I’ve been trying to sell my Samsung S3 on eBay since I now have a company phone (an S4 Yay!). The first time I listed it the high bidder said that they ‘bid on accident’. So I re-listed it. Nobody bid on it the second time but I had a guy contact me after the auction was over saying he wanted to bid but missed the deadline. Determined to sell this thing before it’s worthless I listed it a third time for $50 less. There was a lot of interest in it and I was pleased yesterday when it sold for $300.
Immediately after the auction I get a message from the high-bidder via eBay messaging saying they had a few questions for me and could I send them my phone number. They helpfully provided their email address and mailing address in Indiana in the eBay message. I simply send them the invoice via the normal eBay channels. They send me another message via eBay asking me how much they owed and that they needed my phone number to confirm in Paypal that they were paying the correct person. I just send them the invoice again. Then in the middle of the night another plea for my phone number and the amount that they owe.
So this morning I make a mistake. Thinking this is someone’s Grandpa that doesn’t know how to use eBay I go to my copy of the invoice in my email and forward it to the email address they provided stating just click on this button and send me money via Paypal. Now they have my email address. Almost immediately I get an email from Paypal stating this person has sent me a payment but the money will not be in my Paypal account until I provide them a tracking number for the package. In the message it states that I’m to send the package to a Nigerian address and they are paying me an extra $100 for this change in shipping. Then I get a message on eBay from the customer telling me a story about their boss being in Nigeria and would I please overnight this phone to the boss there. Irritated and in a rush to get to work I login to eBay and message the person saying ‘Sorry I’m not sending this phone to Nigeria.’
I get a couple more emails while at work. One from eBay stating that my account is going to be suspended if I don’t immediately ship this phone. Another from Paypal stating basically the same thing. I read and ignore them. Then another message from this person pleading for my phone number. I take a brief break for lunch and I start looking more closely at these emails. I realize quickly they aren’t from Paypal or eBay. They are very good phishing emails. They are professional looking but the grammar is not right. The From address isn’t @ebay.com or @paypal.com. When I look at the headers for the email I see they were sent from a Gmail account. Of course not the Yahoo account that my ‘customer’ had provided me.
I’m fascinated. I’ve never been sent real phishing emails before. I’m preparing security awareness training at work and these are good examples for my students. I study them and wonder why someone so skilled didn’t spoof the From email address. I login to eBay and type a message to my ‘customer’:
Dear (with the Gmail address from the email header):
Stop trying to scam me. Stop sending me fake emails from eBay and Paypal. I will not be sending you any phone. Find an old lady to rip off instead.
Your Worst Nightmare
I pause and then I delete it. No need to make this scammer angry or send them a challenge. Whoever it is does have my email address, which will lead them to some personal information on the Internet. Instead I file a complaint with eBay. It’s less satisfying; I will never know the result. I offer to send them the phishing emails but know I’ll never hear anything and will be lucky if someone even reads my complaint.
So beware. This could have ended with me sending this expensive phone off to Nigeria and never receiving a penny for it. eBay and Paypal are great resources for buying, selling and moving money around, but be careful. Set up a separate email account for your eBay transactions from the one tied to your Paypal account. Use the messaging tools within eBay and Paypal rather than your own email when dealing with strangers; that way a stranger never learns an address they can send phishing to. Use strong passwords for both accounts, and don’t reuse a password between them even if the email addresses are different. Treat eight characters with upper AND lower case letters, at least one number and one special character as the bare minimum; length does more for you than symbol juggling, so a longer passphrase is better still. I know this makes them hard to remember. You can build a password from an acronym, keep them in a password manager or on an encrypted device such as an Ironkey, or, at home where you have a safe place for it, write them down on a piece of paper (don’t do this at work!). And maybe most importantly, don’t let someone in cyberspace bully you around. Urgency and threats of suspension are the scammer’s tools, not how a real support team talks. Use your common sense, and use the contact tools inside the eBay and Paypal sites to reach their support teams if something doesn’t seem right.
If you aren’t sure whether an email is real, always look at the headers. The headers are the lines your mail client normally hides. The Received lines record the trail the message took across the Internet, the Return-Path shows where bounces go, and the Reply-To shows the address that will actually get any reply you send, which is not necessarily the one in the From line you can see. A From address that isn’t @ebay.com or @paypal.com settles the question on its own, but the reverse is not proof of anything: a From address can be forged, so also check whether the Authentication-Results line (the SPF/DKIM result your provider adds) vouches for the brand’s own domain rather than some free webmail domain, and whether the first Received hop belongs to the brand. How to find the headers depends on your email provider; a quick web search will tell you how to show them in the client or web mail service you use. Avoid clicking on anything in an unsolicited email. And grammar counts! If it reads as though it was written by someone for whom English is a second language, it probably was. You can bet that eBay and Paypal have the resources to get their grammar right when they contact you, though a well-written email is not on its own a guarantee.
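To make the header checks above mechanical, here is an added Python example (not code from the original post). It parses a block of raw headers and lists the mismatches that gave this scam away: a display name that name-drops eBay while the address, Return-Path and first Received hop are all free webmail, a Reply-To pointing somewhere else again, and an SPF/DKIM pass that only vouches for gmail.com. Both header blocks are constructed test data modelled on the scenario, not the actual messages, and the list of "claimed" brand domains is an assumption for the example.

```python
"""Flag header mismatches that commonly indicate a phishing email.

Added example; not code from the original post. The header blocks below are
constructed test data modelled on the scenario described (a fake account
suspension notice sent from a free webmail account), not the real messages.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample 1: the "suspension" phish. The visible From name-drops
# eBay, but the address, Return-Path and first Received hop are all Gmail,
# and the Reply-To points at yet another free webmail account.
PHISH_HEADERS = """\
Return-Path: <seller.support.team@gmail.com>
Received: from mail-ob0-f178.google.com (mail-ob0-f178.google.com [209.85.214.178])
        by mx.example.net with ESMTPS id abc123
        for <victim@example.net>; Mon, 12 Aug 2013 14:02:11 -0700 (PDT)
Received: by mail-ob0-f178.google.com with SMTP id wn1so1234567obc.29
        for <victim@example.net>; Mon, 12 Aug 2013 14:02:10 -0700 (PDT)
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com
From: "eBay Customer Support" <seller.support.team@gmail.com>
Reply-To: ebay-resolution-center@yahoo.com
To: victim@example.net
Subject: Your account will be suspended - ship the item immediately
Date: Mon, 12 Aug 2013 14:02:09 -0700

"""

# Constructed sample 2: what a genuine notice's headers should look like.
LEGIT_HEADERS = """\
Return-Path: <bounce@ebay.com>
Received: from mx1.ebay.com (mx1.ebay.com [203.0.113.10])
        by mx.example.net with ESMTPS id def456
        for <victim@example.net>; Mon, 12 Aug 2013 15:00:00 -0700 (PDT)
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=ebay.com; dkim=pass header.d=ebay.com
From: eBay <ebay@ebay.com>
To: victim@example.net
Subject: Your item sold
Date: Mon, 12 Aug 2013 15:00:00 -0700

"""


def _domain(addr):
    """Lower-cased domain part of an address header value, or '' if none."""
    return parseaddr(str(addr or ""))[1].rpartition("@")[2].lower()


def _same_org(host, base):
    """True if host is base or a subdomain of it (no public-suffix logic)."""
    return host == base or host.endswith("." + base)


def _first_hop_host(received):
    """Hostname in the 'from' clause of the earliest Received line, or ''.

    Each relay prepends its own Received line, so the bottom one is the hop
    nearest the sender. Gmail's internal 'by ...' lines have no 'from'
    clause and are skipped.
    """
    for hop in reversed(received):
        m = re.match(r"from\s+([\w.-]+)", str(hop), re.I)
        if m:
            return m.group(1).lower()
    return ""


def analyze_headers(raw, claimed_domains=("ebay.com", "paypal.com")):
    """Return findings for a block of raw RFC 5322 headers.

    claimed_domains are the domains a genuine message of this kind would come
    from (an assumption for this example). Every item in 'warnings' is a
    reason to distrust the message, not proof on its own; legitimate mail is
    sometimes relayed through third-party senders.
    """
    msg = Parser(policy=policy.default).parsestr(raw, headersonly=True)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = _domain(msg.get("Reply-To", ""))
    return_domain = _domain(msg.get("Return-Path", ""))
    hop_host = _first_hop_host(msg.get_all("Received", []))
    auth = str(msg.get("Authentication-Results", ""))
    warnings = []

    # 1. Brand in the display name, address somewhere else entirely.
    for brand in claimed_domains:
        token = brand.split(".")[0]
        if token in display_name.lower() and not _same_org(from_domain, brand):
            warnings.append(f"display name mentions {token!r} but From is @{from_domain}")
    # 2. Replies silently go to a different mailbox than the visible sender.
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To @{reply_domain} differs from From @{from_domain}")
    # 3. Bounces go to a different domain than the visible sender.
    if return_domain and return_domain != from_domain:
        warnings.append(f"Return-Path @{return_domain} differs from From @{from_domain}")
    # 4. The server nearest the sender is not the brand's.
    if hop_host and not any(_same_org(hop_host, b) for b in claimed_domains):
        warnings.append(f"first hop {hop_host} is not a {'/'.join(claimed_domains)} server")
    # 5. An SPF/DKIM 'pass' only vouches for the domain named in the result.
    m = re.search(r"dkim=pass\s+header\.d=([\w.-]+)", auth)
    if m and not any(_same_org(m.group(1).lower(), b) for b in claimed_domains):
        warnings.append(f"DKIM passes for {m.group(1)}, not for a claimed domain")

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "return_path_domain": return_domain,
        "first_hop": hop_host,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_HEADERS), ("legit", LEGIT_HEADERS)):
        result = analyze_headers(raw)
        print(f"{label}: {len(result['warnings'])} warning(s)")
        for w in result["warnings"]:
            print("  -", w)
```

Run against the constructed phish it reports four warnings (brand name versus Gmail address, Reply-To at Yahoo, first hop at Google, DKIM passing only for gmail.com); the constructed genuine notice produces none. Paste the headers your own mail client shows into a file and feed that string to analyze_headers to get the same checklist for a real message.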
Phishing email I received after I foolishly emailed this person instead of using the eBay messaging system.
The header from the suspension email above. This is with Gmail web mail.
Time to get a new email address. My penance for foolishly sending an email to a cyber stranger.