eBay and an email scam


What's the biggest problem holding back the development of online commerce? Surely it is the fact that fraud continues to undermine confidence.

Online fraud, often conducted via phishing emails, seems to be on the rise - and in the last month or so I've had personal experience of how sophisticated the fraudsters can be.

The latest example involved eBay, which has been fighting a long and only partially successful campaign against fraudsters who have damaged the reputation of the auction site as a safe place to do business. For several years now I have been running an annual auction of gadgets in aid of the BBC's Children in Need appeal.

The gadgets are review units supplied by some of the big names in tech, and they fetch some good prices. This year one of the products was the new BlackBerry Passport smartphone, and I was delighted to see that, after an intense bidding battle, it went for £410.

Then the winner contacted me to ask for my PayPal details and some further photos of the item. This seemed mildly curious - other winners just clicked and paid - so I had a closer look at the buyer.

Image caption: The fake email sent to Rory

He was called Tommy, gave an address in London which I couldn't find on a map and had only joined eBay the day before making the bid. I sent him a message requesting payment but also forwarded his message to eBay to see if there were grounds for concern.

To its credit, the auction site immediately advised me to hold off sending the item, even if paid, because the buyer did indeed look suspicious. Then overnight came a flurry of messages, from Tommy himself and from PayPal. "Dear Rory Cellan-Jones," said one of the PayPal messages, "You've received a payment of £485.00 GBP…"

Tommy had emailed to explain that he had added £75 to the bill to cover the cost of posting the item "to my Nephew in Nigeria cos will be going there to visit him due to family reasons".

Meanwhile, another email arrived from eBay warning me that the auction had been cancelled because Tommy's account no longer existed and he was a "suspicious buyer".

Now that was already obvious to me, but if he had not wanted the item posted to Nigeria I might have been taken in by the very convincing emails from PayPal - which on closer examination turned out to come from a dodgy address ending @mail.com.

I decided to contact Tommy, and asked him to send me a phone number so that I could "just sort out a few details" before sending the item. I eventually got through and at first, when I suggested to him that the PayPal emails were fake and he was probably a fraudster, he insisted that was a lie. But when I pointed out that the London address he had first given did not exist, he put the phone down.

Tommy's scam - buying items on eBay and then convincing sellers that he has paid for them - may work some of the time. But only if the sellers do not examine those PayPal emails quite carefully enough.

And there are plenty of similar scams depending on very convincing faked emails. Just last month, my elderly father received an email from Amazon telling him his account had been accessed from Romania, and if that was not him he would need to download some software and then change his password.

Media caption: Rory's conversation with "Tommy Lee"

At about the same time, my wife got a message from Apple warning her that her Apple ID had been frozen "as a protective measure to safeguard your iCloud Account from unauthorised access." This time there was a link to click to "certify" her account.

Neither of them fell for these ruses, which would have led to identity theft and perhaps to malware being installed on their computers. But my father was only saved because he found the instructions in the email too complex to follow.

Recent figures from the National Fraud Intelligence Bureau showed that £670 million was lost to online fraud over the last year. But that was almost certainly an underestimate as surveys also showed that only a minority of victims end up reporting frauds to the police.

We all need to be aware of the dangers from phishing emails, but some of the advice is confusing. Never click on a link in an email, we are told - but every month I get a bill from my broadband provider with a link to click on. And should our email programs not be better at spotting phishing messages by now, by cross-checking addresses with those of known senders? Perhaps everyone, from online shoppers to the big web businesses and the law enforcement agencies, needs to up their game in the battle against the fraudsters.
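The cross-check against known senders suggested above can be sketched in a few lines. This is an added example, not part of the original article: the allow-list of domains and the sample From headers are assumptions constructed for illustration, modelled on the fake PayPal messages that came from an address ending @mail.com.

```python
from email.utils import parseaddr

# Assumed allow-list: brand keyword -> domains that brand legitimately sends from.
KNOWN_SENDERS = {
    "paypal": {"paypal.com", "paypal.co.uk"},
    "ebay": {"ebay.com", "ebay.co.uk"},
}

def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")

def domain_matches(domain, allowed):
    """True for an allowed domain or a real subdomain of one.
    'paypal.com.mail.com' and 'notpaypal.com' both fail this test."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_sender(from_header):
    """'ok' if a claimed brand matches its domain, 'mismatch' if the header
    names a known brand but comes from elsewhere, 'unknown' otherwise."""
    text = from_header.lower()
    domain = sender_domain(from_header)
    for brand, allowed in KNOWN_SENDERS.items():
        if brand in text:
            return "ok" if domain_matches(domain, allowed) else "mismatch"
    return "unknown"

# Constructed sample headers (not taken from the real emails).
SAMPLES = [
    "PayPal <service@paypal.co.uk>",
    "PayPal Service <payments.paypal@mail.com>",
    "PayPal <service@paypal.com.mail.com>",
    "PayPal <service@notpaypal.com>",
    "eBay <ebay@reply.ebay.co.uk>",
    "Broadband Billing <bills@isp.example>",
]

def classify_samples():
    return [(header, check_sender(header)) for header in SAMPLES]

if __name__ == "__main__":
    for header, verdict in classify_samples():
        print(f"{verdict:9} {header}")
```

A From header can be forged outright, so a check like this only catches mail that names a brand while coming from somewhere else; it is a complement to sender authentication such as SPF, DKIM and DMARC, not a replacement.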