Avoiding the Nightmare of Account Takeovers: It's more common than you think!

9 min. read
All information of this content was reviewed by our team to ensure it was accurate and up-to-date at the time it was last updated. Learn more about our verification

Doing business on the internet, although potentially very profitable, also carries with it certain risks.  There will always be unscrupulous individuals wanting to get something for nothing, trying to steal your personal and financial information or do whatever else they can to rip you or others off.

What is an "Account Takeover"?

On eBay, one of the most serious and frightening ways criminals often try to perpetrate fraud is through what's known as account takeovers.  Account takeovers are just like what they sound,  someone else taking over your eBay account.  And once someone takes over your eBay account, he/she can wreak all sorts of havoc in your name, defrauding buyers, spamming other eBay users, accessing your personal information, and even accessing your PayPal account and other financial information in some cases. 

So as you can imagine, account takeovers are frightening and stressful, and can cause long-term damage, both to your personal life as well as to your eBay account. 

Is it safe for you to use PayPal and eBay?

When considering how account takeovers happen, one of your first thoughts might be that using eBay in and of itself is unsafe, that these criminals are able to take over eBay accounts by hacking into the eBay and PayPal websites.  There is no truth to this claim whatsoever.  eBay and PayPal are among the safest, most secure websites on the internet -- neither website has ever been compromised.  PayPal in particular is considered an FDIC-insured financial institution, the same as a bank, and is thus extremely careful about security.

Instead, the easiest, most common way criminals gain access to other people's accounts and information is due to the naivete, carelessness, and/or ignorance of the victims themselves. For an additional layer of security, consider using a reputable VPN service when accessing sensitive accounts online. This can help protect your information by encrypting your internet connection, making it more challenging for unauthorized individuals to intercept your data.

How do others takeover my account?

Criminals have found a gold mine in the form of "spoof" emails that are designed to mimic legitimate emails from eBay or PayPal, which usually persuade the recipient to click on a link that appears to be directing them to a sign-in page on the company's website, but instead, directs them to a fake/spoof website created to look just like the real one.  Many people don't realize how easy it is to create fake websites that mimic real ones, to then steal people's personal, confidential, and/or financial information, and then use it to defraud that person and/or often many others as well.

So what happens if you respond to a spoof email and willingly sign in to a spoof eBay site?  Well, someone else can then sign into your eBay account and start posting listings for hundreds of non-existent items, such as expensive vehicles, electronics, and computers, with very low prices, telling buyers in the item descriptions not to buy the items on eBay, but to email them directly and wire them the money via Western Union, MoneyGram, etc. for the items. 

At this point, you're no longer the only victim of this insidious fraud: Your careless mistake allows the hacker to defraud hundreds if not thousands of other victims as well, and the money is almost never recovered.

This may seem like an obvious scam, but there are thousands of eBay users who fall for it every day.  The amount of fraud occurring from account takeovers has been astronomical. Many of these innocent buyers will often go on to leave negative feedback and/or file complaints with both eBay and PayPal, even if they find out it was an Account Takeover and wasn't your fault. 

Plus, eBay has also already charged you fees for those fraudulent listings.  And although most of these issues can usually be resolved on your a, it can take quite a while to do so, and in the meantime, you've unwittingly participated in stealing money from people.  All because you weren't careful.

Resolving Account Takeovers

It's crucial that swift action is taken when an Account Takeover occurs.  eBay's system is so secure and sensitive that it can often detect unauthorized attempts to access someone's account, even if the correct password is used, so sometimes eBay is able to lock down the account and immediately change the password on it.  eBay can thus prevent the scammer(s) from listing items or wreaking any other havoc on someone's account, but it also means that when the rightful account owner tries to sign into his account the next time, he's prevented from doing so until he contacts eBay and resolves the situation.

If you ever find yourself an account takeover situation, quickly follow the directions listed on the following eBay help page:

Securing your account and reporting account theft

As long as you react quickly and properly to the account takeover, you won't be held accountable for any of the negative behavior or activities that occurred while the scammer had access to you account -- you'll be credited for any fees the scammer incurred by listing fraudulent items, any negative feedback left for you will be removed, etc.  In fact, in most account takeover situations, the ones who end up suffering the most are the buyers who fall for the scammer's fraudulent listings and wire money to the scammer via Western Union.

Since those buyers failed to heed eBay's warnings regarding safe buying practices, they almost never recover the money they sent to the scammer, and of course, they never receive the items they were trying to buy.

So let this also serve as a warning to you when you're thinking of buying as particular item on eBay. If you see a listing like the one described above, in which the item description provides an email address (usually in large text) and instructions to email the "seller" directly instead of buying the item, DON'T DO IT! You won't have any protection from eBay for the purchase, since eBay clearly warns users against completing transactions outside of the eBay listing, and/or using an unsafe payment method like Western Union, which is just like sending cash. 

Avoiding Account Takeovers

Naturally, the best scenario is to avoid falling victim to an account takeover in the first place, so here are the best ways to do so:

Use My Messages - eBay has created an email inbox for all its members, known as My Messages. Besides being a convenient place within My eBay to communicate with eBay and other eBay users, it also serves a much more important security function.  eBay users can check My Messages anytime they receive an email in their personal email inbox that appears to be from eBay.  If it's an email affecting your account, and there's an identical copy of the email appearing in My Messages, that means the email is really from eBay.  If not, it's a spoof email, and you should either delete it or forward it to spoof@ebay.com for investigation.

Pay close attention to any emails that appear to be from 'eBay'

Real eBay emails will always use both your first and last names, whilc spoof emails will use a general greeting such as "Dear eBay Member". Additionally, spoof emails often contain the following subtle differences from legitimate emails:

- Spelling and/or grammatical errors

- Phrases that don't sound the way most native English speakers talk, such as "Please to click on this link".

  • Don't trust the sender's email address -- email addresses ending in "@ebay.com" can be faked.
  • Don't trust an email because it looks like real eBay emails you've received, or because it has the eBay logo on it, since that can also be faked.
  • Don't trust apparent eBay links in emails (for instance, the link says www.ebay.com/stores) because links can also be forged - a link can say whatever the scammer wants it to say, but can then direct you to any other website the scammer wants.  If you click on the link, although the same web address might appear in the address bar at first (www.ebay.com/stores), after a couple of seconds it will change to a different web address that's no longer an eBay website address.  A real eBay website address will either say "ebay.com" (ebay dot com) or ".ebay.com" (dot ebay dot com) right before the first forward slash /.

 For example:

- http://signin.ebay.com/ - REAL EBAY ADDRESS ("dot ebay dot com" right before the first forward slash

- http://signin-ebay.com/ - FAKE EBAY ADDRESS (it has "dash ebay dot com" right before the first forward slash, NOT "dot ebay dot com")

- http://signin.ebay.com@10.2.86/ - FAKE EBAY ADDRESS (after "dot ebay dot com" it has "@10.2.86" before the first forward slash).

Don't download or share files or open attachments in apparent eBay/PayPal emails -  eBay and PayPal will never send you an attachment.

Keep safe by familiarizing yourself with what eBay will never ask you

eBay/PayPal won't ask for personal information in an email, such as the following:

-Your Full Name

- Your password (eBay doesn't even know what your password is, nor do eBay employees ever need to know your password).

- Your Driver license number

- Your Social Security number

- Any of your credit or debit card numbers

- Any of your PIN numbers or bank account numbers

Keep your personal information safe

As a rule, don't post your email address on eBay (or anywhere else online, for that matter), including your About Me page or an eBay listing.  Occasionally some sellers will post their email addresses in their listings, but usually because they know they're extremely adept and savvy at recognizing spoof emails, and/or they're willing to take the risk in order to provide an easy way to buyers to reach them.  In most cases, though, it's not worth the risk, and it's not necessary, since eBay buyers can email you easily through eBay's messaging system.

  • Forward suspicious emails to spoof@ebay.com or spoof@paypal.com for confirmation that they're spoof emails, and so eBay and PayPal can investigate the matter.

Listen to your instincts and don't take any chances

  • Be wary of emails that sound urgent or serious. Instead of giving in to fear and hurriedly clicking on the link(s) provided, open a new browser window, type in www.ebay.com (or www.paypal.com) and then check your account.  Scammers play upon people's fears, desires and other emotions, to push them to act impulsively and act on or respond to emails before thinking carefully about doing so.  Here are some examples of common spoof email tactics:

    - Emails saying your eBay account is suspended and that you need to click on a link in the email to resolve it.

    -  Emails telling you to update your information (by clicking on a link in the email, of course) or your account will/might be suspended

    - Emails inviting you to be an eBay Powerseller (when you don't really qualify), asking you to click on a link to accept the invitation and become a Powerseller.

    - Emails from another eBay user with a link in them and (usually) an enticing phrase, such as, "Look at this great listing I saw!", or "The seller of this listing copied your pictures!".  Sometimes hackers will take over the account of a real eBay member and use it to send out spoof messages through eBay's email system, so these emails DO appear in My Messages, but if you don't recognize the person's User ID and the email contains a link of any kind, don't click on the link nor respond to the message, but forward it to spoof@ebay.com and then delete it. You can also contact eBay Customer Support to verify whether or not someone actually copied your pictures, for instance.

  • Don't take any chances -- If you DO click a link in a spoof email and start signing into a fake eBay sign-in page, but realize your mistake before finishing, your information/account may still have been compromised.  Scammers can often harvest anything typed into a website field even if the page isn't submitted.  Don't take any chances; assume that your information has been compromised and proceed accordingly.

  • If you think someone might have obtained your personal information, change the passwords on all of your online accounts, contact your financial institutions, and report the theft to the FTC (Federal Trade Commission) at www.ftc.gov, the FBI Internet Crime Complaint Center at www.ic3.gov, and/or your local law enforcement.

  • Become familiar with eBay's Security Center (http://pages.ebay.com/securitycenter/index.html) and PayPal's Security Center (https://history.paypal.com/us/cgi-bin/webscr?cmd=_security-center) You can even read about recent eBay-related arrests in the Police Blotter section of eBay's Security Center (http://pages.ebay.com/securitycenter/law_case_study.html).

As a final resource, I've put together a spoof email tutorial that displays screenshots from an actual spoof email I received, and points out the red flags that give the email away as being a spoof email:

http://tinyurl.com/spoofemailexample

 

About the author
Simon Slade
CEO of SaleHoo Group Limited

Simon Slade is CEO and co-founder of SaleHoo, a platform for eCommerce entrepreneurs that offers 8,000+ dropship and wholesale suppliers, 1.6 million high-quality, branded products at low prices, an industry-leading market research tool and 24-hour support.

View profile
Already a member? Login to comment
17 Comments
  • Ken 1st of October
    This is vey good information. I constantly receive spoofy emails pretending to be a buyer interested in one of our items. They list an item number that does not exist. As stated in the blog always check you messages on eBay and forward the phishing email to eBay . This also applies to Paypal as well. We have received phishing emails indicating that our paypal account has been restricted. If there is some issue with your paypal acccount you can log into your accontl and check for notification in the upper right hand corner of you account page. As with eBay, Paypal will never ask for personal information in an email. These emails look very authentic. I can't emphaize this enough, never to respond to one of these seemingly authentic emails. Go to eBay or Paypal and login then check for messages or notifications.
  • Valeriy 1st of October
    Thanks for the info. For myself I consider useful.
  • Mary Frumkin 1st of October
    Several years ago, eBay erroneously debited my PayPal account for $1800, for a purchase I never made! (I had never even LOOKED at the item.)They were very ornery about correcting their error, and never explained how it could have happened. No apology, either.
  • Dawn Stephenson 2nd of October
    Brilliant write up. All pertinent points covered, I just wish there was a way of turning the tables on these scum bags.
  • Lina 2nd of October
    Thanks for sharing this great information, I've been a victim on this not on eBay but on my PayPal account and few of my online home based business products that I bought, because of this bad experience, I can now destinguished or identify the activity of this unscrupulous individuals. There are emails that I received address to undisclosed recipients, when I received this kind of emails I delete it right away, It's true that if you are not very careful your money will goes out for nothing. Now every transactions I make I open the new browser window and type the link of the website where I have an account there and reported with them any suspecious fraudulent activity.
  • Lee Walker 2nd of October
    Thank you for the great info, a great warning .
  • Jennifer 2nd of October
    Thanks for posting this. I was scammed on ebay over 5 years ago. I've learned what to look for and am very carefull. There are so many people out there that don't know this info. Because of this posting, you have probably saved so many people from being scammed!!!! Thanks again. :)
  • David 2nd of October
    I get at least 5 of these fake emails everyday. The foolproof way of never having your account taken over is to NEVER click on a link from any email. Always manually type Ebay's address into your internet browser and go to MY Ebay to conduct all business and account maintenance.
  • Jason 2nd of October
    Good info, although I have to say I found the first part of this email almost offensive. We all make mistakes, we are only human after all. Its how we deal with these mistakes that makes us who we are. There's no need to make us feel guilty for making a mistake and much less about other people who would be ripped off during this process. At the end of the day there is a risk with everything we do, if you don't like the risk then simply don't do ebay. Anyway enough said just felt you were a bit heavy handed pointing the finger at who is ultimately the victim in these scams.
  • K.L.Flynn 2nd of October
    Really informative --BUT SCAREY ! Being fairly new to it all - You want to become very very aware.
  • Niela 2nd of October
    Thanks for this information and I advise all to take note of this. The very first time I received a spoof email I fell for it. By clicking on the link and giving information my ebay account was then used to advertise large amounts of false products and fees were added to my account. Luckily eBay noticed this suspicious activity and calle me. Luckily I was refunded the fees. Since then I delete any email that is not also in my eBay messages. Be careful, these people are very cunning.
  • mondo 3rd of October
    absolute care is needed when operating ebay accounts. i just hate this scammers im sick and tired of them.wish to tackle them with a slege hummer would be O.k huh ?
  • john dale 26th of October
    One part that bothers me in this post is indicating that Paypal is a bank. They are not a bank and are not governed by rules associated with banks. Further, funds in Paypal are not insured by the FDIC and if one loses money in Paypal, due to any number of reason including Paypal going bankrupt, those fund would not be covered by the FDIC. This is what makes Paypal scary. If one puts money into Paypal and if Paypal decides to hold that money, one has no recourse but to adhere to Paypal rules regarding how one gets that money back. Even if Paypal takes this money on wrong reasons. Example, If one has their Paypal account hijacked and the thief steals money. One may never see this money ever again. And in all likelihood they won't. Because Paypal is not a bank and will take their time and drag their feet and then end up telling the buyer tough luck. If one has money stolen from a real bank, everything over 50$ is returned to the customer normally within 48 hours and in many cases banks are now agreeing to return all the funds.
  • David 3rd of May
    You are correct Sir, Paypal is not a bank and that's where many people become confused. Paypal is not regulated and as such are a law unto themselves and eBay of course :) http://paypal.com
  • Bielizna 21st of December
    It's a shame you don't have a donate button! I'd definitely donate to this excellent blog! I guess for now i'll settle for book-marking and adding your RSS feed to my Google account. I look forward to fresh updates and will talk about this site with my Facebook group. Talk soon!
  • paul hancock 17th of February
    I had an account take over occur yesterday yet I haven't been on any spoof ebay sites or replied to emails. The information given is incorrect. If eBay were to change their system so that when you come to pay, it didn't retain your pay pal account details, then there wouldn't be an issue. Ebay isnt safe at all
  • steve 12th of June
    I have just been hacked via a link in an ebay message which I stupidly clicked on and must then have logged into a fake ebay page - so be wary of links in ebay messages as well as email!
    • Rhea Bontol SaleHoo Admin 29th of June
      Thanks for the warning, Steve! Were you able to recover your account though?