
ADVICE POINTS ON OPERATING A STORE PART 2 - SECURITY

by: pepper120851 (feedback score: 5845), Top 1000 Reviewer
24 out of 27 people found this guide helpful.
Guide viewed: 2956 times
Tags: Safety | Security | Scams | Running a Store | Profits


Yes – this is the BIG ONE.  I would be remiss if I did not draw your attention to security matters as an online business person.  Few problems cost eBay users as much money (and heartache) as eBay or PayPal account hijacking and other serious (but avoidable) security breaches. 

The most insidious theft racket online today is an attack known as “phishing.”  Simply put, these are emails sent by thieves to new or unwitting members.  The thieves create emails and websites that look identical to the actual websites we expect to see for eBay or PayPal, improperly using the logos of the real sites.  Then they cleverly pose as eBay or PayPal requesting personal and financial information online (via email) from you.  (Please note: The most important thing you must know UP FRONT is that PayPal and eBay never need to get your information in this manner -- Yes, I said NEVER). 

Unfortunately, the sole intent of the phishing email is to provide fraudulent links designed to hijack passwords and other sensitive personal data from you and/or your computer (to be used later by the thieves to plunder your accounts for money and/or fun).  Earlier statistics from 2005 showed that the phishing threat reached epidemic proportions and it continues!  In February 2005, there were no fewer than 13,141 unique (different) phishing e-mail messages supported by 2,625 separate fraudulent Web sites.  It has grown phenomenally since then.  Why?  Because it works!!

Along with the insidious e-mail phishing attempts, additional fraud hot spots are fake escrow services, Wi-Fi network invasions and assaults on PayPal.  So, you can see, security is a huge issue for an eBay retailer, by association with two of the biggest online retail enterprises today. 

The best and most critical weapon we have in our arsenal as eBayers is situational awareness of the threat.  Keeping in mind that knowledge is power, let's explore the threats and how we must deal with them...

Early phishing attacks were obvious fakes.  They were e-mails, initiated overseas in poor English, rife with spelling and syntax errors and poor, washed-out looking eBay logos — if there was a logo at all.  The recipient was warned, "if you do not update your account information within the next 48 hours, your eBay account will be closed." A blue hyperlink appeared at the bottom directing the prey to a Web site demanding passwords and other eBay account data, often including the request or demand for credit card and other personal information.   These crude attempts at account hijacking didn’t fool most seasoned eBayers, but they were successful enough with new folks to encourage the thieves to clean up their act and keep trying.  The spelling and sentence structure improved, copyright statements were added, and the eBay formatting and logos appeared realistic — causing even savvy eBay veterans to assume they could be real.  THEY ARE NOT.
Once eBay bought PayPal in 2002, the phishing attempts expanded to PayPal users.  The attacks then allowed thieves to hijack and clean out the unwitting eBay seller's PayPal account, and sometimes master hackers could take it further to linked bank accounts.  The scam begins with warning e-mails similar to those I mentioned above.  The thieves tend to target sellers with good (but lower) feedback ratings and vendors who deal in high-ticket, high-demand, or high-end items, including electronics, jewelry, cars, and coins as well as rare expensive items (for obvious reasons).  After hacking an eBay account, the thief uses photos from the victim's closed auctions to resell the no longer available items to unsuspecting buyers (or to other bidders via a "second chance offer") to get ready fast cash out of the PayPal accounts before the site owner knows what is happening.  It adds insult to injury when thieves use the victim's PayPal account to pay for listing fees and photos to support the scam!

Another problem is money-laundering scams in which PayPal users receive emails offering a percentage of a sale if the overseas "seller" can use the victim's US-based PayPal account to transfer the funds.  While this constitutes money laundering (a Federal crime), the offer of a 25-to-50 percent cut for the use of the account is enough to tempt many PayPal users into participating.  That participation usually leaves the victim with an empty PayPal account and deep regret they got taken in, because the money orders or checks sent were frauds and they passed on the funds as requested before the check or money order bounced back as a fraud.

The most costly eBay fraud involves fake escrow services.  In a typical scam, the "seller" targets buyers on eBay Motors.  The thief offers popular and/or collectable vehicles at significantly below market prices (BMWs, Mercedes, Lexus, Harley Davidsons, etc.).  The interested buyer (and prospective victim) e-mails a question to the thief, who replies with a form e-mail (rarely using the buyer's name), suggesting an escrow service the thief has used "many times before." 

Of course, to further encourage the use of this particular service, the thief also offers extravagant perks to come with the sale of the vehicle, including free transcontinental shipping (which typically costs about $2,000 or more).  The e-mails often contain legitimate company logos of real escrow services and copyrights.  Payment options include Western Union cash transfers, direct electronic bank transfers or other deeply suspect online payment methods.  The thief sets up an anonymous Yahoo e-mail box and uses a throw-away cell phone for a contact phone number during the scam.  When it is over and the thief has your money, they dump the phone and email account and vanish with lots of the victim’s money.  Obviously the car, motorcycle, antique, jewelry or art never arrives.  The buyer has no recourse because the transaction was not conducted with real protections of any kind.

The popularity of wireless data technology known as “Wi-Fi,” is rapidly altering the way people get online.  It provides remarkable convenience but also presents additional  hidden security problems along the way.  Using base stations or "routers," computer users link several computers to a wireless high-speed Internet connection.  Doing so  allows us to move around with "wireless" laptops and other mobile devices to work anywhere in the area.  Wi-Fi is so convenient that it can also connect your computers to printers and other devices wirelessly and it is deceptively easy to set it all up too.  Nonexistent at the turn of the millennium, Wi-Fi base stations are now in more than 10 million American homes.  Base stations are also available in many public places including hotels, libraries, coffee shops, fast food chains, and college campuses.  In some cases, an entire area of a city or a complete town is covered in a wireless "zone" or "grid" allowing those with wireless enabled laptops to go online anywhere inside the grid.

Sadly, along with the convenience of Wi-Fi comes the thieves' newest scam.  Several years ago, the U.S. Secret Service completed an investigation that led to the arrest of 30 international on-line thieves.  Of the 30 culprits, half regularly used open Wi-Fi connections (usually belonging to their unsuspecting neighbors) to do their deeds. 

The typical range of a Wi-Fi connection signal is about 200 feet.  However, newer antennas and amplifiers can extend the service (and the hijacker's reach) up to a quarter of a mile from the base station (router). 

While some public locations charge fees or require registration to use their Wi-Fi (making users traceable), others leave their networks wide open, and untended, 24/7.  When there is an open network in your home, thieves have access to anything on your computer and will "sniff" it with hacking programs looking for passwords and other sensitive data.  In fact, some hacking hobbyists spend all their time sniffing for information they then sell onward to identity thieves.  Once your network is found, thieves will use the stolen data to empty or hijack accounts, hold false auctions and run other scams across the Internet.  The good news is that Wi-Fi routers do include built-in preventive measures that secure the systems from hijackers right out of the box.  The bad news is that most home users (and many public places) do not bother to use the safeguards provided.

These four attack opportunities provide a wide range of options for criminals to turn the access they steal into an eBayer's worst nightmare.  Additionally, the entire growth of these problems online now threatens the reputation and continued success of the online auctions in general.  eBay, as the largest on-line retailer, is particularly vulnerable until all users take the time to learn and become wiser in order to protect ourselves.  So, we should not only pay close attention to our own computer security, but never miss an opportunity to educate others.

Now we know what the threats are -- what should we do about them?  First and most importantly, buy and use a virus protection program.  I use McAfee but have used Norton in the past.  eBay has introduced several important measures to protect its customers, including helping them to identify fraudulent Web sites and to filter illegitimate email and spam out of the system.  As with any tool, the trick is to get sellers and buyers to use them BEFORE there is a problem.

When phishing e-mails began, eBay sent out warnings to all its customers advising that the company never asks for sensitive information via e-mail (see paragraph 1 of this guide).  They also encouraged customers who received possibly fraudulent emails to forward them to the spoof site at eBay.com (there is also a site for PayPal Spoofs at PayPal.com now too).  The site generates a return email with warnings and advice on what to do if you have already clicked a link.  Since new users may not know about phishers and forwarding phisher emails for identification, new folks often remain very vulnerable to the first attack.

Today, eBay also offers all Windows-based computer users a free eBay toolbar designed to detect and alert the owner when he or she is about to click on a fraudulent Web site.  eBay has also provided a tool to manage the problem of legitimate eBay e-mail being blocked by spam filtering software.  It achieved this by integrating its own internal email system called “My Messages” onto the eBay site.  This assures that the email inside eBay is legitimate because it is duplicated on the recipients' "My eBay" page, which is only available after logging on to the eBay site.  So email in your regular email box that looks like it is from eBay is NOT REAL unless it also appears inside eBay in "My Messages."

Strangely, the single vulnerability surrounding these very good security measures is that too few people use them and they are FREE!   It is estimated that only 10 to 15 percent of eBay’s customers have downloaded the toolbar software.  The same or fewer customers understand the value of the "My Messages" page within eBay and the need to use it to check possible fraudulent emails before opening them.    Further, eBay will alert you with alerts inside of eBay NOT elsewhere to help you know when eBay has tried to contact you about any issue.

Sadly, many also do not understand the importance of forwarding spoof e-mails to eBay as a first step in catching the thieves in action.  With a staff of over 800 people devoted to online security, eBay is understandably one of the most aggressive companies in pursuit of online thieves.  Unfortunately, if phishers are not reported, there is no way for eBay or PayPal security to track them down and to warn customers they are fraudulent.  Even if you pass it by, they will go on to get someone else, and you could have reported them.  It is always a sad event to be ripped off and we all can do something about it.   It only takes one trip through identity theft hell to know it truly is a long hard humiliating hell that one often lives in for years.  It is a hard way to finally learn what we should have learned FIRST and taken steps before the incident. 

The first and surest rule of self-preservation on eBay, and its related sites, is to always suspect emails with hyperlinks.  Never, ever click on a hyperlink in an eBay or PayPal e-mail.  Once you do this with a spoof mail, the hijacker can, at the very least, harvest your e-mail address and you will be a constant target of scam activity.  If you fill in the fields requesting passwords and other sensitive data on a fraudulent Web site, your account (and possibly your identity) may be hijacked.  If the email is loaded with a password sniffer program, it will record your keystrokes the next time you log in and email them to a thief while you are totally unaware it is happening.

A safe alternative for people with spam-filtering or account problems, (or who simply must read all email), is to log into eBay and go to the "My eBay" link at the top of any auction page.  Selecting the "My Messages" link on the left sidebar leads to all legitimate e-mails sent by eBay and eBay members.  The messages can be deleted so you can clean out the inbox. While this process does not offer the instant gratification necessary for the dangerously over curious, it is the safest means of reading everything eBay sends and avoiding thieves.

As mentioned above, eBay now offers Windows users a free toolbar that flashes a warning when your browser is pointed towards a fraudulent Web site (when you mouse over a fraudulent link, it alerts you by changing colors).  The program, called "Web Caller ID," uses a behavioral detection mode that checks Web sites for long and/or convoluted URLs or recently registered domains (two signs of computer accounts designed to be hidden).  When catching a spoof site, the tool blocks a user's browser from that site automatically.  This is particularly helpful if we can't control our curiosity or are new to this brave new world technology. 

To download the toolbar, go to the 'Services' link at the top of any eBay auction page, scroll down in "Tools" to "eBay Downloads."  This toolbar also links your desktop to the eBay site and can be used for searches on the site.
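
The link checks described above (links that lead somewhere other than eBay or PayPal, and long or convoluted URLs) can be sketched in a few lines of Python. This is an added example, not eBay's toolbar code: the trusted-domain list, the thresholds and the sample email are assumptions, and the domain-registration-date check is left out because it needs a WHOIS lookup.

```python
from html.parser import HTMLParser
TRUSTED = ("ebay.com", "paypal.com")  # assumption: the sites the reader expects
MAX_LEN, MAX_DOTS = 100, 3            # assumed thresholds for "long/convoluted"

class Links(HTMLParser):  # collects (href, visible text) for each <a> tag
    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # host of a URL or of bare "www.site.com/path" text
    netloc = url.split("://", 1)[-1].split("/", 1)[0].split("?", 1)[0]
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0].lower()

def trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def check_link(href, text):
    """Return the reasons a link looks spoofed; an empty list means none."""
    host = host_of(href)
    if trusted(host):
        return []
    reasons = ["host-not-ebay-or-paypal"]
    if host.replace(".", "").isdigit():
        reasons.append("ip-address-host")
    if len(href) > MAX_LEN or host.count(".") > MAX_DOTS:
        reasons.append("long-or-convoluted-url")
    if trusted(host_of(text)):
        reasons.append("text-names-trusted-site")  # shown URL is not the target
    return reasons

def scan_email(html):
    parser = Links()
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.found]

# Constructed sample email body (example.net and 203.0.113.7 are reserved test values).
SAMPLE = """<a href="http://signin.ebay.com.account-update.example.net/ws/SignIn">https://signin.ebay.com/</a>
<a href="http://203.0.113.7/cgi-bin/webscr">Log in to PayPal</a>
<a href="https://www.ebay.com/myb/Messages">My Messages</a>"""
```

Calling scan_email(SAMPLE) flags the first two links and passes the third; a link that passes these checks is still safer to reach by typing the eBay address yourself and opening "My Messages."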

Unfortunately, PayPal phishing is nearly as prevalent as the phishing targeting eBayers.  Since PayPal accounts are usually linked to bank accounts, the stakes can be much higher.  A hijacked PayPal account can make your money or goods disappear instantly, with little or no chance of recovery.  While PayPal does offer up to a $500 fraud refund to "qualified buyers," it must be noted that an ounce of prevention will likely save you from a very frightening and deeply unpleasant experience.

There is more to come -- Please see Part 3 of this series on owning and operating an eBay store...  Want to know more?  Visit my other teaching guides for great, easy to follow instructions on many different aspects of buying, selling and safety on eBay.  Please drop by my auctions (Pepper120851) for uncommon bargains daily.  Take a peek at my store "The Write Place" where there is always a SALE going on everyday because YOU name the price you pay for everything you find there!  I also offer the best combined shipping on eBay -- only $1.00 for each additional item.  Check out my return policy and feedback -- you CAN bid with confidence.

Pepper120851


Guide ID: 10000000002112469
Guide created: 10/11/06 (updated 08/09/09)

 