The “second chance” eBay scam has been around for quite a while, and it’s certainly not confined to a single individual or group; apparently lots of people with sufficient computer savvy and a lack of scruples have employed the same tactics. In 2004 The Register ran an article by John Leyden warning eBay users to beware of “second chance” offers that looked legitimate but weren’t; they were bogus offers from scammers, and some were caught and some were not.
Leyden wrote that this particular scam is more sophisticated than the usual phishing fraud, in that it relies on information about the user’s bidding history. The way eBay handles auctions, if the winning bidder doesn’t pony up, the one with the second highest bid may be offered the item for the amount he bid. The scammers make the same offer, but not through eBay, and their e-mails are convincing enough to fool anyone who is not on guard.
The second chance scammers are still at it, but at least by now there are plenty of warnings out there offering tips on how to avoid being a victim. The targets are usually those bidding on high-cost items upwards of ten thousand pounds, but not necessarily; everyone who loses a bid should be alert for these phony offers.
Security experts from eBay and from outside companies such as McAfee say it’s unlikely that hackers are able to get into eBay’s network. Apparently, the scammers set themselves up as legitimate sellers, allowing them to access buyers’ IDs, which they can match to names and e-mail addresses. They send second chance offers on eBay letterhead, and since they also know the amount of the victim’s bid, the offer looks quite above-board.
Suggestions from bidamount.com to eBay auction participants include the note that eBay never sends messages with zip files, attachments or spreadsheets; if you get one with any of those, it’s fake. Also, eBay does not have a Protection Plan that includes holding payments for any reason. Almost all transactions are handled through PayPal; if you are asked to send money directly to an unfamiliar account, large red flags should go up.