It would be difficult to find someone with an email account who has not received a phishing email. This dangerous form of identity theft has become increasingly sophisticated and widespread. My research indicates that PayPal is by far the number one phishing target and eBay is number two.
In this guide, I’ll walk you through some of the common phishing defenses, plus a few that you probably have not thought of. This guide deals with emails that appear legitimate but link to web sites that steal personal information. Phishing comes in other forms, such as phone calls and instant messaging, but we’ll stick with the more common email phishing in this guide.
Remember, with the sophistication of phishing attacks, you need layers of protection. Don’t rely on just one thing to protect you!
For the purposes of this guide, I’ll assume that you will break rule #1 below. Don’t dismiss this off-hand: people who are VERY experienced with the internet have been tricked by a phishing email.
- Never, ever, ever click on a link in an email! This is obvious, but again, many smart, internet-savvy people have been tricked. Also, it may not be easy if you are in the habit of clicking on links in email, since it is more convenient than typing the web address into your browser.
More importantly, NEVER fill out a form embedded in an email! Do you really think that PayPal needs your password in an email form? Certainly, there are more devious and unexpected methods, so just say NO to email forms of ANY type!
- A few tips to not break #1 above:
- Don’t assume that because an email appears to be from a trusted organization or person that it is not a phishing attempt. It is very easy to fake an email address.
- See that link in the email? Just hover over it with your mouse for a second or two. The real link should appear. While the visible link may look legitimate, it could actually be taking you somewhere completely different. Even when you look at the link, it may have the words “eBay” or “PayPal” in it and still be a phishing attempt! This works with most email programs.
- Any web site that is asking for important personal information should be secure. Look for the “https://www…” (with an “s”) rather than “http://www…” (without an “s”) in the address bar. “https” indicates a site using encryption, which is generally not the case with a phishing site.
- Immediate action required: we frequently receive emails that legitimately require urgent action, but urgency is also a good sign of phishing. The hacker needs you to act quickly before they are discovered.
- Threat: account suspension, bad feedback, etc. are frequent tactics by phishers. If you’re worried, open your browser and log in through the home page of the account provider rather than using the email link! You also may be led to believe that the only way to resolve the “issue” is to click the email link. Think about it, if PayPal is suspending your account, don’t you think that if you go to your account through the PayPal homepage (rather than the email link), that they would have a big message alerting you?
- ANY WEB PAGE that requests personal information of any type from an email is suspect!
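The “hover over the link” check above (does the address you see match the address you actually go to, and does a link that merely mentions eBay or PayPal really belong to them?) can be automated over an HTML email body. This is an added example, not part of the original guide; the brand-to-domain table and the sample message are my own constructed assumptions, and the registrable-domain helper is a deliberately crude last-two-labels rule rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the guide names, mapped to the domains they really use (assumption).
KNOWN_BRANDS = {"ebay": {"ebay.com"}, "paypal": {"paypal.com"}}
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def registrable(host):
    """Crude registrable domain: last two labels (no public-suffix list here)."""
    return ".".join(host.lower().split(".")[-2:])
def check_link(href, text):
    """Return the reasons one link fails the guide's checks (empty list if none)."""
    url, reasons = urlparse(href), []
    host = url.hostname or ""
    if URL_LIKE.match(text):  # visible text looks like an address: compare with the real one
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        if registrable(shown) != registrable(host):
            reasons.append(f"shows {shown} but goes to {host}")
    for brand, domains in KNOWN_BRANDS.items():  # brand name inside a look-alike host
        if brand in host.lower() and registrable(host) not in domains:
            reasons.append(f"'{brand}' in host but domain is {registrable(host)}")
    if url.scheme != "https":  # personal data should only go to an encrypted site
        reasons.append("not https")
    return reasons
def suspicious_links(html):
    """Scan an HTML email body; return [(href, reasons)] for links that fail a check."""
    p = _LinkCollector()
    p.feed(html)
    return [(h, r) for h, t in p.links if (r := check_link(h, t))]

# Constructed sample (not a real message): two lures and one legitimate link.
SAMPLE_EMAIL = """<p>Your account will be suspended. Verify now:
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/</a></p>
<p>Or <a href="https://secure-ebay-login.example/signin">click here</a>.</p>
<p>Help: <a href="https://www.paypal.com/help">www.paypal.com/help</a></p>"""
```

Calling `suspicious_links(SAMPLE_EMAIL)` flags the first two links and lets the genuine PayPal help link through; the same checks apply to any HTML body you feed in.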
- Anti-Phishing Toolbars
- eBay phishing filter: Get the eBay toolbar for your browser. This is good basic protection for eBay and PayPal phishing attempts. You can get it here:
http://pages.ebay.com/ebay_toolbar/
Unfortunately, it only works with Internet Explorer (IE), so it won’t help you if you use Firefox or another browser.
- Microsoft also has an anti-phishing toolbar. Obviously, this is also an IE-only solution.
- Earthlink has a toolbar available to anyone (not just subscribers). It’s easy to use and provides good verification of trusted sites. Plus, it is available for both IE and Firefox!
- OpenDNS – I love this. I can’t put links outside of eBay here, but it’s easy to find using any search engine.
Here are the basics on OpenDNS: the internet does not understand the web site address typed into your browser. That address must be translated into the real address, which is numeric. This is done by sending the name, e.g. www.ebay.com, to a DNS (Domain Name System) server, which returns the IP (numeric) internet address of the site you want. Typically, you use your ISP’s DNS, but you can easily change it to the free OpenDNS service, which has many benefits.
OpenDNS, when active on your PC, will block websites in its database that are known phishers. I changed the DNS settings on my router to make sure that all my computers are protected with it, but it is more typically done at the PC level.
I won’t go into the details of how to use this service, as they probably do a better job on their web site than I can here. It’s pretty simple, hassle-free, and has other benefits (such as being faster than my ISP’s DNS server).
- Only use the “My Messages” eBay email system for auction-related communication. There are a number of reasons to do this; phishing is one of them.
- Regularly log in to your accounts. If you’re not keeping track of your eBay and PayPal accounts, you don’t know what’s going on with them.
- Always report suspicious emails to spoof@ebay.com. Just forward the email to them. It only takes a second, and helps the rest of us stay safe.
- Never use the same password for different accounts. Is the password for your eBay account the same as the one from PayPal? If so, what do you think would happen if a phisher gets a hold of one or the other? That’s right, access to both accounts.
Different passwords can be a pain, so get yourself a good password manager that securely saves all your different passwords. I use one that installs on my PCs and on a USB flash drive so I can easily use any PC to log in to my accounts. The only password I have to remember is the one “master” password for the management program.
Not directly related to phishing: Use a secure password. My password management program will generate random letter/number/symbol passwords such as “O1Ubk1$J@ndCPl5O9*G$#7” which has a bit strength of 132. It would take years for the most powerful computers in the world to successfully attack a password this strong. Since I use a password manager, I don’t care that I can’t remember it.
I use Roboform to do everything in this tip, but there are other options out there. I am not affiliated with Roboform in any way.
- Change your passwords. Don’t use the same password for years and years. I change mine every 1 – 3 months depending on the security I feel is needed.
- Keep your browser and email software up to date! The latest versions of Internet Explorer and Firefox have built-in phishing protection; take advantage of it. Note that phishing protection may not be turned on by default in IE!
- Keep up to date, visit the phishing help pages here on eBay and on PayPal from time to time.
Guide created: 09/08/07 (updated 01/11/09)