Doing business on the internet, although potentially very profitable, also carries with it certain risks. There will always be unscrupulous individuals wanting to get something for nothing, trying to steal your personal and financial information or do whatever else they can to rip you or others off.
What is an "Account Takeover"?
On eBay, one of the most serious and frightening ways criminals try to perpetrate fraud is through what's known as account takeovers. An account takeover is just what it sounds like: someone else taking over your eBay account. Once someone takes over your eBay account, he/she can wreak all sorts of havoc in your name: defrauding buyers, spamming other eBay users, accessing your personal information, and in some cases even accessing your PayPal account and other financial information.
So as you can imagine, account takeovers are frightening and stressful, and can cause long-term damage, both to your personal life as well as to your eBay account.
Is it safe for you to use PayPal and eBay?
When considering how account takeovers happen, one of your first thoughts might be that using eBay in and of itself is unsafe, that these criminals are able to take over eBay accounts by hacking into the eBay and PayPal websites. There is no truth to this claim whatsoever. eBay and PayPal are among the safest, most secure websites on the internet -- neither website has ever been compromised. PayPal in particular is considered an FDIC-insured financial institution, the same as a bank, and is thus extremely careful about security.
Instead, the easiest, most common way criminals gain access to other people's accounts and information is due to the naivete, carelessness, and/or ignorance of the victims themselves. For an additional layer of security, consider using a reputable VPN service when accessing sensitive accounts online. This can help protect your information by encrypting your internet connection, making it more challenging for unauthorized individuals to intercept your data.
How do others take over my account?
Criminals have found a gold mine in the form of "spoof" emails that are designed to mimic legitimate emails from eBay or PayPal, which usually persuade the recipient to click on a link that appears to be directing them to a sign-in page on the company's website, but instead, directs them to a fake/spoof website created to look just like the real one. Many people don't realize how easy it is to create fake websites that mimic real ones, to then steal people's personal, confidential, and/or financial information, and then use it to defraud that person and/or often many others as well.
So what happens if you respond to a spoof email and willingly sign in to a spoof eBay site? Well, someone else can then sign into your eBay account and start posting listings for hundreds of non-existent items, such as expensive vehicles, electronics, and computers, with very low prices, telling buyers in the item descriptions not to buy the items on eBay, but to email them directly and wire them the money via Western Union, MoneyGram, etc. for the items.
At this point, you're no longer the only victim of this insidious fraud: Your careless mistake allows the hacker to defraud hundreds if not thousands of other victims as well, and the money is almost never recovered.
This may seem like an obvious scam, but there are thousands of eBay users who fall for it every day. The amount of fraud occurring from account takeovers has been astronomical. Many of these innocent buyers will often go on to leave negative feedback and/or file complaints with both eBay and PayPal, even if they find out it was an Account Takeover and wasn't your fault.
Plus, eBay has also already charged you fees for those fraudulent listings. And although most of these issues can usually be resolved on your account, it can take quite a while to do so, and in the meantime, you've unwittingly participated in stealing money from people. All because you weren't careful.
Resolving Account Takeovers
It's crucial that swift action is taken when an Account Takeover occurs. eBay's system is so secure and sensitive that it can often detect unauthorized attempts to access someone's account, even if the correct password is used, so sometimes eBay is able to lock down the account and immediately change the password on it. eBay can thus prevent the scammer(s) from listing items or wreaking any other havoc on someone's account, but it also means that when the rightful account owner tries to sign into his account the next time, he's prevented from doing so until he contacts eBay and resolves the situation.
If you ever find yourself in an account takeover situation, quickly follow the directions listed on the following eBay help page:
As long as you react quickly and properly to the account takeover, you won't be held accountable for any of the negative behavior or activities that occurred while the scammer had access to your account -- you'll be credited for any fees the scammer incurred by listing fraudulent items, any negative feedback left for you will be removed, etc. In fact, in most account takeover situations, the ones who end up suffering the most are the buyers who fall for the scammer's fraudulent listings and wire money to the scammer via Western Union.
Since those buyers failed to heed eBay's warnings regarding safe buying practices, they almost never recover the money they sent to the scammer, and of course, they never receive the items they were trying to buy.
So let this also serve as a warning to you when you're thinking of buying a particular item on eBay. If you see a listing like the one described above, in which the item description provides an email address (usually in large text) and instructions to email the "seller" directly instead of buying the item, DON'T DO IT! You won't have any protection from eBay for the purchase, since eBay clearly warns users against completing transactions outside of the eBay listing, and/or using an unsafe payment method like Western Union, which is just like sending cash.
Avoiding Account Takeovers
Naturally, the best scenario is to avoid falling victim to an account takeover in the first place, so here are the best ways to do so:
Use My Messages - eBay has created an email inbox for all its members, known as My Messages. Besides being a convenient place within My eBay to communicate with eBay and other eBay users, it also serves a much more important security function. eBay users can check My Messages anytime they receive an email in their personal email inbox that appears to be from eBay. If it's an email affecting your account, and there's an identical copy of the email appearing in My Messages, that means the email is really from eBay. If not, it's a spoof email, and you should either delete it or forward it to firstname.lastname@example.org for investigation.
Pay close attention to any emails that appear to be from 'eBay'
Real eBay emails will always use both your first and last names, while spoof emails will use a general greeting such as "Dear eBay Member". Additionally, spoof emails often contain the following subtle differences from legitimate emails:
- Spelling and/or grammatical errors
- Phrases that don't sound the way most native English speakers talk, such as "Please to click on this link".
- Don't trust the sender's email address -- email addresses ending in "@ebay.com" can be faked.
- Don't trust an email because it looks like real eBay emails you've received, or because it has the eBay logo on it, since that can also be faked.
- Don't trust apparent eBay links in emails (for instance, the link says www.ebay.com/stores) because links can also be forged - a link can say whatever the scammer wants it to say, but can then direct you to any other website the scammer wants. If you click on the link, although the same web address might appear in the address bar at first (www.ebay.com/stores), after a couple of seconds it will change to a different web address that's no longer an eBay website address. A real eBay website address will either say "ebay.com" (ebay dot com) or ".ebay.com" (dot ebay dot com) right before the first forward slash /.
- http://signin.ebay.com/ - REAL EBAY ADDRESS ("dot ebay dot com" right before the first forward slash)
- http://signin-ebay.com/ - FAKE EBAY ADDRESS (it has "dash ebay dot com" right before the first forward slash, NOT "dot ebay dot com")
- http://email@example.com/ - FAKE EBAY ADDRESS (after "dot ebay dot com" it has "@10.2.86" before the first forward slash).
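The address rule above, applied to every link in an HTML email, as an added example (not eBay's code and not part of the original article). It ignores the visible link text and judges only the host in the link's real target; the TRUSTED list, the function names, and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
TRUSTED = ("ebay.com", "paypal.com")  # assumption: the sites you mean to visit

def real_host(url):
    """Host the browser will actually contact (text after any '@', before '/')."""
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:          # malformed address: treat as having no host
        return ""

def is_trusted(host):
    """True only for 'ebay.com' itself or a name ending in '.ebay.com'."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class LinkCollector(HTMLParser):  # gathers (visible text, href) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_email(html):
    """Return (visible text, real host, trusted?) per link; text is never trusted."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, real_host(href), is_trusted(real_host(href)))
            for text, href in parser.links]

# Constructed sample message, not a real email; 192.0.2.10 is a documentation address.
SAMPLE = """
<a href="http://signin.ebay.com/">Sign in</a>
<a href="http://signin-ebay.com/">www.ebay.com/stores</a>
<a href="http://signin.ebay.com@192.0.2.10/">signin.ebay.com</a>
<a href="http://ebay.com.example.net/login">Update your account</a>
"""
if __name__ == "__main__":
    for text, host, ok in audit_email(SAMPLE):
        print("REAL" if ok else "FAKE", host, "| link text:", text)
```

Only the first link passes: the other three show an eBay-looking name in the text or at the start of the address, but the host that is actually contacted is something else.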
Don't download or share files or open attachments in apparent eBay/PayPal emails - eBay and PayPal will never send you an attachment.
Keep safe by familiarizing yourself with what eBay will never ask you
eBay/PayPal won't ask for personal information in an email, such as the following:
- Your full name
- Your password (eBay doesn't even know what your password is, nor do eBay employees ever need to know your password).
- Your driver's license number
- Your Social Security number
- Any of your credit or debit card numbers
- Any of your PIN numbers or bank account numbers
Keep your personal information safe
As a rule, don't post your email address on eBay (or anywhere else online, for that matter), including your About Me page or an eBay listing. Occasionally some sellers will post their email addresses in their listings, but usually because they know they're extremely adept and savvy at recognizing spoof emails, and/or they're willing to take the risk in order to provide an easy way for buyers to reach them. In most cases, though, it's not worth the risk, and it's not necessary, since eBay buyers can email you easily through eBay's messaging system.
Listen to your instincts and don't take any chances
Be wary of emails that sound urgent or serious. Instead of giving in to fear and hurriedly clicking on the link(s) provided, open a new browser window, type in www.ebay.com (or www.paypal.com) and then check your account. Scammers play upon people's fears, desires and other emotions, to push them to act impulsively and act on or respond to emails before thinking carefully about doing so. Here are some examples of common spoof email tactics:
- Emails saying your eBay account is suspended and that you need to click on a link in the email to resolve it.
- Emails telling you to update your information (by clicking on a link in the email, of course) or your account will/might be suspended.
- Emails inviting you to be an eBay Powerseller (when you don't really qualify), asking you to click on a link to accept the invitation and become a Powerseller.
- Emails from another eBay user with a link in them and (usually) an enticing phrase, such as, "Look at this great listing I saw!", or "The seller of this listing copied your pictures!". Sometimes hackers will take over the account of a real eBay member and use it to send out spoof messages through eBay's email system, so these emails DO appear in My Messages, but if you don't recognize the person's User ID and the email contains a link of any kind, don't click on the link nor respond to the message, but forward it to firstname.lastname@example.org and then delete it. You can also contact eBay Customer Support to verify whether or not someone actually copied your pictures, for instance.
Don't take any chances -- If you DO click a link in a spoof email and start signing into a fake eBay sign-in page, but realize your mistake before finishing, your information/account may still have been compromised. Scammers can often harvest anything typed into a website field even if the page isn't submitted. Don't take any chances; assume that your information has been compromised and proceed accordingly.
If you think someone might have obtained your personal information, change the passwords on all of your online accounts, contact your financial institutions, and report the theft to the FTC (Federal Trade Commission) at www.ftc.gov, the FBI Internet Crime Complaint Center at www.ic3.gov, and/or your local law enforcement.
Become familiar with eBay's Security Center (http://pages.ebay.com/securitycenter/index.html) and PayPal's Security Center (https://history.paypal.com/us/cgi-bin/webscr?cmd=_security-center). You can even read about recent eBay-related arrests in the Police Blotter section of eBay's Security Center (http://pages.ebay.com/securitycenter/law_case_study.html).
As a final resource, I've put together a spoof email tutorial that displays screenshots from an actual spoof email I received, and points out the red flags that give the email away as being a spoof email: