Spoof Me Once, Spoof Me Twice
Article by Rick Leinecker, May 3, 2007

My friend John told me about several troubling emails he had gotten. I know from my own experience that some emails are disturbing. I'm referring to the ones that tell you things such as "there was an additional email address added to your PayPal account". Some are from irate eBay sellers who say they haven't been paid. Or you might get one from your bank telling you that there has been a security breach of some sort. And the list of these types of emails goes on for quite a while.

These upsetting emails are known as spoof emails. They look exactly like the real thing, but they are phonies. The senders have spent many hours counterfeiting the look and feel of the emails that PayPal, eBay, or your bank might send out. But if you look underneath the façade you can see the source address, which is something other than the address of the legitimate sender. The problem, though, is that most people don't know how to examine an email's true source address. And even if you knew how to check, it takes more time than most people are willing to spend.
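Here is what looking underneath the façade can look like in practice, as an added example that is not part of the original article: a short Python check that compares the brand a message claims to come from with the addresses in its headers. The sample message, the placeholder domains and the `EXPECTED` table are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message, not taken from the article.
# example.net / example.org / example.com are placeholder domains.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10])
From: "PayPal Security" <service@paypal.com.example.net>
Reply-To: collect@example.org
To: john@example.com
Subject: An additional email address was added to your account

Please log in to confirm this change.
"""

# Assumption: domains each brand is expected to send from.
EXPECTED = {"paypal": {"paypal.com"}, "ebay": {"ebay.com"}}


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()


def under(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_source(raw):
    """List the reasons the message's source does not match what it claims."""
    msg = message_from_string(raw)
    display_name = parseaddr(msg.get("From", ""))[0].lower()
    from_domain = domain_of(msg.get("From"))
    findings = []
    for brand, allowed in EXPECTED.items():
        claims_brand = brand in display_name or brand in from_domain
        if claims_brand and not under(from_domain, allowed):
            findings.append(f"claims {brand} but From domain is {from_domain}")
    # The bounce and reply addresses often expose the real sender.
    for header in ("Return-Path", "Reply-To"):
        domain = domain_of(msg.get(header))
        if domain and domain != from_domain:
            findings.append(f"{header} domain {domain} differs from {from_domain}")
    return findings
```

An empty result does not prove a message is genuine, because the From header itself can be forged, and a differing Return-Path also shows up in some legitimate bulk mail.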

What the spoofers are hoping is that you'll be upset enough that you'll throw caution to the wind. If you click on the login button from within these phony emails, and then enter your login information, the imitators will have your login information. That's because instead of logging in to PayPal, eBay, or your bank, you're simply sending your information to some unknown server at the other end that is masquerading as the genuine entity.

You're probably asking how you can tell the difference between the real thing and a fake. The answer is that you don't need to know the difference if you observe a simple rule when responding to these emails. The rule is this: never respond through the email that you received, but go directly to the Web site. For instance, if you get a message from PayPal, don't click on any buttons or links within the email. Instead, open a browser (such as Internet Explorer or Firefox) and go to the PayPal Web site. And of course, the same precaution applies to eBay, Amazon, your bank, and any similar entities.

The spoofers get your email in a variety of ways. If you sell items on eBay they simply get your eBay user name from the auction and your email from your profile. For the PayPal scam they sometimes use a system of smart email name guessing, or they scrape your email address from a Web site where it's mentioned. There are quite a few ways that your email address can be obtained.

Make sure you don't fall victim to these spoof emails. If they get your eBay login information, then they can buy and sell items with your account and you are responsible for the costs. With your PayPal login information they can empty your account in a matter of minutes.

Those are the basics of spoof emails.