RealTime IT News

Scammed for the Holidays

Attempts to perpetrate fraud against eBay users are being stepped up as online holiday shopping reaches its peak, and the auction leader recently warned its users about spoof e-mails designed to harvest password and account information.

The problem is not at all new, but as the holidays have brought more inexperienced shoppers online, the criminal element appears to have stepped up its efforts to scam them.

And newbie shoppers, of course, are soft targets -- they're just easier to fool.

Estimates of the amount of money that will be lost, both to fraud itself and to orders that merchants cancel out of fear of fraud, run up to nearly half a billion dollars.

Phony e-mails urging consumers to surf over to a completely fake Web site and provide all kinds of personal data and passwords are now so pervasive they are becoming difficult to track.

For instance, a new spoof site, ebayupdates.com, was recently reported, but apparently it was quickly shut down as it could not be reached today. A warning was issued by the SANS (SysAdmin, Audit, Network, Security) Institute Internet Storm Center, a private Internet watchdog group. This particular scam apparently targeted eBay users in Australia.

Online scam artists use such phony sites to glean account information -- user names, passwords, credit card data -- from the unwary, and hijack their accounts. They can then "sell" merchandise that they never deliver.

Alternatively, if you can steal an innocent's credit card data, the numbers alone can be sold on the Internet black market.

"The theft of credit card information is just the first step in a much larger Internet fraud picture," David Steiner at AuctionBytes.com told internetnews.com.

"These stolen credit cards are used to not only set up fraudulent eBay IDs and sell items that don't exist, but also to register fraudulent domain names," he said. "Some of these domains are used as scam escrow sites -- to bilk large amounts of money from victims. Fraudulent escrow sites tend to target high-ticket items, so the scam can be very lucrative for the perpetrator -- and painful for the victim."

eBay, in a Dec. 6 warning to users in the announcements section of its site, says:

"Some members have reported attempts to gain access to their personal information through e-mail solicitations that are falsely made to appear as having come from eBay. These solicitations will often contain links to Web pages that will request that you sign in and submit information. At eBay, we identify these as 'spoofed' emails or Web sites.

"We encourage you to be very cautious of emails that ask you to submit personal information such as your credit card number or your eBay password," eBay said.

One of the latest spoof site links was offered up in a scam e-mail reportedly headed "Ebay (sic) billing error" that begins: "Dear Ebay Member, We at Ebay are sorry to inform you that we are having problems with the billing information of your account."

PayPal users also are often targets of such "fishing expedition" e-mails.

Occasionally the bad guys get nailed, though. Last week a Los Angeles man was charged with defrauding eBay buyers on six continents in what prosecutors called one of the largest Internet auction scams uncovered to date.

Chris Chong Kim, 27, was charged with four counts of grand theft and 26 counts of holding a mock auction for allegedly failing to deliver the high-end computers and computer parts he sold on his eBay business site, Calvin Auctions, according to a Reuters report. The complaint listed losses of $453,000.

A recent industry report on the fraud problem predicts that crooks and deadbeats will create losses of an estimated $285 million over the holiday season in the United States.

In fact, online security company CyberSource, which came up with those numbers, said that fraud is expected to siphon off about 3 percent of overall online sales in 2002.

And as the shopping season is peaking, there has definitely been an uptick in fraud, said Ellen Silver, senior product manager for Risk Management at CyberSource.

"We've seen that growth throughout 2002," she said. "The percentage of fraud is correlated to the percentage of online growth, which is evident as merchants are implementing/utilizing more fraud tools yet fraud rates remain constant..."

Other estimates of fraud losses are even higher. Gartner Group analysts recently estimated that $160 million will be lost this holiday season to fraud and approximately $315 million will be lost in canceled sales due to suspect transactions, for a total loss of about $475 million.

Gartner's report also notes that missed sales opportunities cost online merchants two times more than losses from completed but fraudulent transactions.

"E-tailers report that fraud attacks are becoming more sophisticated, frequent, and menacing in nature," said Avivah Litan, vice president and research director for Gartner.

Indeed. Some of the scam e-mails to eBay users now threaten (falsely, of course) to cancel a customer's account if they don't go to the spoof Web site and cough up all their personal data.

So, what to do if you're new to online shopping, especially at an auction site?

William H. Schneid, a professional criminologist and director of special operations at Global Projects Ltd. in California, an investigative research and security company, had these suggestions:

"Check out addresses (not P.O. Boxes); get telephone numbers AND call them."

"As in the L.A. fraud case ...the accused apparently sold enough and sent enough merchandise to build up a valid feedback rating ... don't be lulled into a false sense of security by feedback alone."

"Don't make large purchases by personal check or money order or cashier's check. Credit cards still offer the best protection," he said. "Even if they are abused, the card company carries the liability, not you."

On large purchases, such as an expensive car or something similar, Schneid even suggested going so far as to hire a local private investigator to check out the seller/buyer.

"It shouldn't cost you more than $100," he said, and it's cheap insurance "against hunting down the fraud suspect after he/she got away with your thousands of dollars."