Its a common internet fraud crime and internet users are the target of Spoof email hoax scams and fake or forged web pages. Click to go to home page.

50% OFF
Black Ice

Protects against
theft of personal
identity, passwords,
credit card numbers
and more
Easy to use
personal firewall
programs from
running without
the user's

spoof email sbs

See images
of the latest
Spoof Email Hoax
reported to us

introduction to Spoof Email Hoax

What is a
Spoof Email

Why do
people send
spoof email

I've received
a Spoof Email
Hoax what
should I do?

I've fallen victim
to a Spoof Email
Hoax Scam, what
should I do?

Take steps to
a victim of a
Spoof Email
Hoax Scam

How can you
know if the
eBay seller is genuine
or a stolen

Check out an
eBay seller
before buying

spoof email sbs

email scam

email scam

EBAY spoof
email scam

PAYPAL spoof
email scam

email scam

email scam

email scam


please report your email spoofs using our dedicated
Spoof Email and Phishing Scam Form



Online Identity Theft

Spoof Email Hoax scams and Fake Web Pages or Sites

by Mat Bright
27th June 2003 (last updated 23rd February 2004)

Part Three


How do I recognise a Spoof Email?

You will hear it mentioned frequently in genuine emails from eBay or Paypal, that they "will never ask you for your user name or password in an email". In fact, eBay UK's most recent statement near the end of their emails is "eBay will not ask you for sensitive personal information (such as your password, credit card, bank account numbers, National Insurance numbers, etc.) in an email."

This means that if...
the email has any kind of form (see examples) that requires you to enter your User ID,
password, credit/debit card or banking details (and sometimes Social Security
and card PIN Numbers)

it is NOT a genuine email, it is a spoof.

This sounds like a simple enough rule, but in reality, the best spoof, forged, bogus or hoax email would not do that anyway. The problem is that any email could merely offer you a link to a web page for any reason, and the most convincing spoofs may refer you to a spoof web page where the user information is gleaned from you later instead (see an example of this). This problem is further exacerbated by the fact that users will often receive genuine eBay and Paypal emails offering links to their site for various purposes, it is therefore not the case that they will never ask you to click on a link. It would be better for us if there were never any links in eBay or Paypal emails, but many of us rely on those links to interact with their sites for various reasons. Having said that, a recent email from eBay included 38 separate links, only one of which was a link to!

Please, therefore, do not believe the email to be genuine just because it does not ask
for your private information alone.


So how can you really determine if it is a spoof?

This is made difficult by three distinct factors.....

1. the ease with which almost anyone can forge an email and almost all its header information due to a security loophole in the set up of SMPT mail servers (POP3). It is a certain fact with any email that the sender, as shown in your mail program's inbox, is absolutely no guarantee of its true origin,

2. by the way in which URLs (links) can be disguised so that the true destination is concealed,

3. the ease with which genuine web site text and graphics can be used in an email or web page just by including the relevant standard html code.


Stay informed of the latest Spoof Email Phishing Scams with either of our FREE alert services...

Email Alerts
Add your email address to our email alert service...

Privacy Policy

RSS News Feed
Tap into our Scam Alert service using your News Reader or Aggregator (including My Yahoo!).
Scam Alert News Feed

You can even put the latest alerts on your own web site.


Email Headers

You'll hear plenty around the internet about email headers and in many cases they do show that the sender is not who they say they are (see a comparison between a spoof and genuine spoof here), but it isn't a definite way of identifying a spoof email. It is possible to forge almost all of an email's header information or remove the parts that may indicate its origin.

The spoof report departments of genuine sites (eBay, Paypal, etc.) place a lot of emphasis on their need for the full email with header in a report of a spoof, but this will not necessarily tell them its true origin. They will most likely have to communicate with the ISP(s) and servers that handled the email as it travelled around the internet, and who may be able to trace its origin by viewing their detailed server logs.

This is not to say for certain that the scammers would have been clever enough to spoof the whole email header, sometimes there are clear indications that the email has not come from where it should have (as the example shows). However, the email header is the first useful indication of whether the email is genuine or not (quite simply, if it does not indicate that it has passed from eBay's servers, for example, then it is a hoax).


Links in an email and URL CLOAKING


Please note that Microsoft issued a cumulative Critical Update to address some of the issues disgussed below on the 2nd February 2004. For more information see here and to ensure that you are up to date, please run windows update and install all Critical Updates.


There are a variety of ways that can be employed to disguise the true location of any web page that a link points to. One or more of these will be used by scammers to add a sense of authenticity to any scam that they may face you with. These methods vary from the simple HTML link through to the very serious spoofing vulnerability that presently exists in most web browsers. We'll look at each of these methods and provide some solutions to checking the validity of those links or pages...


In a text only email, such a disguised link could be constructed thus.....

the link to the spoof web page is preceded with the first part of the genuine site's URL, such as '' or ''
followed by
almost any string of characters of almost any length
and then
the '@' character
followed by
the true URL of page that you will at


.....such a link would instruct your browser to open the forged page and would NOT send you to, or through, the genuine site. The following is a good example of this kind of spoof link ...>jd7788<Account

...which would actually take you to our home page (its been disabled though and will not work).

You can see, in this example, that the actual URL that you'll arrive at is written after the '@' character. This link would fool most people, especially since it starts with "" and has relevant statements like "securitycheck" and "aw-ebayconfirm" written into it. Also, because of the length of the URL, it would appear to be valid when you look at the text shown in the bottom of your browser frame (status bar) while your mouse is positioned over the link.


In an HTML email, or a web page, simple cloaking can be employed with the use of standard HTML code - the text of the link can show pretty much any thing, but the destination of the link is another issue. A good example of this kind of cloaking would be the following link ... verification

The URL of this link is exactly the same as the one above, and also sends you to our home page and is also constructed to appear to be genuine when viewing the status bar message.

The more serious form of link and URL cloaking uses the vulnerability that exists in Microsoft's Outlook, Outlook Express and Internet Explorer as well as some Mozilla browsers. This can allow a completely different URL to be shown in the status bar to the true address. In that case, you could construct a link that shows in the status bar, while the link actually opens a page at

Also, and with Internet Explorer in particular, you can arrive at a web page which shows a completely different URL in the browser address bar than the true location of that page. For instance, a fake Ebay email may use this method with a link shown as and that opens a web page with shown in the address bar, but with a forged Ebay page in the browser window which is located in completely different web space. The following URL cloaking bug check utility shows an example of this kind of disguised link or web page (if your browser IS vulnerable)...





This kind of link set up has also included one or more null characters before the '@' sign (see text about links, above) to disguise the true destination of a link and prevent it from displaying correctly in the browser address bar or status bar. This URL spoofing (or URL cloaking) is a vulnerability in some Mozilla and Internet Explorer browsers. Try URL spoofing test to see if you browser is vulnerable to this exploit and observe the result ...

URL Spoofing Test


Please note that McAfee Antivirus may report a 'trojan' on when visiting our URL Spoofing Test page - this program reports this because of the example malformed link in the URL spoofing check. We no longer recommend MacAfee Antivirus because of this problem.

If your browser is vulnerable, you may see in your browser status bar while the mouse is positioned over the link OR if you click on the link, you may will in your browser address bar, while our home page is displayed in the browser window. You can imagine the uses that this has for fraudsters and scammers. (Note, the above URL uses multiple null characters which has the effect pushing part of the full URL out of the visible part of some browser's status bar, thereby only showing In other cases, including Microsoft's Outlook, it can take only one null character).

You can also use our Spoof URL Checker to see if you are at a web page that is exploiting this vulnerability.

Please note that Microsoft issued a cumulative Critical Update to address this issue on the 2nd February 2004. For more information see here and to ensure that you are up to date, please run windows update and install all Critical Updates.



If you see a link that you want to use, first check it for spoofing with our Link Checker, which is a utility which will tell you if any of these null or special characters exist in the link. Otherwise, it is really best that we NEVER click on a link contained in an email just to be sure - almost every site places links to thier pages within their emails and this is gives rise to the potential to fall victim. If there really is any genuine request from any of those sites to communicate information with them, you should enter the site manually (by entering the relevant URL directly into your browser address bar) and then log in and interact with the site by that approach alone. That really is the safest way of doing it, and any urgent request for information should be presented to you once logged in.


Graphics and text

It is very easy to construct a web page or HTML email using genuine graphics and text with fairly basic knowledge in web page design. These files are freely available from their own servers and can be linked to from within the spoof's code by fraudsters. Spoofed emails and web pages can therefore look extremely convincing (see an example of this).


In Conclusion

Despite eBay's and Paypal's half hearted attempts to reassure us with their policy on requests for information by email, it does not mean that any other email is genuine and it does not really make it more certain that we will not fall prey to the fraudsters. Fraudsters evolve and work will work with the loop holes that they come across. Instead take this more responsible approach...

First, look for spelling and gramatical errors (some main text in spoofs is written by non-english speaking persons, errors are common).

Second, if the email has a form to complete for any information (including your user name and password, bank details, credit card details, etc, etc.) then it is NOT from the genuine site. None of the genuine sites would do this.

Third, if we find that it requests us to confirm any login information (such as user name, password and any financial information like credit card details), it is most likely not a genuine email. If any site needs you to confirm details, simply type the known URL for that site into your browser, login and interact in that way alone, if there is any genuine need to verify any information, you will be asked to do so by some message when you log into the site.

Fourth, if the email advertises a competition, or tells you that you've been selected for some prize or accolade, don't believe it, and do NOT interact with anything within the email. You can confirm any of that by going to their genuine web site and logging in as described above. Perhaps the simplest way to protect us from the current form of spoof emails is for eBay and Paypal to just stop including any links at all in their own emails.

Fifth, change your notification preferences on sites like eBay and Paypal in order to reduce the amount of email that you receive from them. Keep it to essential information only.

Sixth, check the email header and look for anomolies as previously discussed.

If you are still uncertain and suspect that you have received a spoof, contact the support department of the appropriate site (in the case of eBay and Paypal, you forward the email to their spoof departments - or You should copy and paste the full email with header into your query as well (but do not copy and paste for eBay or Paypal, instead you should use the 'forward' function of your mail program and send it without any comment added).

Next, we will look at how spoof emails work to commit fraud...

click to go to previous click to go to part oneclick to go to next

Its a common internet fraud crime and internet users are the target of Spoof email hoax scams and fake or forged web pages.
© Copyright 2003-2005 Oxford Information Services Ltd All Rights Reserved
All other logos and trademarks in this site are property of their respective owner