I fell for a phishing email

This is embarrassing.

I fell for one of those eBay phishing scams that tries to get you to enter your account and credit card information. I always thought I was way too smart for that, but apparently I’m not. Luckily, I’m using a new enough version of Firefox that after I had only entered my username and password, it popped up a “this looks like phishing attempt” and I realized what I had done.

I immediately went to eBay and changed my password, so I’m pretty sure I’m in the clear.

For the past month or so I’ve been getting emails from eBay (the real eBay) complaining about my credit card expiring, and warning me that if I wanted to experience “uninterrupted service”, I should follow an included link to update it. The card they knew about expired at the end of April, so when a day or two after that, I got an email claiming that my account had been temporarily suspended because the card I had on file had been declined, I didn’t think very hard about it. I don’t know if the scammers just got really lucky on their timing (I almost never get these kinds of scam emails), or if there is some way they figured out that my credit card was expiring, but I’m planning to take it up with eBay.

I feel a lot more sympathy for people who end up losing big on something like this, now. I’m just really glad that it was only eBay and not, say, my bank, and that Firefox caught it in time.

Why would eBay send you any messages at all? They don’t usually do that, they just post a message on your “My eBay” page. I think all of the messages you got were phishing attempts. eBay doesn’t care about your credit card.

Yeah, I agree. You were a citadel, my man. You held out for a long time and finally displayed a chink in the armor. You patched it back up, though.

No, the other messages were legitimate. eBay always includes your real name and user name in the emails, and a line about why they do so (the phishing email included the line about including my real name, but it wasn’t actually there :smack: ). And all the links in the previous emails actually go to ebay.com, and they listed the real last four digits of my credit card on file.

Let’s analyze this a little. A company with which you regularly do business using a password already knows your password. They also already know your account number and everything else about your account. And they have your credit card information also.

So why should they ask for it by email?

Don’t feel bad. I fell for something similar (although a bit more sinister) a week or so ago. We use YahooIM at my work, and a message popped up “from” one of my co-workers with a “check this out” link. I went to the link (a geocities page), where it appeared that Yahoo was wanting me to log in to view the content. I’ve seen similar “user only” pages on things like MySpace, so I entered my Yahoo account information. The “reasoning” went like: yahoo owns geocities, they’re rolling out a new (or maybe not so new) blog service, maybe D. wanted to share.

When nothing really came up (it just redirected to yahoo’s beta 360.yahoo.com page), I talked to D (the co-worker who sent the message). He said that he hadn’t sent anything, but had clicked a similar link sent by yet another co-worker. I started smacking myself on my forehead, and went to my yahoo accounts page (directly entering the URL into my browser address bar) and changed my password. I also sent a note to abuse@yahoo.com about the phishing page.

My guess is that someone was using YahooIM to spread the phishing attempts, and as accounts were gathered, those accounts were used to spread links to the phishers page to the users’ contacts.

You’re never too experienced or savvy to catch every phishing attempt.

They didn’t, directly. The email was to let me know that my credit card was no longer valid (which was true, and the real company had warned me that it was going to happen several times recently) and said that I needed to register a new card with them by going to the website and editing my account settings.

And the first thing that I was presented with when I went to do that was the standard login screen. So I logged in. Obviously, it was a fake login screen. But except for the address bar (which I foolishly ignored), it looked exactly like the real eBay login screen.

I don’t get it. eBay shouldn’t care about your card until it’s time to pay for something.

With millions of customers and cards, there are going to be hundreds of thousands of cards expiring every month. Why would eBay tie up their servers sending and receiving data on people who aren’t buying anything? If your card’s expired, it’ll be rejected when you go to pay and then you can correct it.

I haven’t shopped at eBay for years. I think every e-mail I get about expired cards is phishing.

From eBay: My Messages is the definitive, legitimate source for any email from eBay that affects your account. The bottom line - if an email affects your eBay account, it’s in My Messages. If you get an email that looks like it’s from eBay about a problem with your account or requests personal information and it’s not in My Messages, it’s a fake email.

If none of the other messages were listed in your My Messages, they were all fake.

I just looked, silenus. The previous messages were in eBay’s My Messages. So they were legit.

I’m glad that you caught it in time and before you entered a new credit card number.

And thanks for sharing about Firefox…I didn’t know it did that.

I have also gotten messages from eBay when my card on file with them was about to expire. Those notices are legit. I sell stuff and keep a card on file so they can deduct seller’s fees.

Of course, I went to their site and updated from my eBay, not through any email. It pays to be suspicious, but in some cases the emails are real.

Although they may have been legitimate, do not assume that an E-Mail purporting to be from eBay that contains your real name is legitimate just because it uses your real name. Phishers have gotten wise to that too, and have somehow found a way to link your real name and E-Mail addresses to personalize their trawls. I’ve received them – real name and everything, but a bald-faced phishing attempt (as evidenced by the disingenuous ebay.com-phishingsite.tk subdomain-posing-as-domain crap).

The only way to be sure is to nuke it fr-- uh, that is, don’t click links in the E-Mails. Go to eBay and log in yourself and check “My Messages” by hand. If it’s legit, it’ll be there. If it isn’t there, it isn’t legit, simple as that.
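The “subdomain posing as domain” trick in the post above (a host like ebay.com-phishingsite.tk, where the part that looks like ebay.com is just a label and the real registrable domain is something else) can be checked mechanically. The following is an added example, not code from anyone in this thread or from eBay: it uses only Python’s standard library, the sample links are constructed for illustration, and the “last two labels” rule for the registrable domain is a deliberate simplification (country-code suffixes such as co.uk would need the Public Suffix List).

```python
from typing import Tuple
from urllib.parse import urlparse

# The only domain a genuine eBay link should fall under (assumption for this example).
EXPECTED_DOMAIN = "ebay.com"

# Constructed sample links (not taken from any real email). The second one
# mirrors the ebay.com-phishingsite.tk pattern described in the post above.
SAMPLE_LINKS = [
    "https://www.ebay.com/",
    "http://ebay.com-phishingsite.tk/login",
    "http://www.ebay.com.example-login.tk/signin",
    "https://ebay.com@evil.example/",          # brand name hidden in the userinfo part
    "https://evil.example/ebay/login",          # brand name only in the path
]


def check_link(url: str, expected: str = EXPECTED_DOMAIN) -> Tuple[str, str]:
    """Classify a link as 'ok', 'lookalike' or 'other', with a short reason.

    Only the hostname decides. urlparse discards the userinfo (text before '@'),
    port and path, which is what the browser address bar is actually showing.
    """
    brand = expected.split(".")[0]            # e.g. "ebay"
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").rstrip(".").lower()

    if parsed.scheme not in ("http", "https") or not host:
        return ("other", "not an http(s) link")

    # A brand name placed before '@' never reaches the server; it only fools the reader.
    if parsed.username and brand in parsed.username.lower():
        return ("lookalike", f"'{brand}' appears before '@'; real host is {host}")

    labels = host.split(".")
    if len(labels) < 2:
        return ("other", f"host {host} has no registrable domain")

    # Simplification: registrable domain = last two labels (no Public Suffix List).
    registrable = ".".join(labels[-2:])
    if registrable == expected:
        return ("ok", f"host {host} is under {expected}")
    if brand in host:
        return ("lookalike", f"host {host} contains '{brand}' but the domain is {registrable}")
    return ("other", f"host {host} is not under {expected}")


def triage(links) -> dict:
    """Map each link to its verdict so a batch of emails can be reviewed at once."""
    return {link: check_link(link) for link in links}


if __name__ == "__main__":
    for link, (verdict, reason) in triage(SAMPLE_LINKS).items():
        print(f"{verdict:9} {link}\n          {reason}")
```

The point of the two classes is that “lookalike” is the one worth escalating: it is a link that was built to read as the expected domain while resolving somewhere else, which is the whole substance of the subdomain-posing-as-domain trick. Plain “other” links may be perfectly fine, and “ok” only means the host is under the expected domain, not that the page itself is trustworthy.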

Internet Explorer 7 has a phishing filter, and it saved my ass once. I received an e-mail that was (supposedly) from the bank that issued my credit card. It said something like, “We’ve noticed suspicious activity on your account. Please log in and check to see if these transactions are valid.” It helpfully included a link, and when I clicked on the link, I got a big warning that said, “This is a reported phishing site.” Yikes! I closed the window and deleted that e-mail quick!

I’ve since gotten other versions of that e-mail, naming banks that I’ve never done business with, so the first one was probably just a lucky guess. Still, Microsoft’s phishing filter probably saved me from getting scammed.

Back when phishing was just starting to be publicized I almost got caught in a scam. I was still using AOHell, and about a month before I had a problem with my billing. So when I got what looked like a legit email from AOL billing, I thought it was legit.
When I got to the page they were asking for way more info than was necessary to fix my account.* At this point I woke up out of the fog, and got out of there quick w/o entering any info. The webpage was in Russia.
*things like all my credit card numbers, balance and open to buy, mother’s maiden name. :eek:

Timing is everything. I sent a draft document to a colleague for his comment and about half an hour later I got an email apparently “from” him with an attachment and a header saying “check this”. So without further thought I double clicked on the attachment, which a moment’s hesitation would have shown me wasn’t a further draft, and which I normally would never have clicked on. Luckily our anti-virus software saved me from my own idiocy, but it was close. Sometimes the bastards luck out on timing. Don’t feel too bad.

Well then, just as a heads-up: if you get an email from a bloke in Nigeria wanting to give you millions - it is probably a scam. :stuck_out_tongue: