E-mail Fraud and the Escrow Site Shakedown
A couple weeks back, MSNBC posted an article detailing a scam aimed at auction buyers. The scam involves elaborate Web sites, dummy bank accounts, and good old sleight of hand. Anyone who participates in an online auction should read this article.
One of the great things about the Internet is its potential to bring buyers and sellers together in heretofore undreamt-of ways. One of the most abused aspects of this realization is the anonymity involved in such transactions. Is there a company behind the Web page? Does the voice behind the e-mail represent a legitimate business?
This is especially true of online auctions, where wary buyers often look to escrow sites as the solution to buying big-ticket items online. However, scam artists have started building entire mock escrow Web sites. The buyer, tricked into believing that the site is a legitimate third-party site, hands over thousands of dollars. Millions of dollars are believed to have been collected in this manner.
This touches on an article we posted a while back in which scammers were sending out e-mail that pretended to come from the recipient's bank or a company that they do business with. The messages included links to similar mock Web sites. The customer, tricked into believing the message was from a trusted source, immediately assumed the Web site was legitimate.
Once on the site, the customer would be asked to log into "their account." They might even be asked for personal information, information they might expect such a company to require of them to complete a transaction or properly identify themselves. That information would be recorded by the fake Web site to be misused at a later date.
We recently received just such a message from a sender purporting to be from the popular auction site eBay. We inquired with eBay about the message and received a confirmation that the message was fraudulent. They also included the following tips in their response:
- "eBay will never ask for sensitive financial information, including passwords, in an email format." It's safe to say that most Web sites don't -- or at least they shouldn't. You should correct them if they do.
- "Never be afraid of questioning the validity of a suspicious email." Always assume the worst. If you don't hear back from a company regarding an inquiry, don't just assume the message is legitimate.
- If you think you may have given out information to a fake site, immediately change your password with the legitimate site. If your password has already been changed, then contact the legitimate site to let them know your account may have been compromised.
- If you gave out any financial information such as a credit card number, assume this information has been stolen and will be misused. Contact your financial institution and take steps accordingly.
These are all good tips which you can apply when dealing with most companies online. To this we'd add that, when in doubt, go with what you know. If you get a message from a company you deal with and they ask you for personal information, don't click the link in the message. Instead, visit the site as you normally would, either by typing in the address manually, clicking a bookmark or through your preferred search engine. This way, at least, you'll know for sure who's asking you for information.
If the seller insists on using another site (for the same reasons you want to use your own), you can do a little investigating using the search engines. For these purposes, we recommend using Google because of the sheer number of pages indexed. Another good resource is the USENET archive, which is made searchable through Google Groups. Just keep in mind that there is a lot of noise out there. Be careful to distinguish the occasional complaints that any business receives from legitimate reports of fraud.