickable links at this point, and that’s a good clue regarding how you can avoid problems.
Good luck. If you do think you’ve been “phished”, log in to the site and change your account password ASAP!