Online Identity Theft

Phishing Email Scams

by Mat Bright
founder of

Theft of internet users' identities through spoof email and spoof web pages is a growing internet fraud crime now commonly known as Phishing. Read through this article and become aware of what is going on and how to protect yourself.


Sponsored by Everyman Hosting
UK Web Hosting



If its not a chance to win a new car, its a notification of 'system maintenance' or 'account verification'. The problem is, that none of them are likely to have actually come from eBay or Paypal. They are simply 'spoof emails' which are aimed at convincing us to give up our login and/or credit card information. The really worrying part of the whole thing is that they look so convincing, and some people are falling prey.

Spoof email (and the spoof web page that they sometimes refer you to) are nothing new; its the content that changes frequently and convinces many to part with their critical information. There are two kinds of victim, those who have had their identity stolen in this way, and those who have lost out to a stolen identity.


What is a Spoof Email and Spoof Web Page?

Quite simply, a spoof email is one which has been doctored to look as though it has come from a particular sender (such as eBay or Paypal), when in reality it has come from someone completely different. A spoof web page is one which includes text and graphics stolen from the genuine web site (such as eBay or Paypal). Since the spoof email refers you to the spoof web page, we'll look at those emails first...

When you look at the email in your inbox, or when you open it; it will show the sender as a legitimate email address (such as, but on further investigation it proves to be a complete fabrication.


How do I recognise a Spoof Email or Phishing Scam?

This is made difficult by three distinct factors.....

1. the ease with which almost anyone can compile an email and almost all its header information due to a security loophole in the design of SMPT mail servers. The sender (as shown) in your mail program's inbox is absolutely no guarantee of its real origin,

2. by the way in which URLs (links) can be written in order to convince you that you are clicking on a genuine site link,

3. the ease with which genuine graphics can be stolen from genuine site pages and/or shown in an email just by including the relevant html code.

Email Headers

You'll hear plenty around the internet about email headers and see examples of spoofed email headers, but it isn't a definitive way of identifying a spoof email. The spoof report departments of genuine sites (eBay, Paypal, etc.) place a lot of emphasis on their need for the full email with header in a report of a spoof, but this will not necessarily tell them its real origin. They will most likely have to communicate with the ISP(s) and servers that handled the email as it traveled around the internet, and who can trace its origin by viewing their detailed server logs. This is not to say for certain that the scammers would have been clever enough to spoof the whole email header, sometimes there are clear indications that the email has not come from where it should have.

Links in an email

Take a moment to look at the whole URL (web address) that the link points you to, when you position your cursor over the email, the full URL should be shown in the bottom edge of the mail program window. If you cannot see it, right click the link, copy and then paste into Notepad (or other text only editor), where you'll be able to view it without inadvertently clicking on it and arriving somewhere that you'd do not want to be.

Links and their URLs can be written in many ways to disguise the actual address you'll arrive at if you click on it. For instance.....

by preceding the link to the spoof web page with the first part of the genuine site's URL (such as '' or '')
followed by
almost any string of characters of almost any length
and then
the '@' character
followed by
the URL of the spoof web page

.....this will instruct your browser to divert you to the spoof page and will NOT send you to or through the genuine site. You'll notice other examples of this kind of forwarding when clicking on a link in a search result in Yahoo.

An example of this kind of disguising of a link is.....>jd7788@wWw.MIllerSMILes.Co.Uk

which would actually take you to our home page! You'll see in this example, that the actual URL that you'll arrive at is written after the '@' character. And scammers usually try to disguise their part of the URL further by mixing capitals with lower case and using random letters, numbers and characters in the spoof page name. A copy of a recent spoof email forwarded to me included the following link (which sent you straight to a spoof web page where account information was requested).....

This URL was too long to fit on one line here, but doesn't it look real? Can you see the first '@' character, this is where the real URL begins, and where you are actually sent. The spoof web page was removed shortly after the spoof email was sent to Paypal, so it will take you nowhere now.

It is really best that we NEVER click on a link contained in an email just to be sure, unfortunately eBay and Paypal put a lot of links into many of their emails and this is gives rise to the potential to fall victim. If there really is any genuine request from eBay to communicate information with them, you should log in (by entering the relevant eBay URL directly into your browser address bar) and interact with the site when you arrive there, and by those means alone. That really is the safest way of doing it.

It is a fact that with the right expertise or knowledge, a scammer can spoof the entire header and links with a few rare exceptions. It is important that we look directly into the email body itself.....

First, look for spelling and grammatical errors (many spoofs are written by non-english speaking persons, errors are common).

Second, if the email has a form to complete for any information (including your user name and password, bank details, credit card details, etc, etc.) then it is NOT from the genuine site. None of the genuine sites would do this.

Third, if we find that it requests us to confirm any login information (such as user name, password and any financial information like credit card details), it is most likely not a genuine email. If any site needs you to confirm details, simply type the known URL for that site into your browser, login and interact in that way alone, if there is any genuine need to verify any information, you will be asked to do so by some message when you are logged in.

Fourth, if the email advertises a competition, or tells you that you've been selected for some prize or accolade, don't believe it, and do NOT interact with anything within the email. You can confirm any of that by going to their genuine web site and logging in as described above.

If you are uncertain, contact the support department of the appropriate site (in the case of eBay and Paypal, you will have to log in and do this through a page on their sites). You should copy and paste the full email with header into your query as well.

Even better - change any notification preferences in your account to not receive any optional notifications at all, that way you'll know what sort of emails to expect.


How do spoof emails work to commit fraud?

If the email does not present you with a form to enter sensitive data, will direct you to a Spoof web site (which will look just like the genuine article by using the graphics from the genuine site). Either way, you will be asked to enter your login info and/or credit or debit card number(s); once this is done, the sensitive information will be relayed to the fraudster(s) by the clever use of some code in the email or web page.

With eBay spoofs, the sender will want to acquire your login password so that they can take over your account, and use it to offer items for sale (usually high value) to other users, who will pay and never receive the goods.

With Paypal, they'll want your login details so that they can take control of your account; they may utilise any monies in the account for their own use and gain access to use of your credit and debit cards through that Paypal account.

These are very serious acts of fraud, and there have been many examples of successful Account Hijackings.


Now that we've identified the email as a spoof, what should we do?

First of all do NOT proceed with any request that it makes, do NOT enter any information and do NOT click on any link in the spoof email.

Whilst most people would probably just delete it, but it is important to remember that the only way to bring an end to spoof email is to report it to those who can do something about it. The email should be reported to the organisation that it pretends to be from (in this case eBay).

eBay/Paypal have their own department which deals with Spoof emails, and which takes great steps to make sure that any web site that the email may point you to is removed/closed down as soon as is possible. They will also report such emails with the sender's ISP(s) in an attempt to trace and prosecute anyone involved in the spoof email scam. They will also have the user of the ISP connection that sent the spoof disconnected and their account will most likely be terminated (no ISP would allow the continued supply of service to any of their users involved in this kind of scam).

eBay or Paypal will require you to send the header and email text ('forward' the email, or use copy and paste from the message source, so that they get the header and email body) to or Paypal (Paypal use a web form to report, as opposed to an email for eBay), and they will respond with a confirmation as to whether it is a spoof or not and what they are doing to counteract it.


What if I've identified the Spoof too late?

If you've fallen the victim of a spoof email and/or web site, then you need to act very quickly. Complete the following in the order shown...

  • Call your Credit Card company and tell them that your account may be compromised (do everything that they tell you to do). If you had more than one card registered with the sites involved, you will have to call each and every one of them.
  • Call your bank tell them that your account details may have been compromised and how this occurred (do everything that they ask you to).
  • Change passwords on the relevant sites. If you cannot log into your accounts then the fraudsters may have already changed the passwords, go to the next step...
  • Email the web sites involved for eBay -; and for Paypal, click here for the relevant page. Not only should you tell them that your account may have been compromised, but you should also include the header and email which led to the problem. Important: the spoof email should be 'forwarded' to and not 'sent', that way they will get the full header and email, and you can still include a message.
  • Make a report to the Police (yes, even though it is a long winded and frustratingly time consuming process).


Be prepared! Prevention is better than a cure

Follow these rules to prevent disaster from striking...

Do NOT use your User Name(s) or email address(es) in any forums or discussion groups, use a completely different ID instead and use a 'disposable' web based email address (such as Hotmail or Yahoo). Many user names/email addresses are picked up from these groups by fraudsters (especially the Usenet groups which are almost completely unmoderated and full of personal abuse and spamming) and subsequently receive a plethora of spoof and spam emails.

Do NOT use the same password for more than one site. This is very dangerous, if for example, you had used the same password for eBay and Paypal, then it would take the fraudster a few more seconds to completely wrap up your auctions and accounts. Many people have used the same password over and over again when they really should not.

NEVER, and I do mean never, click on any link, or complete any form in any email whatsoever! That applies whether it is genuine or not, and this is because any link can be disguised with a little knowledge of HTML code ( may look like it will take you to eBay UK, but if you click on that link now, you'll arrive somewhere completely different). Its best to open your internet browser and manually type in the address of the web page you want to go to.

NEVER supply your user ID and password in response to any email whatsoever. eBay and Paypal will never ask you to do this, so DON'T DO IT!!

Always sign up with any online payment scheme (such as Paypal) using a private email address which no one knows about. That way, while a fraudster may gain your password, they will not be able to match it with your user email (to log into Paypal - you need to input the email address you used to sign up and your password). You can add other email addresses to accept and send payments with once you've signed up and set one of those as your default email address, that way your log in email address will remain undisclosed.

Always use a secure sign in, reputable and responsible sites offer this, if they don't - DO NOT USE THEM! eBay has a very poor policy on this; you will always be offered a standard sign in on their log in screen, with the secure sign in as an option. Amazon and Paypal, however, only have a secure sign in, and once signed in, you are contained within a secure connection.

NEVER write down your password(s) OR share them with anyone (hell hath no fury like a friend/partner scorned)!

Always ensure your physical privacy when entering your User ID and password - make sure that no one can see what you are typing.

BE AWARE of the address of the web site that you are visiting and be satisfied that you are at the correct site before interacting with it in any way. For instance, if you were at the sign in page of (US site), the address will be Get familiar with those site address prefixes and if you need to be sure that you are at the right site in the first place, simply enter the address of the site's homepage in the address bar of your browser (e.g.



To avoid becoming the victim of an already hijacked ID on eBay...


Verify that the seller is genuine

As a registered user with eBay, you've found something that you want to bid on, but how can you be sure of how genuine the seller is? You don't want to be conned out of your money now do you?


How long have they been dealing on eBay?

Everyone has to start somewhere on eBay, and while we should not shun 'newbies' extra caution should be exercised.

The feedback page of every user will have an ID History link which takes us to a page detailing when the user joined eBay and details of any ID name changes.

If they are new then consider contacting them by using the ask the seller a question link on the item page and ask them for a contact telephone number to discuss the item further (any user who will not give you a telephone contact number should be avoided).

If there has been a change in the user name, then use the ask a seller a question facility and ask them for a contact telephone number to discuss the item further (again, avoid anyone who will not give you a telephone contact).

If you bid and win the item, only pay by using a credit card or Paypal (Paypal offers a secure method of making credit and debit card payments online, join up by clicking here). By using either of those payment methods; if you do not get the goods or there is a problem with the goods, you can raise a query and get your money back. If the new user demands payment any other way - such as cash - understand that you may have no way of recouping your payment.


Let's take a look at their feedback...

The feedback system is there to let us know how other users have rated their dealings with this user in terms of Product, Delivery, Communication and Description. There are three forms of feedback, Positive, Negative and Neutral.

What to look for:

The ratio of positive to negative feedback is an issue as is the frequence of any negative or feedback. Generally speaking a minimum of 97% positive feedback of their feedback total is acceptable and may not lead us to look further. However, this is not the case when a quantity of negative and/or neutral feedback has been left against more recent transactions. If for instance the user had a feedback rating of 100, but there were 5 negatives left in the last month, we should investigate further, it may well be that their ID has been taken over by a fraudster.

If there is a quantity of negative/neutral feedback that gives you concern, then take a look at the relevant entries on their feedback page. Consider the reasons given by other users. Also, take a look at the feedback rating of the users that have left negative/neutral feedback, there are those who use the feedback system inappropriately, such as those who leave retaliatory feedback (this is a frequent problem) and those who have a terrible feedback record and feel that they have nothing to lose. You should take all things into consideration, and if you have any concerns, contact the seller using the ask seller a question link on the item page and request further contact information (in eBay unfortunately, you can only request a user's full contact information after winning their auction, but it does not prevent you from asking before bidding).

Also, check for a period of inactivity (many account hijacking cases occur on accounts that have been inactive for a month or more), again make further enquiries until you are happy that the seller is genuine.


Use a software tool...

A software tool, such as Hammertap's Bay Check Pro, is an inexpensive and essential utility to aid you in reviewing a user's feedback. It enables you to easily view all feedback, and also to filter out and view negative and neutral feedback alone, which is something that is not available on eBay itself. Hammertap also produce deep analysis software for a deeper view of a user's history.


What do they normally sell?

We've talked about how fraudsters can take over someone's eBay account to sell items, accept payments, but not send the goods. The goods involved in this are usually high value items, and if they are not what the seller usually sells, you have good reason to be concerned.

We can view previous items sold by that user by using the advanced search facility in eBay, or by using the previously mentioned Hammertap Bay Check Pro.


Is the item properly described?

Descriptions are the most important part of any item for sale on eBay and should indicate a full description of the item and its uses as well as its condition and its history or details of previous ownership and use (unless it is brand new and factory sealed). If there is anything lacking in the description, use the ask the seller a question link on the item page and ask for further detailed information and/or a contact telephone number. Any user who will not give you a telephone contact number should be avoided.



Reports of online auction fraud are prolific around the internet, if you want to avoid becoming another statistic, you need to take care with the emails that you receive AND with whom and how you deal on the internet.



Useful resources

AntiPhishing Working Group

World's Best Girlfriend

Nigerian Email Scams
12 Scams Most Likely to Arrive Via Bulk Email's guide to email scams
419 Advance Fee Scams
How not to get hooked by a phishing scam
Microsoft's Guide to Phishing Scams
Scambuster's guide to protecting yourself against phishing scams
Russian Company Information

© Copyright 2003 - 2011 Mat Bright. All rights reserved.