Monday, February 05, 2007

On Getting Scammed

I Got Snagged By a Phishing or Spoof Fraud

Last evening, I read an article from the Times Free Press on “phishing” fraud on the Internet. This wasn’t news to me. I had read about it before and thought I was aware enough so that I would readily spot it if I encountered it, just as I daily recognize “419 scams.” Dutifully, I warned my wife to be alert to such scams because I always am concerned about her fiscal irresponsibility. (Though, in truth, she stays on top of a lot more financial detail than I do. I marvel that she keeps sane as she juggles so many creditors with so little money.) She reassured me that she was always careful to not give out any account numbers or passwords online.

Then my mind wandered to an email that I had received a couple weeks ago from eBay. After a long time wanting to start selling items online through the world’s largest marketplace, I had finally made the leap. I had several auctions going, with a bidder on one, when I received an email alerting me that my selling privileges had been suspended because the credit card account I had registered had been declined.

This played right into the timing and concerns I had about selling online. Though I had sold books through Half.com, eBay’s lesser child, things are done differently on eBay. Plus, I had changed bank and credit card accounts along the way, and wasn’t sure just what information eBay had on file. I had seen some admonition to set up my seller’s account, but hadn’t bothered because my Half.com experience had been successful and I had been an eBay buyer for some time before and since the changes.

Now I had active auctions with interested bidders, and eBay was suspending my privileges. I panicked and responded immediately to keep my auctions going. Following the link in the email to a page that was clearly in the eBay website, I entered my current credit card information. Quickly, I went to the auctions to make sure they were still active. Relief! They were okay. I relaxed and forgot the incident—until I read the article and noted the similarity in the modus of the scam.

I went to my email to check if it had originated with a legitimate eBay address. It seemed to, except that I had no other email from eBay Billing Department. And the address was a little strange, with numbers in it. In this day of .asp, “This email is an automated response. Do not respond to this address.” and endless, senseless web jargon in URLs, it wasn’t unthinkable that the address would have numbers in it.

I had learned in an earlier complaint to Yahoo! about a “419 scam” that originated from one of their addresses, that I had to use long headers to identify the source of an email. There I noticed that eBay had been misspelled in a reply-to address as “ebey.” Was that a trick of the cons to imitate a legitimate address, or was it simply the careless mis-stroke of an eBay representative?

I followed one of the email’s own links to eBay on how to protect myself from email “spoofs” and researched what eBay had to say about it. “Spoofing” and “phishing” are such innocuous-sounding words that they actually seem relatively harmless. It was significant to me though that eBay stated that any email they sent would be mirrored in My Messages at the eBay website. I didn’t recall having ever seen that message. To be sure, I went to look. But then I realized that I could have deleted it by now, though again, I didn’t recall doing so.

A knot had formed in my stomach by now. I felt pretty sure that I had been conned. I went to my bank website and pulled up the account activity. No sign of fraudulent activity, except for one unknown transaction of just $27. The newspaper article had stated that once the cons had your account information, they usually strike quickly. This was two weeks since the email, and the amount was small. Certainly not a quick strike. Perhaps they had tried large amounts and had been declined since I had almost nothing in the account anyhow. Perhaps now they were just dribbling it out, $27 at a time hoping that nobody would notice. Or perhaps they were just biding their time because they had so many from the scam that they hadn’t even gotten around to mine yet.

It was late Sunday night, so I forwarded the potentially fraudulent email with its long header to eBay asking them to confirm or deny its legitimacy. Then I fired off an email to my bank warning them of the potential for fraudulent activity—and promising that I would be there to talk with them in the morning. I printed out copies of the email and related web pages to document the legitimate appearance of the scam. I showed the pages to my wife and related what I suspected as I turned in for the night.

This morning, I rushed out to take her to work and meet with the bank. Armed with the pages, I explained what had happened. They had never heard of “phishing” or “spoofing.” The $27 charge turned out to be legitimate. They asked what I wanted to do. “Hold off canceling and re-issuing my card until I hear from eBay,” I instructed. The bank worker gave me her card and wished me well.

When I returned to the office, eBay had already investigated and responded. My suspicions were confirmed. The email was indeed fraudulent, and the appropriate authorities had been contacted. No regrets were expressed, only admonition to be careful—and more instructions on spotting fraud. I called the bank and canceled the card.

While I wait the two weeks for a new card, I have plenty of time to reflect on how good criminals have gotten at counterfeiting legitimate commerce. These are not the clumsy letters from Ethiopia that play on people’s greed as in “419 scams.” These are very legitimate-looking communications intelligently timed to coincide with legitimate commerce, even using authentic eBay addresses for email and websites. The graphics are eBay. The links are eBay. Everything looks and feels like the real thing. Only the credit card information is linked to the criminal endeavor. You think that you will spot a fraud when you encounter it. So did I.
