The New York Times - Technology

On EBay, E-Mail Phishers Find a Well-Stocked Pond

By IAN AUSTEN

Published: March 7, 2005

Donald Jay Alofs got a call last fall at home asking if he had recently bought several thousand dollars worth of electronics. Mr. Alofs had not, and he had a good reason for not being on a spending spree: he was in the hospital at the time.

Things got worse for Mr. Alofs, a coin collector and dealer who buys and sells on eBay. His inbox was soon filled with e-mail messages from irate buyers: someone had used his eBay account to sell about $780,000 worth of coins - about five times the online business Mr. Alofs had done over several years - and many of the coins offered for sale never existed.

Adding insult to injury, fees for hosting photos for the fraudulent auctions had been financed with $300 from Mr. Alofs's account with PayPal, eBay's online payment service.

The source of the trouble, he believes, was that his eBay and PayPal accounts were hijacked through what is known as phishing, a type of online fraud that collects victims' account passwords and other information, after he responded to an e-mail that appeared to come from a legitimate business.

"At first those e-mails were a joke with the misspellings and mistakes," said Mr. Alofs about the phishes he received a couple of years ago, when the practice was relatively new. "Now with the copyright statements and the logos, they look so real. I don't know how you'll ever tell them apart."

For eBay, phishers are more than just an expensive irritation. EBay is among the five companies most frequently targeted by phishers, according to David Jevans, chairman of the Anti-Phishing Working Group, an industry association that includes eBay. Like phishers who go after customers of credit card issuers, those who target eBay users sometimes try to capture credit card numbers as well as general personal information.

The company's domination of the online auction business and its heavy dependence on e-mail communication make its users particularly vulnerable to this kind of online scam.

"EBay is purely virtual," Mr. Jevans said. "They live or die by e-mail."

The proliferation of eBay and PayPal phishes means that the legitimate e-mail that powers eBay transactions is increasingly being eliminated by junk e-mail filters. At the same time, some sellers say that buyers are becoming wary because of the constant threats from phishing, which is straining eBay's relationship with customers and may be driving down auction prices.

"I don't think eBay has a good insight of what's happening on the grass-roots level to individual sellers," said Joe Cortese, the chairman of the Professional eBay Sellers Alliance.

EBay is reluctant to discuss its security measures, but the company has taken three steps recently. A few months ago, it began offering users of Windows-based computers a free toolbar that flashes a warning when a browser is pointed toward what it believes to be a fraudulent Web site. (J. Peter Selda, the chief executive of WholeSecurity, whose technology is used by eBay to detect phishing sites, estimates that only about 10 percent of eBay account holders have downloaded the toolbar.) Last month, eBay also joined an effort organized by WholeSecurity to block fraudulent Web sites.

And at the start of this year, the company introduced a Web mail service called My Messages. For now, the service is mostly a way to get around the problem of junk mail filters blocking legitimate messages from the company to its users. Those corporate e-mail messages, which are mostly promotional, are now posted on a Web page that users can view after logging in to eBay. Hani Durzy, a spokesman for the company, said the feature may evolve into a communications tool for users.

But disgruntled buyers and sellers say the relatively low-key introduction of My Messages and its limited capabilities illustrate what they argue is wrong with eBay's efforts: the company has not been explicit enough to users in its warnings.

Mr. Durzy maintains that the company is making a serious effort to alert buyers. "I know that it sounds very basic, but education is the silver bullet," he said.

There is no measurement of phishing's impact on eBay's business, partly because publicly available statistics mix it with other varieties of online fraud. Mr. Durzy said that eBay's growth last year - transactions rose 44 percent, to $34.2 billion - indicated that the crime was not significant. Similarly, Mr. Jevans argues that eBay is "one of the most advanced companies" in combating Internet fraud. "They invest really heavily in it," he said.

In some ways, eBay is a victim of its own success. Last year, nearly a quarter of all online purchases in the United States passed through its site, and the company reached 135.5 million registered users worldwide, up 43 percent from 2003.

"They're an easy target because tens of millions of people use PayPal and eBay, making your chances of sending one of these e-mails to someone who has an account pretty high," said Mr. Jevans. "If you send a billion e-mails, you only need one in 10,000 people to fall for it."

And eBay offers unique attractions for criminals, as Mr. Alofs's case shows. Many buyers will purchase expensive goods such as coins only from sellers with high ratings from previous customers through an online evaluation system. Mr. Jevans and others say that when phishers are able to take over accounts with high approval ratings, they use them to sell nonexistent or stolen goods.

Phishers do not limit themselves to sellers. Last December, Steven Horwitz, another coin collector, unsuccessfully bid on a 1932 $10 gold coin being offered by Noblespirit, a dealer based in Pittsfield, N.H., owned by Mr. Cortese. Soon after, he received an e-mail message sent by "Dimitris" at Noblespirit through an eBay system that generates preformatted e-mail between buyers and sellers. It offered Mr. Horwitz a chance to buy the coin at his bid price. He asked to purchase it through PayPal "but I was told that their PayPal had not been working for two days," Mr. Horwitz recalled.

He wired $917 by Western Union, a practice eBay warns against, to an address in New York. When no coins appeared in the mail, he contacted Noblespirit and found that no one named Dimitris worked there.

"All this was due, I think, to a lack of experience on my part," said Mr. Horwitz.

Mr. Cortese and other sellers argue that eBay has made its antiphishing materials difficult to find for fear of scaring off new business. For example, he said, the link on eBay's homepage to its security information is at the bottom and in fine print.

"EBay and PayPal are going to have to make the navigation of their sites easier," he said. He and his sellers' group have also pressed the company to stop including hyperlinks in its e-mail messages as a way of distinguishing them from fraudulent messages from phishers.

"When eBay started there was a lot of trust," Mr. Cortese said. "Unfortunately, it was a wide-open door to exploitation."

Since his own eBay identity was stolen, Mr. Alofs has changed credit card numbers five times and has filed reports to eBay, PayPal and the Federal Bureau of Investigation. He has yet to recover the fees paid to the provider that posted the phishers' online auctions or about $7,500 worth of goods that he had purchased but that the hijackers had shipped to a different address.

But the biggest loss from his account hijacking, he said, was that he no longer pursues his hobby of 30 years through eBay.

"EBay revolutionized the whole industry," Mr. Alofs said. "It made it possible for a collector to become a dealer. It seemed like a real good way of doing stuff. But I'm not using eBay anymore now."
