There are so many posts in FWOA that it seemed necessary and desirable to create a guide to scams. This FAQ is mean to detail some very common auction-related scams, as well as discuss what can be done about scams at various stages of the game.
Not-so-new scam: eBayers have reported getting emails purporting to be from other eBay members. These emails typically ask about an unspecified item; they might be inquiries for a shipping fee, demands for payment of an item you did not actually buy, etc. These tend to be fake. If they do not show up in your My Messages box in My eBay, they are fake. If links contained within the email do not send you to eBay (be sure to check the header), they are fake. To verify authenticity, check My Messages. If it's not in there, it's a phish. To be on the safe side, NEVER click on links in these emails. Go straight to eBay to respond if you feel you must.
If an email offer to buy includes any of the following, IT IS A SCAM. (read further for greater detail) •Nigeria •Bad grammar/spelling •An offer to buy more of an item than what you have listed (ok by itself, scam in combo with any other of these) •Urgent •Associate will pick up •Will pay more than your selling price •Wants extra money sent back or given to associate •Uses "accountant.com" as the part of the domain of the supposed payment company (e.g., paypal.accountant.com or paypal@accountant.com).
What are some common online auction-related scams? What can I do to protect myself?
Nigerian Scam Scam description: •The old Nigerian scam is probably the best known. •Someone purporting to be from Nigeria (or in variations on the theme from the Ukraine, any other part of the former Soviet Union, any other country in Africa, London, etc) asks to pay for your item with Western Union or BidPay or PayPal or a money order or cashier’s check. •The ‘buyer’ typically offers a price higher than the asking price, and may ask for a return of the overage by wire transfer, MO, etc. •The ‘buyer’ also usually says they want it shipped on their FedEx (or other carrier) account. •The 'buyer' usually wants the item sent to someplace in Africa, or the Philippines. •The 'buyer' says he will have the USPS send an electronic money order. As soon as the USPS notifies you by email that the MO is ready, you are supposed to ship. Until you do that, the USPS will not release the MO to you. •The 'buyer' says he will have BidPay send a money order. As soon as BidPay notifies you that the MO is ready, you are supposed to ship. Until you do that, BidPay will not release the MO to you.
Why is it a scam? •The payment will ALWAYS be fake. If it’s a cashier’s check or MO, it will be a fake. If it’s via PayPal, it will be funded with a stolen credit card. If it’s via BidPay, you’ll get a fake email confirmation, and a request from the buyer to ship ASAP. •If it's supposedly a BidPay MO, the scammer is hoping you don't know that BidPay now does payments by ACH (direct deposit) only, no more mailed payments. •In every variant of the scam, the ‘buyer’ asks that you send the item ASAP on receipt of payment (or confirmation of payment). The scammer wants you to ship before you discover you’ve been defrauded. •He wants you to use his FedEx account because it’s either a stolen account or the scammer has set it up in your name so that FedEx goes after you for the shipping fee. •The USPS does not have an escrow-like service, which is what the electronic MO thing is supposed to resemble. The only MOs issued by the USPS are in paper form, and you should always receive and cash them at a PO before you ship. The USPS will never ask you to confirm you have shipped before releasing payment to you. •Accountant.com (and all variants thereof) is not a domain owned by PayPal or the USPS. It is not a payment service. All payments that purport to have come from accountant.com are fake.
How can I protect myself? •Use more secure payment methods, and verify all payments. If you take PayPal on international sales, be aware of the risks (see the PayPal FAQ). If you accept BidPay, log into your BidPay account and verify the payment. If you accept MOs and cashier’s checks, ALWAYS verify the authenticity of the payment. You can call the issuer to do so.
Switcheroo Scam Scam description: •A buyer buys an item that is similar or identical to something he already owns but in better condition. Upon receipt, he switches the better item for his, and returns the poorer item for a refund. •This may happen in electronics where a buyer sends back a DOA item, or in any other category where condition can vary and better is desirable. Some categories are much more prone to this sort of scam than others.
How can I protect myself? •Record serial numbers for every item you sell that has one. If you sell electronics that may have multiple parts, record all SNs. For example, if you sell a laptop, record the SN for the laptop itself, for the battery, for the power adapter, etc. •For items without serial numbers, you may wish to mark them with what is known as a “seller’s mark”. This is done with a special pen that only shows up under a UV light. You can mark items in a hidden location with your initials, some set of meaningful digits, or whatever. •If you cannot mark the item, or the item has any special identifying marks already, be sure to record those. Clear photos of the item are great for this, especially if you include them in the auction for the buyer’s later reference. Especially note any flaws in the item in your photos. •When you accept returns, make a refund contingent upon receiving the item in the same condition it was sent in. Always check for the SN or seller’s mark or other identifying marks, and do not refund unless the item you get back is the same one you sent.
Some Amazon sellers have reported receiving emails from prospective buyers from Indonesia asking if they can buy the seller's goods using Amazon Payments. The problem is that Amazon does not accept payment from Indonesia via the Amazon Payments system. Many sellers are not aware of this, and may consent o the sale. The "buyer" is counting on the seller accepting the fake payment email as legit, and shipping before verifying the payment.
Avoid this problem by consulting Amazon's list of countries that may use Amazon Payments here. Also, always verify any payment you might receive by logging into your Amazon account using a new browser window. If it doesn't show up in your account, no sale has been made.
Bidpay scam
Bidpay has shut down (again!) as of 12/31/07. That means any offers to pay using Bidpay received after that will not actually happen. f you get a request to pay with Bidpay, it's either a scam or a buyer who is somewhat out of the loop. By the same token, a seller offering to allow you to use bidpay is either a scammer or a seller out of the loop. regardless, do not attempt to use bidpay after 12/31/07.
I think I have been sent a scam offer. What do I do? •Delete it. Do not play games with the scammer, do not respond, just delete it.
I was an idiot and fell for the scam. What do I do? •If you have deposited the fake MO/cashier’s check but did not send the item, you get to eat the bounce fee your bank will charge, but count it as a cheap lesson. •If you have already shipped the item, and used the USPS, CALL the USPS ASAP and ask if you can get the package held and returned to you. It probably won’t be possible, but it can’t hurt to try. •If you have already shipped the item via UPS or FedEx, CALL the carrier ASAP and ask that the package be returned to you. Depending on where it is, it may not be possible, but it can’t hurt to try. •If tracking shows the item has been delivered, suck it up. You have been scammed. Learn from your mistake. Report to the appropriate authorities (a list of these is forthcoming), but don’t expect that it will help you. Rather, report it as a public service to help shut those scammers down.
I received this email <text of email>. Is it a scam? Ask yourself the following questions: 1. Is the buyer offering to pay more than what I am asking? 2. Is the buyer in Nigeria, the Ukraine, the Philippines, or anywhere else I clearly state I don’t ship to? 3. Does the buyer want to pay via a method I did not state I accepted? 4. Does the buyer want to use Western Union (wire transfer)? 5. Does the buyer, who says he’s in London, want you to send the item to his cousin in Nigeria for his birthday? 6. Does the buyer want you to use his FedEx account?* 7. Is the buyer insisting on immediate shipment upon confirmation of payment? 8. Is the offer to buy written in really rotten, yet oddly formal, English?** 9. IS THE DEAL TOO GOOD TO BE TRUE? 10. Does the supposed payment you just received include "accountant.com" as any part of the address?
If you answered yes to at least one of the above, it’s probably a scam. If your buyer proposes any variant on the above (different countries, different relatives, etc) that doesn’t make it any less scammy.
* Some legit buyers do want to use their own accounts. They may get free shipping through work, or otherwise get discounted shipping, or want to avoid paying your handling fee. You do not have to permit this. FWer Lial says: "NEVER permit this when the payment is in the form of paypal as the the seller can redirect the shipment to an unconfirmed address and successfully claim and win an item not received dispute. " ** Please recognize that most individuals who do not use perfect grammar are not scammers. However, this style of language is a Hallmark of the Nigerian scam. Alone it is not an issue, but when combined with the other components of the offer it does help confirm that it is a scam.
Spoofs and phishes
Scam description: Another form of scam is a spoofed email that tries to 'phish' your personal data. These emails may purport to be from eBay, PayPal, or any other real company, but in reality they are scammers hoping you'll be stupid and give up your CC number, SSN, etc.
The emails typically offer a URL and ask that you go to that page and offer up a lot of personal info. They may ask for any combination of your name, your CC #, your eBay ID, your email address, your PayPal or eBay password, etc. The pages usually look authentic, and may include the correct logos for PayPal, eBay, etc. In all cases, these pages are fakes. Look at the HTML source to verify for yourself.
One common version of the phish is an invitation to become a powerseller. If you do not meet the criteria to be a powerseller (100+ feedback rating with a minimum 98% positive rating, gross sales of $1K/month for last 3 months) then you know it's a phish. Delete it.
I just received this email asking me to go to a webpage and update my info. Should I do it? Ask yourself the following questions: 1. Does it address you by anything other than your real name? (such as Dear Sir, YourEbayID, etc) 2. Is the email written in really rotten, yet oddly formal, English?** 4. Look at the headers. Do you see any server in there that is not yours AND is not one owned by the company that supposedly sent the email? 5. Look at the email. It may say something like "You are suspended. To end your suspension, use the following link: http://www.eBay.com/blahblahblah". Now look at the HTML source of the email. Does it now say something like "You are suspended. To end your suspension, use the following link: <a href="http://insertscamsitehere.com/blahblah">http://www.eBay.com/blahblahblah</a>"?
If you answered Yes to at least one of these questions, it is probably a phish/spoof.
How can I protect myself? •eBay/PayPal WILL ALWAYS address you by your full name in real emails. If this is not present, it is a spoof. •When it doubt, ALWAYS forward the email with full headers to spoof@paypal.com or spoof@eBay.com. They will tell you if it is real or not. •NEVER click a link in one of those emails. Some variants attach virii, trojan horses, and other nasty stuff. •If the email tells you your account has been suspended, open a browser window and type the real URL of the site it. Then log in. If you can login in, your account is fine. •If you get an invite to become a powerseller, and are in doubt, "login into your eBay account as you do normally, and navigate to powerseller login here: http://pages.eBay.com/services/buyandsell/welcome.html? (tanks to Economist for posting this in another thread). •Delete these spoofs/phishs.
I just received an offer to buy my item or an email I think may be a spoof/phish. Is it legit or a scam? Post it here and we'll help you figure it out. If you do post the email, please do the following: •Post the full headers of the email. Of course it's a good idea to X out any info that identifies you, such as your email address. •Post the full text of the email. Posting the HTML source helps us help you.
The email header just looks like a bunch of gobbledegook. Help! CSJeff has posted an excellent primer on understanding headers. Scroll down to the very next post in this thread.
This FAQ is a work in progress. Please post any comments, request additions, etc in this thread or by PM. Also, if you have any good examples of those fun Nigerian scam emails, please PM me so I can post a few examples.
Courtesy Ebytes:
When you get spoof emails from Yahoo, Overstock or BidVille Auctions, you may use these to contact customer support regarding the incident.
Yahoo Auctions: mail-spoof@ cc.yahoo-inc.com
BidVille Auctions: Please report all spoofs/spams by using the "Contact Us" link located at the bottom of every page on Bidville.
The FBI and The United States Postal Inspection Service have put together a websote aimed at educating consumers about online fraud. There's lost of info about identifying fraud, and how to deal with it if you have been defrauded. Check it out at Looks Too Good To Be True. (Thanks to Comprx for the link)
5/21/05: Added, per CSJeff's request, direction to post suspected scam-mail in this thread. 5/21/05: Added, per CSJeff's request, a bit about spoof/phish mail and how to recognize it. 5/21/05: Added, per Diljs' request, some keywords to look for in IDing Nigerian scams. 5/22/05: Added a reference to CSJeff's post on understanding headers. The post is the second in this thread. 5/25/05: Added, per Lial's request, note about buyer's FedEx account + PayPal = Bad for seller. 5/27/05: Added a bit about powerseller invite phishes and directions from Economist on how to verify authenticity. 8/4/05: Added, per Ebytes' suggestion, addresses to send spoofs/phishes/suspicious mail for Overstock, Yahoo, and Bidville 10/31/05: Added, per Comprx's suggestion, a link to the FBI/U.S. Postal Inspection Service website on internet fraud. 2/16/05: Added, due to my frustration at seeing so many "OMG I found a new scam! This email looks so real" emails, the example at the very top of this post. 4/9/06: Added, per Mofta's request, a bit about the USPS not actually ssuing electronic MOs as some scammers allege. 8/7/06: Added a bit to clarify current BidPay options. 9/6/06: Added note about payments that use "accountant.com" as part of the address being fake. 10/4/06: Added per Ebytes suggestion, the address to send spoofs/phishes/suspicious mail for Amazon 1/26/07: Added a bit about Amazon and the list of countries from which payments can be made to Amazon Payments 12/31/07: Updated with info about bidpay shutdown
The email header just looks like a bunch of gobbledegook. Help!
Sample header (bolded for emphasis):
X-Originating-IP: [66.197.24.230] Return-Path: <aw-confirm@eBay.com> Received: from 66.197.24.230 (HELO eBay.com) (66.197.24.230) by mta186.mail.re2.yahoo.com with SMTP; Sun, 15 May 2005 12:03:21 -0700 Received: (qmail 4840 invoked by uid 508); 15 May 2005 18:58:45 -0000 Date: 15 May 2005 18:58:45 -0000 Message-ID: <20050515185845.4839.qmail@eBay.com> From: aw-confirm@eBay.com To: xxxxxx Content-type: text/html Subject: FPA NOTICE: Suspicious Activity -Section 9- Content-Length: 1775
The two reasonably important parts of the header above are bolded. The rest of the header is essentially useless as it can be forged.
Received: from 66.197.24.230 (HELO eBay.com) (66.197.24.230) by mta186.mail.re2.yahoo.com with SMTP; Sun, 15 May 2005 12:03:21 -0700
The "Received" header is probably the most important in determining the source of your message. There may be many such header entries as mail can be processed by multiple servers along the line. The most recent entry is placed on top, so the top entry (or one near the top) should be received by your mail server while the bottom entry (or one near the bottom) should be from the originating server. In this example, the originating public mail server and the recipient mail server are on the same line.
In this case, the message was sent from the SMTP server at IP address 66.197.24.230 which is identifying itself as eBay.com and was received by mta186.mail.re2.yahoo.com (Yahoo mail server). The identification ("HELO eBay.com") is not authoritative and can be set to any value the client wishes, so it's important not to rely on any domain values as identification. Instead, look at the IP address of the sender.
A scammer may obviously wish to forge its identity to make someone more likely to believe that the message is from, in this case, eBay. Simply glancing at the header yields several eBay references -- all of which are forged/made up -- which may increase the likelihood of someone believing the message is really from eBay.
Once you've determined (or narrowed down) the possible senders of the message, you'll want to do a lookup on the host or IP address to determine where the message came from. So, let's look up the sender: 66.197.24.230.
Looking at the data, we see that the IP belongs to Carpathia Hosting, Inc. (who is likely hosting the scammer, probably unknowingly). Contrast that to a known eBay IP address 66.135.209.200 and it seems clear that this email did not originate from eBay.
Keep in mind that doing lookups in this fashion is not guaranteed to be 100% accurate. There are at least a few reasons why incorrect data may show up (possibly due to some sort of fraud). You should not use this as a sole test to determine the authenticity of a message, but rather, as a test to determine that a given message is fraudulent.
The other headers are generally useless for determining authenticity. The "From" field can be forged as can the numerous other headers which contain some reference to eBay. In fact, every reference to "eBay" in that header is simply made up by the scammer.
X-Originating-IP: [66.197.24.230]
All headers in the format "X-..." (X-headers) like the above are not authoritative and will not appear in all (or even any) email headers. It is best not to rely solely on this line as it has no direct basis for determining the authenticity of the message and there is no absolute way to determine if this message was set by the sender, by an intermediate server or by your own email server. It's best to rely on the "Received" header(s) to determine the sender of the message.
[More complex header example to follow.]
But the email takes me to eBay, so how can it be a scam?
It's possible that the email does, in fact, take you to eBay. However, in most cases, the scammer has simply crafted the message in order to make you think this is the case. There are varying levels of sophistication in the techniques used to fool users... some range from simply relying on the user not paying much attention to relying on browser or operating system vulnerabilities to make the user unaware of what is going on.
The simplest technique is displaying an HTML page to the user that looks like the following:
Recently, we conducted a review of all accounts for potential fraud. During this search, your account was flagged for further review due to inaccuracies in the information you have provided us.
As a result, we require that you update your information within 7 days. If, after 7 days, your account information has not been updated to reflect your true and accurate information, we will be forced to suspend your account indefinitely. Please log into your eBay account at the following page and update your information:
This, obviously, is not taking you where it claims.
Another technique uses subdomains to prefix an otherwise clear scam URL. For instance, the scammer might own the domain (usually more official looking, though): iscamforaliving.com. He could direct you to: https://signin.eBay.com.iscamforaliving.com. If you're not careful, and if the scammer has a more believeable domain, it's possible to not catch that it's not really taking you to https://signin.eBay.com.
Is it clear from looking at the URL where this might take you? Depending on your browser, it might refuse to take you anywhere or might warn you about where it's taking you, but on other older (usually unpatched) browsers, you would be passed silently to the site in question without knowing where you were at.
While not very sophisticated in nature, it seems many people fall for such obvious scams. It's important, then, to understand that just because it appears you're going to a certain site, there's no guarantee that's the site you're actually visiting. It's better to first take a cautious approach, perhaps checking out the email in more detail. Better still, don't follow links in email messages, but instead, go directly to the site in question and log in using a method you know to be safe or contact the site directly (not replying back to the email). If you need help understanding where the email is taking you, post the email including the HTML, so we can see where you're really being taken.
1) You might want to add something to the effect of "POST YOUR SCAM EMAILS HERE" in the title or body of the message (with maybe a disclaimer that we don't really care about 5-year old scams, so no need to post them for our sake). Hopefully we can get this stickied.
2) If people are going to post spoof/scam messages it would be helpful to post the email header and the HTML source of the message. If you're going to add a notation to post scam/spoof emails in this thread, you might want to add that as well so it's easy to determine what's going on from the first post.
YAY finally! Thsi si good because whilse I feel so bad for those confised by scammers, I also dont like to see every other thread devoted to a scam that we covered months ago. YAYAYYAYAYAYY THANKS
At the beginning just add some bolded words that newbies can look for in their emails and know it's a scam.
Nigeria - Bad Grammar - I would like to buy X (where X is some random number more than 1 when you have only for sale) of your item - Urgent - Associate will pick it up - Will pay $XXX (where XXX is more than your selling price) etc.
I can't wait to see what other ways scammers can come up to add to this list. It would be great if people who ever had other experiences significantly different than listed above would share their stories.
Why the hell is eBay not doing something about this. I have received about 20 emails in the past three weeks some exact replicas of each other. It seems eBay doesnt give a toss about this or any of their users. This despite the fact eBay must have been hacked to get the email addresses. Has anyone actually seen enay get off their a####s to do anything about this?
JaneInMA said:Why the hell is eBay not doing something about this. I have received about 20 emails in the past three weeks some exact replicas of each other. It seems eBay doesnt give a toss about this or any of their users. This despite the fact eBay must have been hacked to get the email addresses. Has anyone actually seen enay get off their a####s to do anything about this? eBay HAS NOT BEEN HACKED. These messages go out to anyone and everyone, just like regular spam. Typically the Nigerian scammers will use the Ask The Seller A Question function to send out the initial salvo. Sellers on Craigslist and other online venues can and do get these messages as well.
What on Earth do you expect eBay to do? Ask at registration if the user is a scammer, and then deny those registrations?
I expect them to be tracking down the people reported to them and getting them kicked off their ISP. The exact same email is coming time and time again with the same root origin. They should be working to prevent their site use by phishing. Things like this make occasional users like me want to just pull my account and push everything with eBay in the title to the spam filter. Where as I pay quickly and cause no hassle, not the type of buyer eBay really wants to lose permanently.
JaneInMA said:I expect them to be tracking down the people reported to them and getting them kicked off their ISP. The exact same email is coming time and time again with the same root origin. They should be working to prevent their site use by phishing. Things like this make occasional users like me want to just pull my account and push everything with eBay in the title to the spam filter. Where as I pay quickly and cause no hassle, not the type of buyer eBay really wants to lose permanently. You do realize that many scammers use offshore ISPs that don't care about this kind of thing, right? And that most of them go through a ton of email addys so canceling one account does nothing. If it makes you feel better, though, report the idiot to his ISP.
eBay and PayPal do take the phishing expeditions seriously. Do your part by forwarding those emails with full headers to spoof@eBay.com or spoof@paypal.com as appropriate. eBay will do what it can to get those phishers shut down. however, you have to realize that for every one they do manage to close 10 more open up.
eBay can't do anything about it. As long as you're smart enough not to fall for this kind of scam, all you have to deal with is hitting delete on a bunch of emails. It should not deter you from using eBay or any other online shopping venue such as Yahoo, Overstock, Craigslist, etc.
If people didn't fall for this kind of crap the phishes and scams would stop. Until that day arrives, do your part by helping to education others about these scams. Don't just complain and say "eBay should so something".
JaneInMA said:Things like this make occasional users like me want to just pull my account and push everything with eBay in the title to the spam filter. Where as I pay quickly and cause no hassle, not the type of buyer eBay really wants to lose permanently.
The only way they could prevent it would be to create a means by which no user could be fooled into entering their info into another site. This is impossible since no matter what idiot proof tool you create, you still end up with people who willingly do whatever the computer tells them to do.
I think it's unreasonable to expect them to do anything more than they've already done. They're not there to hold our hands, they're there to provide a service and make money doing it. It's not in their power to stop a third party from contacting you outside of eBay or eBay's network. The fact that they do anything at all is probably only because they stand to lose out from users like you who would blame them for things out of their control.
Would you hold your local supermarket reponsible if a guy came to your door saying he was from said supermarket and that the store lost your credit card information and needed it again so that they could properly bill you for your groceries? Is this different because it's over the Internet? Clearly, your local supermarket should have a fraud team combing the streets in case of nefarious individuals roaming the streets.
From: olumide dennis motola <olums_moty@yahoo.com>
Hi, while i was surfing the net i came accross a site www.eBay.com where i saw the item you place for sale. I'm just sending you this mail because am very much interested in buying your Brand New Dell 5650 5.1 PC Speakers i'm biding it all My only mode of payment is Through Western Union Money Transfer Order . so if you're interested in selling your items for me, please endeavour to include in your reply, you full name and address , which i will use for sending you the payment through Western Union Money Order Transfer. Thanks, await your response. Regards Olumide Dennis.
Edited to include Yahoo response:
I reported this email to yahoo by forwarding it to abuse@yahoo.com His yahoo account was suspended:
This is what I got from Yahoo:
Hello,
Thank you for writing to Yahoo! Mail.
In this particular case, we have taken appropriate action against the Yahoo! account in question that was reported for fraudulent activities, as per our Terms of Service (TOS). Please know that Yahoo! is unable to disclose the action taken on another user's account with a third party. We are not able to make exceptions to this rule.
If in the future you receive an unwanted email message that appears to derive from a Yahoo! Mail account, please include the following in your report of mail abuse to assist us in a prompt and full evaluation:
1) Original subject line -- please forward the email with a subject identical to the original subject.
2) Complete headers -- email programs often display abbreviated headers. To learn how to display the full headers in a Yahoo! Mail account, please visit the Yahoo! Mail Help Desk at:
3) Complete message body -- please include the complete, unedited content of the email message in question. Please do not change or edit the message in any way.
If reports of email abuse are missing any one of these three items, it may take longer for the Yahoo! Mail Abuse Team to properly investigate and take appropriate action. We appreciate your efforts in reporting this abuse to Yahoo!. Due to security restrictions of our custom messaging system, we request that you simply forward a copy of the message on to us as opposed to sending it in an attachment.
Thank you again for contacting Yahoo! Customer Care.
I see a lot of sites mentioning that as a Buyer , be careful to not send money thru Western Union money transfer.
My question is, as a seller, is there a need to be careful if someone is offering money thru Western Union.?
Reason is that i received a mail like the following: Dear seller, I am Interested in purchasing your xxxx which was advertised on Amazon.com at the Price: $yyyy. I am buying this product as a birthday gift for one of my friends in Romania . I am wondering if you accept Western Union Money transfer. Waiting for reply Regards, zzzz
Disclaimer: By providing links to other sites, FatWallet.com does not guarantee, approve or endorse the information or products available at these sites, nor does a link indicate any association with or endorsement by the linked site to FatWallet.com.
