Today, I received this message:
Oh, no, I thought like good little phishbait. I didn’t even bid on that.
But instead of clicking through on the e-mail, I go to ebay.com and search for the item.
Well, lo and behold, the item number in question was an actual item and it was offered by the seller mentioned in the phish e-mail:
Of course, it’s still obviously a phish because:
- That’s not the e-mail address tied to my eBay account.
- The e-mail lacks most eBay header/footer details.
- The message headers indicate it came from somewhere besides eBay.
- The auction that I was “delinquent” for hadn’t ended by the time I received the e-mail.
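The checks in the list above that can be read off the raw message, automated as an added example (not part of the original post). The sample message, addresses, dates and the names `phish_indicators`, `domain`, `RAW` and `AUCTION_END` are all constructed for illustration, and the code assumes the top `Received:` and `Authentication-Results:` headers were written by your own mail server.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: every address, host and date below is made up.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.7])
    by mx.example.org; Mon, 05 Mar 2007 09:12:00 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net
From: "eBay Member" <member@ebay.com>
To: <old.address@example.org>
Subject: Unpaid item reminder

Please pay for your item.
"""
AUCTION_END = datetime(2007, 3, 7, 18, 0, tzinfo=timezone.utc)  # constructed

def domain(header_value):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def phish_indicators(raw, account_addr, brand_domain, auction_end):
    msg = message_from_string(raw)
    found = []
    # Sent to an address other than the one registered on the account.
    if parseaddr(msg.get("To", ""))[1].lower() != account_addr.lower():
        found.append("recipient-not-account-address")
    # Envelope sender is outside the brand's domain, whatever From: claims.
    rp = domain(msg.get("Return-Path"))
    if rp != brand_domain and not rp.endswith("." + brand_domain):
        found.append("return-path-outside-brand")
    # Only trust an Authentication-Results header added by your own MX.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=pass" not in auth and "dkim=pass" not in auth:
        found.append("no-passing-spf-or-dkim")
    # Top Received: line is stamped by the receiving server, so use its
    # time (not the sender-controlled Date:) against the auction end.
    stamp = (msg.get_all("Received") or [""])[0].rpartition(";")[2].strip()
    if stamp and parsedate_to_datetime(stamp) < auction_end:
        found.append("notice-before-auction-end")
    return found

if __name__ == "__main__":
    for hit in phish_indicators(RAW, "me@example.org", "ebay.com", AUCTION_END):
        print(hit)
```

The missing eBay header/footer details are a rendering judgement and are left out of the script.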
But still, the sophistication of this particular phish is remarkable. It scrapes an actual auction off of the eBay site before or at the time of mailing to make it seem more authentic.
I’m almost afraid enough to vow to never click a link in an e-mail again, but I’d probably get fired.