Updated: February 26, 2021 06:48 PM
Created: February 26, 2021 06:00 PM
ROCHESTER, N.Y. (WHEC) — It was a scam so elaborate that it took me weeks to unwind the thieves' ingenious plan.
Thursday, I brought you the story of Amanda Thompson, a Henrietta resident. Thompson is smart, observant and comfortable navigating eBay’s online marketplace. But she was entrapped in a scam that could have victimized anyone. And when I contacted eBay, they said they had addressed the problem and kicked the thief off the platform. But when I started digging, you won't believe what I found.
Amanda Thompson contacted me after someone hacked into her eBay account and bought products. And the money came out of Thompson’s PayPal account.
"I went into my eBay account and discovered these three purchases which I hadn't purchased,” Thompson recalled. “So I got a hold of eBay. I actually did speak to somebody in their fraud department and told them what had happened. They looked at the account and said that my eBay account had been hacked through my email.”
So I dug a little deeper and discovered the hacker was also the seller with the handle jeanga_2174. He had posted dozens of kitchen appliances on eBay. But the listing and reviews were all fake. He created the fake listing so he could use Thompson’s eBay account to buy products from his fake account and pay himself with Thompson’s PayPal account, which was linked to her checking account.
"So I called the bank the next morning because yes, all three of those did come out of my bank account,” Thompson said.
The bank immediately acknowledged the fraud and refunded her money, but Thompson wanted to know how it happened and who did it, so she emailed me.
I then emailed eBay, sending eBay press representatives images of the fraudulent eBay account. A spokesperson confirmed that eBay kicked jeanga-2174 out of the marketplace.
An eBay spokesman wrote, "Unfortunately, it appears this customer was a victim of a phishing scam that did not originate on eBay."
That's because the thief accessed Thompson’s eBay account through her email. But I wanted to know if this thief or others like him were still at it. So I searched for one of the products on the thief's fake eBay account using the exact name of the product: “5-quart blue ceramic lace mermaid bowl.” Bingo!
I found four likely fraudulent accounts. All were new accounts listing exactly the same kitchen products for exactly the same price, and all the handles were similar to the first scammer with the handle jeanga-2174. For example, two of the handles were Jennbal_8418 and katflet_8363.
So I wrote eBay again and a spokesman told me, “Thank you for flagging these findings; our teams have investigated and took appropriate action.”
While the spokesman wouldn't confirm it "due to privacy obligations," a search of eBay clearly indicated they had kicked these four listings off the marketplace as well.
But the very next day, I found a listing with the handle, japas-6956. It was a new seller listing the same products with the same prices, and the seller had a similar handle. It appears the same thief or thieves simply create new fake listings when one is taken down.
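The pattern described above (new accounts, look-alike handles, identical products at identical prices) is something a marketplace could cluster on. The following Python code is an added example, not part of the original report and not eBay's tooling; the handles and product title come from this story, while the prices, account ages, the two unrelated sellers and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Handle shape seen in the article: short name fragment, '_' or '-', four digits.
HANDLE_RE = re.compile(r"^[a-z]{4,8}[_-]\d{4}$", re.IGNORECASE)

# Constructed sample listings: (seller, account_age_days, title, price_usd).
# Handles and the bowl title come from the article; ages, prices and the
# last two sellers are invented for illustration.
LISTINGS = [
    ("jeanga_2174", 3, "5-quart blue ceramic lace mermaid bowl", 24.99),
    ("Jennbal_8418", 2, "5-Quart Blue Ceramic Lace Mermaid Bowl", 24.99),
    ("katflet_8363", 1, "5-quart  blue ceramic lace mermaid bowl ", 24.99),
    ("japas-6956", 1, "5-quart blue ceramic lace mermaid bowl", 24.99),
    ("kitchen_outlet_ny", 2100, "5-quart blue ceramic lace mermaid bowl", 31.50),
    ("homegoods4u", 900, "Stainless steel 3-tier cooling rack", 18.00),
]

def normalize(title):
    """Lower-case and collapse whitespace so trivially edited copies match."""
    return " ".join(title.lower().split())

def flag_clusters(listings, min_sellers=3, max_age_days=30):
    """Return suspicious clusters: the same title and price offered by several
    distinct new accounts whose handles share the generated-looking shape."""
    groups = defaultdict(set)
    for seller, age, title, price in listings:
        if age <= max_age_days and HANDLE_RE.match(seller):
            groups[(normalize(title), round(price, 2))].add(seller.lower())
    return {key: sorted(s) for key, s in groups.items() if len(s) >= min_sellers}

if __name__ == "__main__":
    for (title, price), sellers in flag_clusters(LISTINGS).items():
        print(f"{title!r} at ${price:.2f}: {', '.join(sellers)}")
```

Clustering on the listing content rather than on a single handle means a replacement account that reposts the same items lands in the existing cluster as soon as it lists.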
So again I wrote eBay and asked, “Is eBay essentially playing a game of whack-a-mole? Does eBay have security tools to catch ‘fake sellers?’”
eBay refused to answer those questions but insists fraud is rare in the eBay community. But IT security experts tell me scams while shopping online are not unique to eBay. It’s far safer to use a credit card when shopping online, and you should tie your PayPal account to a credit card rather than a debit card because if you’re a victim of fraud while using your credit card, you have protections guaranteed by federal law. And often thieves access your accounts through your email. Because security experts have found billions of unique emails and passwords on the dark web, it's safe to assume your email has likely been compromised.
All these emails and passwords were not from one breach. Instead, hackers had compiled them from dozens of breaches. And because so many folks use the same password over and over again, thieves are using your email password to see if they can get access to your other accounts, like your banking app or your PayPal account.
So here's what you can do. Go to the website HaveIbeenpwned.com. The word pwned (pronounced poned) is taken from video game culture. It means to control or conquer someone. In internet speak, it means have I been breached.
So I put my husband's email into the search engine. I already knew that it had been compromised, but according to the site, it's been breached nine times and has been pasted once. That means it's been shared on a public website where hackers can easily share information.
But my husband frequently changes his passwords. So I wanted to see if his password had been compromised as well. I went to the website Pwnedpasswords.com, which tells me it has not.
So now you can clearly see why we all need to change our passwords. And make sure you create unique passwords for each of your accounts. Here's how you can do that easily. Go to 1password.com. It will generate unique passwords and store them for you.
As for eBay, a spokesman wrote me with the following advice:
Here are some key resources & tips:
Copyright 2021 - WHEC-TV, LLC A Hubbard Broadcasting Company