EcommerceBytes-Update, Number 104 - October 05, 2003 - ISSN 1528-6703     4 of 8

Auction Users: Beware Hoax Emails

By Ina & David Steiner


A sure sign of the holiday shopping season is the recent surge in spoof and scam emails. It's disturbing to think that this is one of the barometers we use, but since the beginning of September, we've noticed a significant increase in hoax emails being reported to AuctionBytes.

Scammers commonly disguise emails to look as though they are coming from eBay and PayPal, attempting to trick users into revealing password, banking and credit card information. Recently, ecommerce firms and financial institutions have also become targets. And MSNBC reported Friday on a hoax email disguised as a warning from the FBI.

Perpetrators of hoax email attempt to lure recipients into clicking on a link embedded in the email directing them to a "spoof" log-in page, set up to look just like eBay or PayPal. The user unwittingly logs into the fake site with their user name and password and enters private information that is harvested by the scammers.

Some hoax emails are easy to spot - bad grammar gives them away:

Dear PayPal user!
At 09.27.2003 our company has lost a number of accounts in the system during the database maintenance.

Or this one:

Subj: Your acount will be dezactivated
From: (
Reply-to: (

Although you can get a good chuckle out of the more feeble attempts to gain your personal information, many scam emails are very sophisticated and extremely difficult to tell apart from the "real" notifications.

Types of messages
Sometimes the message sounds plausible, such as asking a user to update their eBay account information because of a security breach or because they acquired PayPal. Many times they use a sense of urgency to get you to respond right away, before you have time to think about it being a possible scam.

"We acquired another service, please log in and update your account information."

"We had a security breach, we will shut down your account if you don't immediately verify your account information, click on the link below."

"You will get a reward of 30% off service fees in recognition of earning a star, click here." (For eBay users, referring to feedback stars.)

"We regret to inform you that your eBay account will be suspended if you don't resolve your problems."

"Please download this security patch." (Usually posing as Microsoft.)

Here's one that's quite convincing:

"We regret to inform you that your eBay account has been suspended due to concerns we have for the safety and integrity of the eBay community.

Per the User Agreement, Section 9, we may immediately issue a warning, temporarily suspend, indefinitely suspend or terminate your membership and refuse to provide our services to you if we believe that your actions may cause financial loss or legal liability for you, our users or us. We may also take these actions if we are unable to verify or authenticate any information you provide to us.

Please note that any seller fees due to eBay will immediately become due and payable. eBay will charge any amounts you have not previously disputed to the billing method currently on file.

To activate your suspended eBay account please complete the form located at..."

Online payment services, banks, auction sites and ecommerce sites have all been targeted. Expect any company you do business with to become a possible target of a hoax email attack.

Some Organizations that Have Been Targeted
Various Internet Service Providers

What to Do
eBay has recently changed their warning from "We will never ask for personal information in an email" to "An authentic eBay email should include customer account number, customer name, first four digits of customer's credit card number, expiration date, personalized greeting."

We feel that it's best never to click on a link in an email to log in to an account - PERIOD. Always go to your Web browser, type in the URL of the site and log in as you normally would. Once you are logged in, go to your account information and update it from there.

On October 1, eBay announced that they had set up a Spoof Email Protection Tutorial on their site. The illustrated tutorial teaches users how to spot a spoof email and fake Web site, as well as steps for protecting accounts and personal information.

Don't think that you are immune just because you have been on the Internet for a long time; some very smart people have been tricked into giving out personal credit information as a result of these hoax emails!

For more information, an FTC Consumer Alert, "How Not to Get Hooked by a "Phishing" Scam," is found online at

About the author:

Ina and David Steiner are publishers of and have been writing about ecommerce since 1999.

You may quote up to 50 words of any article on the condition that you attribute the article to and either link to the original article or to
All other use is prohibited.