Another scam?

Any personal email from PayPal specifically addressed to you will
address you by your name, not by your email address. If in any doubt
at all, forward the email to spoof@paypal.com or spoof@paypal.co.uk
for those of us in the UK (there are similar addresses for other
countries I think). Do NOT ever click on the link unless PayPal reply
that it is OK. They usually reply to me on the same day.

Exercise the same caution with messages from EBay (spoof@ebay.com or
spoof@ebay.co.uk).

I recently received an email purporting to be from EBay supposedly
highlighting a particular item as a special promotion. I was
dubious, so rather than click on the link in the email, I noted the
item number and looked it up directly on EBay. I was curious to find
out if this was a new EBay promotional tool or a scam. The auction in
question had actually ended some 2 months previously, and the item
had in fact been sold. I’m sure a lot of people were caught by that
one.

Pat

Ettagale…

Welcome to the newest cyber “sport”…It’s called “phishing”…
Bogus notification messages that urge you to click a link and update
your info or your account will be restricted/terminated/modified
etc.

NEVER CLICK ON THAT LINK

EBAY, Paypal, the various banks and CC companies do not send out
these kind of messages for personal to be supplied via an
embedded link… Phishers do…

If you do so and provide the requisite you’re setting
yourself up for identity theft…

Even if it does not appear to work, the site you hit can infect your
machine with a virus, adware, or keystroke logger, or some kind of
other malware…

The thing to do if you feel the message might be legit, open up a
new browser and go to the official website the normal way you would, to
check it out…

Since you clicked on the link and it didn’t seem to work, now might
be a good time to do a virus scan and use something like Adaware
and/or Spybot Search and Destroy (both probably) to check your system
out…

Better to be safe than sorry…

Gary W. Bourbonais
A.J.P. (GIA)

This scam is called “phishing”. Do a Clusty or Google search and
read about it. The ‘phishers’ have been getting about a 5 percent
response to their scam. Amounts to a lot of identity theft. Ebay has
stopped sending any email to members and is now using an Intranet
email system where users have to be logged in to their account to
get any email messages from Ebay.

Thanks to all who wrote about the PayPal scam. Fortunately I had not
clicked on the link – thanks to AOL, I cannot click on links even
when I want to – and when I typed in the PayPal address, I was led
to the real site. That’s where I sent my query about this.

I have a virus scan plus Spybot on my computer and do run them
regularly. It’s difficult to think of the computer as another
"front door" but that’s exactly what it is and you just have to keep
locking up that front door against all the crooks, scammers, thieves
and just plain weirdos out there who have nothing better to do with
their time than to try to hack into your computer.

Ettagale

Ettagale and all,

My husband recently received a pseudo-PayPal spoof e-mail very much
like the one you described. This one was loaded with lots of
graphics stolen from the PayPal site - it looked very slick and
professional and “real.” It, too, directed the recipient to a website
(which looked just like PayPal’s) and asked for such as
your SS#, your credit card number, and your PIN. (PayPal will never
ask for your PIN.)

The dead giveaway was that the e-mail was sent to my husband’s work
e-mail address, while his PayPal account is through his personal
address. There’s no way PayPal would ever have even had his work
e-mail. Also, the e-mail did not address him by his first and last
name (e.g., “Dear John Doe,”), as PayPal’s e-mails always do.
Finally, when PayPal has any sort of business to conduct specifically
regarding your account, the message is delivered in plain text with
no graphics.

Shortly after this incident, which was reported through the link on
PayPal’s site, several of my husband’s co-workers received the same
spoof.

Heads up, y’all, and bear a wary eye. Somebody out there is up to no
good.

Jessee Smith
www.silverspotstudio.com

My husband recently received a pseudo-PayPal spoof e-mail very much
like the one you described. This one was loaded with lots of
graphics stolen from the PayPal site - it looked very slick and
professional and “real.” It, too, directed the recipient to a website
(which looked just like PayPal’s) and asked for such as
your SS#, your credit card number, and your PIN. (PayPal will never
ask for your PIN.)

If you’re working with a good firewall correctly configured, it
sometimes can be safe to at least look. Just make sure you’ve set the
firewall to deny any outbound identifying to be
transmitted. Zone Alarm is good this way. Others may be too. If
you’re NOT working with such protection, it’s best to never even look
at these sites, especially if you use Internet Explorer. The new
Firefox browser is a lot safer in this regard.

But anyway, looking closely at these phishing sites, one notices one
reason why so many of the features closely mimic a paypal page. The
reason is that most of the page is actually code copied from a paypal
page, and all of the little links to other features of paypal will
actually take you to that feature on paypal. Only the main page of
the phishing scheme is fake. You can see it by observing the URL
line in your browser. The link in the scam email which you clicked
looked like a paypal URL, but the real link it takes you to is not a
paypal site. Most likely, it’s been rigged to look almost like
paypal, but a close look will show that while paypal’s sites start
with something like http://www.paypal.com/… with the dots after
that backslash being the details of where on the site you’re going,
the fake ones will have something between the www and the paypal.
Often it’s just a couple letters or numbers, and then a dot. That
little detail is the key. As the first item in the URL, THAT little
sequence is the address of the actual server. On paypal’s site, it’s
always the paypal server. The fakes may make it look almost the
same, but a close look at the URL line in your browser shows the
real address of the site. But click on any link, like privacy policy,
or other parts of the paypal site shown as links on the page, and
they indeed work, then showing you that they indeed are on the paypal
servers. All in all, the schemers/scammers do it VERY slickly. You
need to be very on your toes with such things.

The bottom line is simple. There are virtually NO merchants, banks,
or any services that give you any sort of account, that will ever
send you an email requesting that you update or give
them any verification, and that will also then give you a link in the
email. The very few times that such an email might get sent, it will
simply be a notification of some event in your account that requires
your attention. It will tell you the organization. It will assume
you know how to get there by typing in the URL yourself, or using
your bookmarks, or something. The difference is that then YOU go to
the organization. They don’t direct you. Any email that gives you a
link to click to take you where THEY direct, can be fooling you.
Remember that with HTML coding, a link you see to click is only a
label. The actual URL you’re clicking on is hidden in the code of the
HTML. This is to allow a link to be a text label, even if the link is
simply a numeric URL or other long stuff. The URL shown in your
browser window is accurate, but sometimes these take careful reading
to be sure of where you are. And remember too, that with Java script
and other such methods, a page can, without your direct knowledge,
communicate with the remote site. Windows continues to be full of
holes that, no matter how fast Microsoft plugs them, allow HTML
pages to potentially transmit sensitive info, or accept cookies and
other programs that then run on your computer. Spyware, viruses, data
loggers, and all those nasties, seldom if ever announce their
arrival, but in general, they get to your computer when you go to the
site that’s distributing them… Once you go to a site, even if you
don’t fill in the forms, if you’re not behind a good firewall, and
it’s not set correctly, you can have given the bad guys what they
want. So be careful. Screen your email carefully before replying or
clicking on anything in an email, even if you think you know who it’s
from and what it is. The bad guys have many legitimate email
addresses too, including, for example, a couple of mine. Some folks
get email messages with my email address as the from address, which
contain virus infections and the like. Trust me. I didn’t send these,
and neither did my computer. People who don’t carefully screen their
email could be fooled.

One trick that will help with email, by the way, is to use an email
program that does not have the ability to directly run any code.
Generally this means turning off the ability to read HTML formatted
email, or using an email client that does not have HTML capability
built in. It’s one of the main reasons I use Forte Agent as my mail
reader. When I get an email in HTML code, I don’t see the formatted
page. I see either a little icon showing me that it’s an HTML page,
and to read it I have to click it, or I can alternatively look at the
raw message, the actual text of the HTML page (the code). Either
way, this is safe to do. Nothing runs, nothing gets loaded, nothing
can infect. I can look at suspect email headers to see who it’s from
(not the “from” header. The real headers along with it). Or I can
look at the HTML code to see what the message might be about. You
know, the interesting thing about this is that only two types of
messages seem to come in only HTML form. Most legitimate emails
from individuals come in either plain text (which is safe to read),
or in dual format, so that there is the HTML portion represented by
that icon, but then a plain text version, so I can know what the
thing is about. The only things I’ve seen that commonly come as ONLY
HTML are spams, nasty stuff like virus infected messages and a few
newsletters from organizations whose online publications need the
graphic capabilities of HTML. And there are not many of those.

Agent will, of course, still not prevent you from getting into
trouble. You can still click a URL and go somewhere you should not,
from a nasty phishing email. But you have to make the error in
judgement. Nothing is automatic. Take the time to know what you’re
replying to before doing so, and you stay safe.

cheers
Peter Rowe
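
An added example, not part of Peter's post or of any tool he mentions: a short Python check for the point made above, that a link's visible label and the URL hidden in the HTML can differ, and that only the hostname the browser actually contacts says where you are. The sample message, the example.net host and the 203.0.113.5 address are constructed for illustration, and treating paypal.com as the single trusted domain is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "paypal.com"  # assumption: the one domain the reader expects


class LinkCollector(HTMLParser):
    """Collect (href, visible label) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname the browser would contact, lowercased; None if unparseable."""
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None


def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def audit_links(html, trusted=TRUSTED_DOMAIN):
    """Return [(real_host, [reasons])] for links that deserve a second look."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    brand = trusted.split(".")[0]
    findings = []
    for href, label in collector.links:
        real = host_of(href)
        if real is None or belongs_to(real, trusted):
            continue  # no host at all, or genuinely on the trusted domain
        reasons = []
        # Only treat the label as a URL if it looks like one (no spaces, has a dot).
        shown = host_of(label) if "." in label and " " not in label else None
        if shown and shown != real:
            reasons.append("label shows " + shown)
        if brand in href.lower():
            reasons.append("URL mentions " + brand + " but host is not " + trusted)
        if reasons:
            findings.append((real, reasons))
    return findings


# Constructed sample: two misleading links plus one that really is on paypal.com.
SAMPLE_EMAIL_HTML = """
<a href="http://www.paypal.com.secure-login.example.net/cgi-bin/webscr">https://www.paypal.com/cgi-bin/webscr</a>
<a href="http://www.paypal.com@203.0.113.5/update">Click here to update</a>
<a href="https://www.paypal.com/privacy">Privacy Policy</a>
"""
```

Calling audit_links(SAMPLE_EMAIL_HTML) reports the first two links and stays silent on the privacy-policy link, which is the pattern described above: the secondary links are real, only the main one is not.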

Hi all,

I have just received in the past few weeks 2 suspicious orders to my
site. Both were made purchasing items with a credit card
withbilling and shipping addresses in the US. The English used in
the correspondance is a little shaky and the IP address of the
computers the orders were made from were both in Amsterdam and both
wanted the items sent very quickly. And both were moderate size
orders - not huge like the Nigerian ones.

The first one, after I emailed saying I could not make and ship the
item out by the date they wanted it (they said they were leaving the
country), asked what date it would be shipped and specifically
wanted a Fedex # to track it. The spelling of the last name in the
email was slightly different than the billing info, so I looked up
the person’s name in an online phone directory. I did find a phone #
for that person in the same area as the billing address and called.
Turns out the person never made the order, does not own a credit
card with the last 4 digits as the one I had, knows of no others in
his area with the same name, but the shipping/billing address is
the same as his work address. He is now looking into the possibility
of his identity being stolen.

Now I have a 2nd order wanting an item impossibly quick, using
European dates, and made from a computer in Amsterdam using US
shipping and billing addresses.

Has anyone received an order like this or know what this is all
about? I have not been able to find any info on it on any internet
sites.

Thanks,
Jill
http://www.jjewelry.com

Hi Jill, I would be cautious about sending anything to Europe. You
are very smart to check those card holders.

I have been selling items on Ebay, and have learned to take a payment
only through Paypal. They do all that research for you. You end up
with no fraud problems. They will research the card holder’s address
and phone number. All you have to do is ship only to the Paypal
confirmed address and have anything over $200.00 signed for. If the
item was paid for with a fraudulent card, and you shipped to the
confirmed address, then Paypal will protect you from fraud. It’s the
only way I go now. The Paypal fee is well worth it to me.

I sometimes get customers who want me to ship to a different address
than what is on the card. I won’t do it. Otherwise they can say that
you never sent it to them. That it was delivered to someone else,
again you lose.

Just my experience

Janet Alexander
Alexander Designs
www.ornettes.com
972-724-8405

I would be cautious about sending anything to Europe. You are very
smart to check those card holders. 

Hello Janet,

While I certainly agree that caution is called for in all credit card
transactions I’d respectfully suggest that there are a number of reasons
to be a little more open-minded regarding European customers.

For one the position of the US dollar vs the Euro makes US suppliers
very attractive to European customers. This is doubly true when you
consider that European suppliers are often as much as a year or two
behind their American competitors in terms of supply of new or
recently developed products. I know that a number of very well
placed people in the industry here in Europe who are simply telling
their clients to order stateside for such products because it’s too
expensive or too slow to get them in Europe.

I agree with you that PayPal is a great way to go for handling
offshore purchases. Personally I wish more vendors would take PayPal
seriously because it really can make the life of customers, like me,
much simpler. However I would caution you about applying the
“confirmed address” rule too stridently. Last time I checked non-US
addresses could not be confirmed unless the PayPal member provided a
bank account to back it up REGARDLESS of whether they ever intended
to use that bank account to do their PayPal business or not.
Personally I like to keep my financial details to myself unless there
are compelling reasons to do otherwise. All this to say that there
may be very good reasons why a PayPal member does not have a confirmed
address.

Finally there’s the question of the difference between one’s credit
card address and one’s shipping address. I think you’ll find that
this is the norm for most ex-pats, not the exception. In Paris alone,
for example, there are approximately 100,000 ex-pat Americans and
Canadians, most of whom keep close ties to their country of origin
including their credit cards. I know, I am one of them. While it is
of course only prudent for vendors to proceed with caution in such
cases because of the possibility of fraud I think a key part of that
statement is “proceed”. To simply refuse those customers is
exceptionally inconvenient for them and needlessly limiting for the
vendors. For example my bank back home knows that I am here in Europe
and I’m happy to provide a contact person at the bank who would
confirm both my home/credit card and European addresses should a
vendor request it.

I guess my point is that we live in a global economy now whether we
like it or not. On the upside that means there are a lot of potential
customers out there and many of them are just a browser visit away.
On the downside things get a little more complicated and caution is
the order of the day on international orders. I do a fair amount of
business with stateside suppliers and as long as I’m willing to let
them do what they need to do to feel comfortable about the
transaction it usually works out well for us both.

Cheers,
Trevor F.

    While I certainly agree that caution is called for in all
credit card transactions I'd respectfully suggest that there are a
number of reasons to be a little more open-minded regarding
European customers. 

Can anyone suggest resources for learning more about these issues?

Anyone else ship internationally? How do you have a reasonable
policy that includes some countries but not others (known for
scams)?

Thanks.
Elaine
Elaine Luther
Metalsmith, Certified PMC Instructor
http://www.CreativeTextureTools.com
Hard to Find Tools for Metal Clay

Anyone else ship internationally? How do you have a reasonable
policy that includes some countries but not others (known for
scams)? 

Hello Elaine,

I don’t know if this answers your question really but I have
purchased gear and goods from several US-based Orchid members and/or
their companies since I’ve been here in Europe. Rio, Gesswein, SFJS,
Otto Frei, Beth at MyUniqueSolutions.com, Ed at KashmirBlue, etc.

Nobody really seemed to have a problem with the process as long as I
wasn’t in a big rush. I’ll bet that any one of them would be able to
provide further info if asked.

As to the “good country/bad country” thing I’d say it comes down to
what you hear and what you believe. I ran into a couple of folks who
refused to do business with French customers, or Italian or whomever.
They said “stuff shipped to Europe gets stolen more often than it
gets delivered.” Well, if I had to I could probably produce about 100
or more invoices for stuff I’ve had shipped to me from Canada or the
US and I’ve only ever had one package go AWOL (and that was somewhat
mis-addressed) and a book. Let’s call that a 2% failure rate. That’s
a darn sight better than when I used to order things back home
(Canada) and nobody ever says they won’t ship there.

My guess is that yes, it might take a little more effort than simply
selling and shipping within North America but it’s not a show-stopper
either.

Cheers,
Trevor F.

Hello Trevor,

I’m glad you came to the defense of us “honest” people living in
Europe!

Could you tell me what your experiences are with shipping costs
and/or duty? I regularly order at Rio but I always try to make it
coincide with a visit to the US (which is not always convenient).
You may write to me directly at @Savineau_Linda

Greetings,
Linda

Be aware

Bogus e-mails from ebay and others are nothing new. They want you to
re-enter your personal data etc to get your creditcard A
new and more sophisticated trick is being implemented.

Please make sure you know whom you are dealing with when ordering on
the internet:

www.newscientist.com/article.ns?id=dn7299&feedId=online-news_rss20

Alain

Another twist on the Nigerian scam

To Fellow Orchidians:

One more Nigerian scam for people to look out for: scammers using IP
relay/relay operators for the deaf. I’ve received quite a few scam
email requests for jewelry in the past couple of years, but received
my first request via relay operator this morning (at 6:45 a.m. Alaska
time, I might add!). As usual, they wanted expensive bracelets,
wanted them immediately, and didn’t want to pay by check. What will
they think of next?

Susan R. Serna
Flor de la Luna
Hand Fabricated Jewelry in Silver and Gold
http://www.flordelaluna.com

Another scam for people to look out for is the “trade show guide” I
think it’s called. I do wholesale trade shows, and I guess they got
my name from the directories. Some company (I forget where) is
sending out letters that say sign up for your free listing in our
trade show guide… At the top it says it’s in conjunction with a
particular trade show, LA Gift, Buyers Market of American Craft,
etc… but at the bottom in very small print it says that you will
be billed $480 per year for this “free service”. I’ve been told that
it’s a binding contract and to be careful and always read the fine
print.

It’s a scary word!
Amery

This one is because those relay calls are FREE. The Relay service is
being abused quite badly because of it.

Elizabeth Schechter
RFX Studios

Relay calls are not free. If you check your phone bill you will see
where we are charged each month for the “free” service. I have gotten
numerous calls, all but one were bogus.

Janine in Redding, CA

This has been going on for several years… I got hit with it two
years ago, and luckily the credit card wouldn’t go through so I was
saved from a big loss. The thing that makes me mad is that because of
the “rules” of the relay service they are only allowed to repeat
what the caller is saying. They can’t warn you that this may be
fraud. Another case of rules over common sense.

Kerry CeltCraft Beads & Jewelry

Hi Cindy,

I know exactly how you feel! Last week, I got a series of emails from
someone claiming to be from Indonesia, who gave me a song and dance
about how he’d be willing to pay “a little extra” on his credit card
for a 2.595 ct Burmese Ruby I’d shown on my site, if I’d be willing
to FedEx the stone to him. I explained that I’d be more than happy to
send it to him via Registered Mail (ostensibly to protect him, of
course!), just as soon as his certified check, drawn from his local
branch of a verifiable US bank, had been cleared by both my bank and
his. Hmmm… gee whiz… somehow, he just seemed to lose interest,
after that {;o) !

Douglas Turet, G.J.,
Turet Design
P.O. Box 242
Avon, MA 02322-0242
(508) 586-5690
doug (at) turetdesign.com

I received a marketing call from an organization (name not found on
caller ID) that passed themselves off as Discover. Some kind of
technical support for $49 a month. I tried to decline but I have the
feeling they will try to automatically bill me for services anyway
thru my discover merchant account, since they said it’s up to me to
cancel a service I didn’t want in the first place. I called the REAL
Discover and they gave me a phone number that was supposedly this
first company. I called and they said it’s not them, that someone else
is doing telemarketing using their name. So… we have someone
pretending to be someone else pretending to be Discover.

Confused? I am. But I smell a rat.

So keep an eye on your Discover Monthly Statements, as the REAL
Discover said they have no problem deducting from my account on the
say-so of this ‘other party’, that the onus is on me to clear things
up.

If you have a merchant account your terminal technical support
should be included in your merchant processing agreement (one would
hope) so why pay someone else for what you get for free?

Just thought I should pass that along.

Not to be paranoid or anything.