As covered in Part I, eBay's success makes it a huge bull's-eye in cyberspace. This grim reality can be countered and the threat defused with common sense precautions and modest effort.
Phishing in eBay's Ocean
The first and surest rule of self-preservation on eBay, and its related sites, is to never click on a hyperlink in an eBay or PayPal e-mail. Once you do this with a spoof mail, the hijacker can, at the very least, harvest your e-mail address. If you fill in the fields requesting passwords and other sensitive data on a fraudulent Web site, your account, and possibly your identity, may be hijacked. If eBay and PayPal did not use hyperlinks in their legitimate e-mails, this would not pose much of a problem, but they do, and they are not likely to stop the practice.
The majority of eBay and PayPal e-mails are promotional pitches. But some of these offer "discount days" for listings and other features that are useful to sellers, as well as important communications such as fraud alerts, changes in policy or personal account issues that must be addressed.
A safe alternative for people with spam-filtering or account problems, or who simply want to read all eBay missives, is to log into eBay via the "My eBay" link at the top of the site map or any auction page. Selecting the "My Messages" link on the left sidebar leads to all legitimate e-mails sent by eBay. The messages can be deleted so you can clean out the inbox. While this process does not offer the instant gratification of clicking on a link, it is the safest means of reading everything eBay has to say to you.
If you wish to live dangerously, or you can't control your curiosity, eBay now offers Windows users a free toolbar that flashes a warning when it believes a browser is pointed towards a fraudulent Web site. Named "Web Caller ID," the utility uses a behavioral detection mode that checks Web sites for long or convoluted URLs or recently registered domains. When catching a spoof site, the tool blocks a user's browser from the site.
To download the toolbar, go to the "Services" link at the top of any eBay auction page and scroll down in "Tools" to "eBay Downloads." The toolbar also links your desktop to the eBay site and can be used for searches on the site.
PayPal Issues for Buyers & Sellers
At this point, PayPal phishing attempts are nearly as prevalent as those targeting eBayers, but given that PayPal accounts are frequently linked to bank accounts, the stakes can be higher.
A hijacked PayPal account can make your money or goods disappear instantly, with little to no chance of recovery. PayPal does offer up to a $500 fraud refund to "qualified buyers," but the proverbial ounce of prevention can save you from this unpleasant experience.
PayPal's "Fraud Prevention Tips," along with a healthy dose of good sense, dictate several precautions before paying anyone through the service:
- Check the seller's feedback. If the seller has a history of negative feedbacks, think twice before placing a bid. Use extra caution if the seller is new, with few feedbacks.
- Make certain the seller is a "Verified" member of PayPal and has been a PayPal member for at least several months. To check a seller's status, go to the "Send Money" tab and start a payment to the seller. On the "Check the details of your payment" page, before the payment is sent, click on the seller's reputation link, for instance, "Verified Premier Member." Click on the link to find more information on the seller's current membership status.
- Do not send PayPal payment to any seller who claims to be "having problems." Avoid anyone who claims their PayPal account is not working and wants you to send payment through "a friend's" PayPal account or via an alternate form of payment, such as Western Union or electronic funds transfer through a bank. Do not complete the transaction; instead, report the seller to eBay as a "Non-Selling Seller."
- Do not pay sellers with greatly delayed shipment dates. PayPal rules prohibit sellers from shipping 20 or more days after receiving payment. In fact, if a shipment is to be delayed more than a week after payment is received, the seller should have a very good reason; otherwise, be suspicious.
- If it seems too good to be true, it probably is. Be wary of sellers who offer far below market prices on hard-to-find items, or who seem to have many of the same scarce items.
- Use extra caution on high-ticket, popular items. These are the favorites of scammers.
- When in doubt, send an e-mail. In any dubious situation, it is wise to e-mail questions to a seller before placing a bid, particularly regarding payment and shipment terms. If a seller is offering multiples of popular or difficult-to-find items, ask for, and check the legitimacy of, his supplier. If the seller says, "No way, scram," do just that.
The Mutating Phish
Phishes are mutating germs, quick to adapt to preventive measures. Rather than account suspension threats, some recent phishes use warnings. A spoof e-mail I received in early April mimics a legitimate PayPal security e-mail but with this header: "You have added a new e-mail address to your PayPal account." The e-mail text continues, "if you did not authorize this change contact PayPal Customer Service at..." There follows a hyperlink only slightly dissimilar from the legitimate PayPal security link, and the e-mail further advises, "NEVER give your password to anyone. ONLY Log in securely at " A second fraudulent hyperlink follows, again only slightly dissimilar to the real PayPal link.
As with eBay, the only sure way to bulletproof yourself is to never click on a hyperlink in a PayPal e-mail. Instead, open a new browser and type in the PayPal URL or use your Favorites to access the site.
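The "only slightly dissimilar" links described above can be caught mechanically, for example in a mail filter, by comparing each link's hostname against the real sites. The following is an added example, not part of the original article; the trusted-domain list, the distance thresholds and the sample message (with placeholder `.example` hosts) are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("paypal.com", "ebay.com")  # assumption: the sites this filter protects

def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return 'trusted', 'lookalike' or 'other' for a link's hostname."""
    host = (host or "").lower().rstrip(".")
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    # Compare whole labels and their hyphen-separated parts with each brand name.
    tokens = set(host.split(".")) | set(re.split(r"[.-]", host))
    for t in TRUSTED:
        brand = t.split(".")[0]
        limit = 1 if len(brand) <= 4 else 2  # short names collide easily
        if any(edit_distance(tok, brand) <= limit for tok in tokens):
            return "lookalike"
    return "other"

class HostCollector(HTMLParser):  # gathers the hostname behind every <a href>
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hosts.append(urlsplit(dict(attrs).get("href") or "").hostname or "")

def audit_links(html):
    """Return (hostname, verdict) for each link in an HTML mail body."""
    collector = HostCollector()
    collector.feed(html)
    return [(h, classify_host(h)) for h in collector.hosts]

# Constructed sample modelled on the spoof described above.
SAMPLE = """<p>You have added a new e-mail address to your PayPal account.</p>
<a href="http://www.paypa1.example/cs">Customer Service</a>
<a href="http://paypal.com.login.example/">Log in securely</a>
<a href="https://www.paypal.com/">PayPal</a>"""
```

Calling `audit_links(SAMPLE)` marks the first two links as lookalikes and only the third as trusted; a "lookalike" verdict is a reason to quarantine the message, not proof of fraud.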
A more direct threat to eBay sellers comes from thieves who pay for goods with hijacked PayPal accounts. A first precaution is to double-check PayPal e-mail payment notifications on the PayPal site, particularly with buyers who show few eBay feedbacks. Then check the buyer's PayPal registration history and status. If anything appears amiss, contact PayPal. This is not foolproof, as the victim may not yet know their account has been hijacked, but it is a viable first line of defense.
Most Wi-Fi or wireless Internet connection problems stem from errors of omission. Nearly all Wi-Fi routers come with security features that change the system's default settings, conceal the connection from others, require passwords for network access and encrypt the data sent over it. The problem is that many Wi-Fi users fail to secure the system with these features.
"To some degree, most consumers are intimidated by the technology," claims Roberta Wiggins, a wireless analyst at the Yankee Group, a technology research firm.
SBC, the top provider of digital subscriber line (DSL) connections, sends out its routers with encryption turned on by default. But SBC accounts for only about 10 percent of routers in use; most other users must secure their own systems. Failure to do so allows anyone with a Wi-Fi-enabled computer to tap into an unsuspecting user's base station from within 200 feet, and, with advanced antennas, up to a quarter-mile away. It is wise to work through the procedures necessary to activate a Wi-Fi system's security features before using it.
Even with a secured home system, there are Wi-Fi perils on the road. Wi-Fi connections are widely offered in coffee shops across the nation. Large national chains such as Starbucks take steps to protect their networks, but smaller coffee shops often leave their connections wide open. It is best to enquire about security before using a Wi-Fi connection in a retail store or hotel. Also, use caution at institutions such as college campuses or any location that does not monitor users.
The Escrow Trap
EBay recommends that you use an escrow service for all purchases above $500. Buyers seldom ask sellers with good feedback for an escrow transaction, even into four-figure purchases. But if you are purchasing a vehicle or any other high-ticket item, particularly from a seller with limited feedback, you may want to consider escrow.
The way escrow works is the buyer deposits money in an escrow account and only then does the seller ship the item. The money is not released until the buyer receives, and is satisfied with, the item.
For domestic trades, eBay approves Escrow.com, a licensed, audited escrow company incorporated in California, plus four other international services listed on its site. Stick to these companies when using escrow on eBay. Using an escrow service recommended by the seller is asking for trouble.
According to a CBS News report, more than 500 fraudulent escrow service sites have been identified in the past year, with more added daily. EscrowFraud.com, a site maintained by a former victim of eBay fraud, keeps a current list of phony escrow sites and other useful online security information. It maintains that 99 percent of all escrow services, especially those recommended by others, are frauds.
If you feel you must use an off-eBay escrow service, Tara Flynn of the Federal Trade Commission makes these common sense recommendations:
- Determine that the service is bonded and licensed by a state.
- Make certain there's a customer service phone number; call the number to make certain that someone answers and that they can supply verifiable information regarding their location, business practices and policies.
- Never pay for an auction purchase with cash. If the seller demands cash payment, turn away from the deal and don't look back.
- Never pay for any auction purchases with Western Union cash transfers. Your money will vanish, the thief untraceable.
- Never send payment into E-Gold, or E-Bullion Networks, or Evo-Cash or 'E-dinar' type international currency transfers.
- Never make a wire transfer from your bank account to what you think, but cannot verify, to be the account of a legitimate escrow service.
- If your eBay, or any auction site, user ID is your e-mail address, change it. Hijackers use robots to search auction sites for e-mail addresses to 'scam and spam.'
- Be wary of auctions that require "bidder pre-approval." A note at the top of the auction will read, "This auction is restricted to pre-approved bidders or buyers only. E-mail the seller to be put on the pre-approved bidder buyer list." All too often, this is a ploy to get the potential victim out of the eBay system where they are advised to pay by Western Union or a bogus escrow service.
An Ounce of Prevention
If you store sensitive data on your computer or conduct commerce of any kind on the Internet, you should protect your computers with a firewall to block intruders.
This holds doubly true for broadband users: their PCs are constantly online, and thus vulnerable to intrusion by hijackers. The major anti-virus software companies such as Symantec and McAfee offer a firewall with their security software. Also, companies such as Zone Labs offer downloadable firewalls as freeware for personal use and for a small fee for businesses.
Many large Web sites place tracking cookies or spyware in the registry and files of visitors' PCs in order to monitor and harvest a user's surfing and buying patterns, information that is often sold to interested parties.
Thieves and malicious hackers do the same for more nefarious reasons. Recently, a few hijackers have been loading keystroke-logging programs onto the PCs of visitors to their fraudulent Web sites in an attempt to catch bank account numbers and other sensitive data.
It is advisable to download software that can find and root these cookies out of your computer, if not for privacy's sake, then for security's. AdAware by Lavasoft, Microsoft's AntiSpyware and other free, downloadable spyware detection and removal utilities can handle this task.
As covered in Part I, during an auction or following a purchase, thieves frequently send generic e-mails to the prospective victim recommending an escrow service they "use all the time." The logos are mirror copies from legitimate sites; the copyright dates back four or five years; there are links to the FBI and other agencies. Everything looks spiffy and legitimate. Nevertheless, the chances are high that your money will vanish into a bank in Montana or Montenegro, disappearing forever.
Be aware that thieves frequently target under-bidders, usually with private e-mail rather than through eBay's "Second Chance Offer" system. This is to get the potential victim off of eBay where they can be more easily snared into a phony escrow or other scam.
Where Are the Hijackers?
Thieves, like horse manure in 1900, are everywhere and anywhere. The majority lurks in the United States and Canada, but disproportionate numbers of phishes and hijacking attempts are traced to Eastern Europe, with Romania being a hotbed, followed by the Ukraine and Russia, according to Internet security groups.
Western Europe is hardly trouble free; other sources of fraud activity are the United Kingdom, Italy, Spain, Germany, Austria, the Netherlands and Greece. Scammers from Asia and Africa also contribute to the mix. Of course, the vast majority of eBay buyers and sellers from international locations are legitimate, but an inappropriate communication from overseas, which is much more difficult to trace, should bear special scrutiny.
Dangerous Payment Methods
Phishers, escrow fraud artists and general Internet hijackers try to herd buyers into several payment methods, all of which you should avoid:
If You Have Been Victimized
If you have fallen victim to identity theft scams, including those involving credit cards, bank account numbers as well as eBay and PayPal account hijacking, there are several nonprofit organizations that offer advice and counseling. Two of the largest are The Privacy Rights Clearinghouse and the Identity Theft Resource Center, both located in San Diego.
Further, the FTC recommends that victims contact the police as well as the fraud departments at any one of the three major credit bureaus (Equifax, TransUnion or Experian) to place a fraud alert on their files. Monitor your credit rating regularly for at least a year.
The above remedies should not be necessary for those eBayers who exercise the proverbial "ounce of prevention." To do so should keep your eBay experience profitable and fun.