We don’t normally bother posting phishing emails on here – there are so many, we could post nothing else… – but I’ve had a couple in the last day or two that have been rather better than usual.
click to embiggen
I must admit, I nearly fell for this one. It has my ID, and the corresponding email address, and it relates to an item I’m actually selling. There are plenty of giveaways: the nonsensical “from” email address, the buyer’s 0% feedback with a score of 17, and most obviously, the link that doesn’t go to an eBay address. But sellers in a hurry could quite easily click on this one, I think: worth keeping your eyes open for.
click to embiggen
This one’s rather less convincing, and if I hadn’t been having an ongoing battle with eBay France to get them to actually take some money off my new card, I probably wouldn’t have given it a second glance. But the fake eBay invoice is a new one on me, and the fact that it says your account’s in credit and you don’t need to pay anything is wrong yet pleasant – a combination that will surely get some people to click just out of curiosity.
10 Responses
Daily Telegraph today
https://www.telegraph.co.uk/finance/personalfinance/consumertips/jessicainvestigates/4680390/Jessica-gets-to-the-bottom-of-eBay-sax-scam.html
Well, I’m glad phishers are finally getting hip to customized phishing e-mail attempts. Like any e-mail campaign, personalization gets you better results. What is troubling is how these phishers were able to retrieve the result data to do the personalization. My thought is that they take over one account then use it to gather this type of data. Then they do a second round of phishing with better information. I use a form filling software (AI ROBOFORM) which never fills in my login & password on a different site, so I’ve been saved several times!
1#
£130 to ship a saxaphone????
come in a lead case did it?
I dont think you can get a Sax in a jiffy bag and send via smallpacket
I find it amazing that there are people out there that would be willing to post anything to Nigeria, never mind a £2k Saxophone.
…How could anyone fall for such an obvious scam. They do say “A fool and his money are soon parted”
I will admit I fell for a phishing scam once. It was about as brilliant as these.
Three years ago I got an email from PayPal telling me one of my credit cards had expired and I needed to update the details or they would remove it from my account (almost identical to a legitimate email I’ve seen many times). It was also true that one of my cards had recently expired so I was expecting this email. I logged into my account but realized I didn’t know the new expiration date or something. Then it donned on me to check the link like I do with all the other emails. South Africa.
I tried logging back in but I was shut out. I assume it was an automated system that changes the password within seconds or minutes so they can drain it later. Fortunately I have six other email addresses associated with the account and they didn’t get the primary address. I logged in with the primary and reset the password on my compromised email. Nothing had been changed and no hacks since.
I also received your first phishing email but that was also three years ago. It had an actual item I was selling and everything but went to a non-eBay address. I did tell them what a great job they did at looking legitimate in their login form. The part that tipped me off is that it went to my PayPal address, not my eBay address.
If anyone is curious on how to get any seller’s PayPal address all you need is a developer’s account with eBay and a known completed listing of the seller.
re #6
If anyone is curious on how to get any seller’s PayPal address all you need is a developer’s account with eBay and a known completed listing of the seller
I think you will find you will also need a TPA for the seller ID used ?
I’m all for phishing, darwinism in action lots of my competitors will fall for it.
More seriously, unless you a internet virgin I don’t see how you can fall for a phishing scam these days, no matter how good it looks, never follow links from your email client, always use a separate browser, preferable sandboxed and cleared daily.
I would point out that the nonsensical looking 0.0% (17) feedback score is now perfectly possible on eBay, since they only use 12 months of data to compute the percentage, but keep the lifetime totals of feedbacks.
@ # 7
I’m not sure what you mean by TPA but if you are referring to the authorization token that a user must generate, I don’t need theirs. For instance I’m able to confirm that the address Sue received that first phishing email is her PayPal address. I can also confirm it is her eBay address as well. Yet she has never signed up for or authorized any of my services.
Chris does exactly the same thing having his eBay and PayPal addresses the same.
The eBay API gives people way too much information in my opinion. Hope I’m not giving too much information as well.