I received a suspicious email at home yesterday. It claimed to be from eBay, saying that they’d detected some suspicious transactions on my account, so I should check the account and possibly update my password. The message included eBay logos and links to eBay’s home page and fraud pages. It also included a direct link to the page where I could update my account info.
The dead giveaway for me, of course, was that I don’t have an eBay account. A closer look at the header showed that the message wasn’t even addressed to me; it went to a private mailing list I’m on and got forwarded to me. There was definitely someone trying to get access to my (non-existent) eBay account, and it was the sender of this "warning". The sender was "phishing" for information they could use to steal money from me, and this message was the bait. You can get the gory details of phishing online if you want to get technical, but the moral of the story is never trust email from a corporate entity, even if you do business with them; the email may be a counterfeit from someone else.
As I said, the trick message was full of links to pages on eBay’s site, but there’s no way to be sure how many were genuine. I certainly wasn’t going to click any of them to find out the hard way. The direct link to the "account maintenance" page was undoubtedly a trap that went somewhere other than eBay, but some of the others might have been genuine links to eBay pages, just to keep innocent victims like me guessing.
As I said, I wasn’t going to click any of those links to test them. Any or all of them might have led to a programmed "exploit page" designed to quietly install evil programs on my computer. Those programs might generate more evil email or host evil web pages on my own computer designed to steal information from others, quietly sending the stolen information to some criminal in a distant land.
eBay does take this kind of thing seriously (as do PayPal and assorted banks that have internet banking facilities), so a quick visit to eBay’s website (by directly typing www.ebay.com in my browser rather than following any of those evil links) quickly turned up an abuse address to which I forwarded the message. I don’t know if it will be possible to track down the scumbags who sent it to me, but hopefully they’ll be able to use the information to break up at least part of the criminal network sending them.
It’s possible to do business online safely, but vigilance is definitely needed. Criminals impersonate reputable corporations to rob you, so you need to view any unsolicited message that lands in your mailbox with skepticism. It can save your money, your credit rating, and possibly your reputation.
This post will appear in the Skeptic's Circle of Thursday, May 26th, hosted by Saint Nate.