I’ve got a phish story for you.

Someone I know buys and sells stuff on eBay. During the course of one of his auctions, he got an email from eBay with a question from a potential buyer. This is a very normal experience for eBay sellers. The email had details about him, his item, his auction.

He clicked the “Reply to question” link in the email, and logged in to eBay. Except it wasn’t eBay.

Just as he clicked the Login button, he noticed that his address bar didn’t say eBay.com. It had an IP address. Ding, ding, ding, red alert!

He immediately logged into the real eBay site and changed his password. So there was no harm done.

He had been phished. Actually, spear-phished. He was specifically targeted. Why? He had made the mistake of putting his email address as part of the auction information. So some cybercriminal had sent him a tailor-made phishing email that looked, felt, and smelled like a real eBay email.

The reason it worked is that he expected to receive an email just like the one he was sent.

How could he have avoided this? By not clicking the link in the email. He could have, and should have, logged into eBay through eBay.com.

That is the main way to not get caught in a phishing scam. Whether it’s an email supposedly from Intuit, your bank, the government, etc., the safe way is to avoid the link in the email and go straight to the website from your address bar or your trusted browser bookmarks.
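The check that saved the seller above (is the address bar really eBay.com, or an IP address?) can be written down as code. The following is an added example, not part of the original post, that applies the same two tests to any link before it is trusted: is the host a bare IP address, and is it actually within the expected domain rather than merely containing its name. The sample links and the 203.0.113.5 address are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def check_link(href, expected_domain):
    """Return (ok, reason) for a link that claims to lead to expected_domain.

    ok is True only when the URL uses http(s), has a hostname that is not an
    IP literal, and that hostname is the expected domain or a subdomain of it.
    """
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return False, "unexpected scheme: %r" % parts.scheme

    # .hostname is lowercased and strips any user@ prefix and port, so a link
    # like http://ebay.com@203.0.113.5/ is judged by the real host, not the
    # decoy text before the @.
    host = parts.hostname
    if not host:
        return False, "no hostname in link"

    # Test 1: a raw IP address in the address bar is the tell from the story.
    try:
        ipaddress.ip_address(host)
        return False, "host is an IP address: %s" % host
    except ValueError:
        pass  # not an IP literal, continue

    # Test 2: the host must be the expected domain or end with "." + domain.
    # A plain substring test would accept ebay.com.example.net, so compare
    # on label boundaries only.
    expected = expected_domain.lower().strip(".")
    host = host.rstrip(".")
    if host == expected or host.endswith("." + expected):
        return True, "host %s is within %s" % (host, expected)
    return False, "host %s is not within %s" % (host, expected)


def triage_links(links, expected_domain):
    """Map each link to its verdict; handy for scanning every href in a mail."""
    return {href: check_link(href, expected_domain) for href in links}


# Constructed sample links, in the shape of what a phishing mail might carry.
SAMPLE_LINKS = [
    "https://www.ebay.com/signin",              # genuine-looking, in domain
    "http://203.0.113.5/ebay/signin",           # IP address host (the story)
    "https://ebay.com.example.net/signin",      # domain name as a prefix
    "http://ebay.com@203.0.113.5/signin",       # decoy user info before @
    "https://ebay.com/signin",                  # apex domain itself
]

if __name__ == "__main__":
    for href, (ok, reason) in triage_links(SAMPLE_LINKS, "ebay.com").items():
        print("%-4s %s  (%s)" % ("OK" if ok else "BAD", href, reason))
```

The design choice worth noting is the label-boundary comparison: matching on `host == domain or host.endswith("." + domain)` is what distinguishes a real subdomain like www.ebay.com from a lookalike that merely starts with the trusted name. This is the programmatic form of the advice in the post, not a replacement for it; the safest habit remains typing the address or using a bookmark.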

Recently there have been a lot of phishing emails going around that falsely claim to be from Intuit. You can check on Intuit security alerts at http://security.intuit.com.

Do you have a phish story? Or any other advice?