eBay Order Phishing Scam 2022 (with eBay Phishing Email Example)

eBay Order Phishing Scam with eBay Phishing Email Example
Share the knowledge

Below is the newest eBay phishing email example, sent out and received on June 21, 2022. Don’t fall for these sorts of eBay scams! If you receive an email from eBay (or anywhere) about an order that you know you didn’t place, delete it! Now of course, the scammers know that you know that you didn’t place the order; what they are counting on is you panicking and thinking that someone else has placed an order in your name, using your credit card information. And they are counting on you clicking the link to “the order” so you can tell eBay that there must be some mistake. Of course, it’s not really eBay to which that link leads: you’ve fallen right into their trap.

This eBay phishing email example was spam sent using the Google Gmail API (which you can see in the full headers at the end of this article). The scammer even used a gmail address ([email protected]) right in the email instead of making it appear to be from eBay, and yet all they need is one person to fall for it to make it worth their while.

Here is that eBay phishing email example from today (June 21, 2022). Have your received something like this?

eBay Phishing Email Example

From: Order Confirmed
Subject: THANK YOU FOR YOUR ORDER $$798.12..!! ((Order : #980589657485))
Date: June 21, 2022 at 11:26:03 AM MDT
To: [redacted]

Get New Internet Patrol Articles by Email!


Dear Customer,

Thank you for order we’ll send a confirmation when your order shipped.
We thought you’d like to know that dispatched your item(s). Your order is on the way. if you need to return an item from this shipment or manage other orders.
Please Contact us on + 1- 888 — 910 — 5921
Yoga 7i (14”) – Slate Grey Laptop
Order Number – #980589657485
Qty 1 $798.12 USPS Priority Mail Free 3 day shipping
Subtotal (1 item) $787.12
Shipping Free
Tax $11
Order total $798.12
Payment : Confirm (XXXX A/c)

If you did not place this order please Call Us on + 1- 888 — 910 — 5921 to report this to our fraud protection team.

Here are the “hidden” full headers from this email:

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link

X-Cmae-Analysis: v=2.4 cv=dZFFYVbe c=1 sm=1 tr=0 ts=62b1ff2d cx=a_idp_d p=vB55TLgicz51azUmp5oA:9 a=6W9DBQtmHVaXJADi8/5GCQ==:117 a=xmNQyj5kHv7mgRqD:21 a=JPEYwPQDsx4A:10 a=x7bEGLp0ZPQA:10 a=xW4dhLIxW0gA:10 a=EU_9ZvWX1Hy87SM4Xc4A:9 a=QEXdDO2ut3YA:10 a=QquMEgkNQtU2R3Ub:21 a=_W_S_7VecoQA:10 a=wwAePvBONnjDQaqHVNx2:22 a=jMtCP0wTyWtpmbv-YS4Q:22 a=pHzHmUro8NiASowvMSCR:22 a=n87TN5wuljxrRezIQYnT:22
X-Rspamd-Queue-Id: 25LHQ6Cu3059852
X-Spamd-Bar: /
X-Rspamd-Server: concertino
X-Received: by 2002:a17:90a:430a:b0:1ea:e7f4:9f59 with SMTP id q10-20020a17090a430a00b001eae7f49f59mr33101934pjg.75.1655832363956; Tue, 21 Jun 2022 10:26:03 -0700 (PDT)
X-Gm-Message-State: AJIora8MVbmInxv5rRbK93f8/ZycLmvFFYyw+67siu6InWpxKbmPgl4B 4vnuaHFd7amGNHyZUhyCvzMiX9ODUjCfKlpUxM1KUrUhLSdRcQ==
X-Google-Smtp-Source: AGRyM1tFJ/ejDnNgH/8PqNPFlvb5hKOeCOeT8M52CVVH04RWJ70modGkwJQB+FQPwBkjcyHnOInKDbpOLwmE5ZWpZew=
Mime-Version: 1.0
Authentication-Results: concerto.isipp.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=OLFKz6oy; spf=pass (concerto.isipp.com: domain of “[email protected]rver.net” designates as permitted sender) smtp.mailfrom=”[email protected]t”; dmarc=pass (policy=none) header.from=gmail.com
Precedence: bulk

Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:mime-version:date:message-id:subject:to; bh=3Ex7LinKHIByPgU/HLmkE6x/uSLZ9+mdMwHOLthPyyc=; b=OLFKz6oynE4buk7ohypj+9OPJ0QmsXWWBGagqzfhy+PYwLc+ptNI+DHa107h6heYy2 EgDmIqSZ5Dqe/h4LpPXJVBOxkF9YmohAWZsudn7H9noivrUfLziJU8tubeotQOyv0MdK 8aDF7mjUhdSirxVCuElNY6pOyaOGJIyvsR84AKC3lGIxjW33V6j4EpqJBqTtkQ5dW04E vzuhjjXbrPeyDXUDlfZcvF725K5kJXlvEtgD5U8JYsgOPTpAGOLJ2snLs7PM23qzoWj8 dy+CpM42/C3NQIIxhWw8oEq6XxPZC3GPs7Uon9bpSdxBWk+r6cd4m17VzlbhZJaN2k8J o0Bg==
X-Spamd-Result: default: False [0.04 / 15.00]; SUBJECT_HAS_CURRENCY(1.00)[]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_SPF_ALLOW(-0.20)[+ip4:]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; RWL_MAILSPIKE_GOOD(-0.10)[]; RCVD_NO_TLS_LAST(0.10)[]; MANY_INVISIBLE_PARTS(0.05)[1]; MX_GOOD(-0.01)[]; FORWARDED(0.00)[redacted]; FROM_HAS_DN(0.00)[]; FORGED_SENDER_FORWARDING(0.00)[]; PRECEDENCE_BULK(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[redacted]; RCVD_COUNT_FIVE(0.00)[5]; RCPT_COUNT_ONE(0.00)[1]; ARC_NA(0.00)[]; ASN(0.00)[asn:26496, ipnet:, country:US]; FROM_NEQ_ENVFROM(0.00)[[email protected],[email protected]t]; MID_RHS_MATCH_FROMTLD(0.00)[]; TO_DN_NONE(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; SUBJECT_HAS_EXCLAIM(0.00)[]; FORGED_SENDER(0.00)[[email protected],[email protected]t]; DKIM_TRACE(0.00)[gmail.com:+]; RCVD_IN_DNSWL_NONE(0.00)[,]; MIME_TRACE(0.00)[0:+,1:+,2:~]; NEURAL_HAM(-0.00)[-1.000]
X-Cmae-Envelope: MS4xfM4U4MKqFkW9ZWrSb9Q5PU/nyUN0Q6CtqSQZcshkQFI0de7XxvEC/JAAG2E/+BzSNaL6vhG8615M9s0SbH0EK5fAdwLvsyiqpeTV+jfwWr148RSwTjIf z7T65SqtUve2BlQuntefEDH3eYWppiVIn21EiqEa6IN7OtH0Ndv7SKVlwpVVRhULauLorMGu9q1wdoqcSuJJ6ew8GpfDN07KDaA=
X-Google-Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:mime-version:date:message-id:subject:to; bh=3Ex7LinKHIByPgU/HLmkE6x/uSLZ9+mdMwHOLthPyyc=; b=sgEPfNcoeCh0aLd25PJfvNK3Dp0jqY9Bqcbde4LO1Gb1Z3tuC0egrUGpjG8jGZC1d5 DnVSg3DGC97qy//woeWgxl+uisjysG3Xw4etpzGgowkn/xrz+pf61CKPxXxOz9lRUgh1 DFy+2CPc+0B1n3IhZZW5hUrpfAIUSn8I+561kRa7lQwoq1BwUFKUEN2dP20rGJqXEZKR G9JRqyexIUKZZmiq/M1HMGiEvXdG7Ef1TqKCfzL65p3O5uPnT21+NA/3+tYLVNTchoi3 /Fu+DmP4W+yjQmTvDgUuPnHi+J2aOPH6SBtjkQxYgldp3XD/1eC/ozrtf+pVdQWpuPm8 G4uQ==
X-Ip-Spam: Suspect
Content-Type: multipart/alternative; boundary=”000000000000dc7d9c05e1f88365″
Delivered-To: [redacted]
Delivered-To: [redacted]
Received: from concerto.isipp.com (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by concerto.isipp.com with LMTPS id 1JaDCjb/sWKUsC4AxsXosw (envelope-from ) for [redacted]; Tue, 21 Jun 2022 17:26:14 +0000
Received: from p3plsmtp18-05-26.prod.phx3.secureserver.net (p3plsmtp18-05.prod.phx3.secureserver.net []) by concerto.isipp.com (8.15.2/8.15.2/Debian-22) with ESMTP id 25LHQ6Cu3059852 for [redacted]; Tue, 21 Jun 2022 17:26:11 GMT
Received: (qmail 23190 invoked from network); 21 Jun 2022 17:26:05 -0000
Received: (qmail 23188 invoked by uid 30297); 21 Jun 2022 17:26:05 -0000
Received: from unknown (HELO p3plibsmtp03-01.prod.phx3.secureserver.net) ([]) (envelope-sender ) by p3plsmtp18-05-26.prod.phx3.secureserver.net (qmail-1.03) with SMTP for [redacted]; 21 Jun 2022 17:26:05 -0000
Received: from mail-pj1-f46.google.com ([]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 256/256 bits) (Client did not present a certificate) by CMGW with ESMTP id 3hdcowjQTiiMi3hddonbfx; Tue, 21 Jun 2022 10:26:05 -0700
Received: by mail-pj1-f46.google.com with SMTP id k12-20020a17090a404c00b001eaabc1fe5dso14307420pjg.1 for [redacted]; Tue, 21 Jun 2022 10:26:05 -0700 (PDT)
Received: from 218858140171 named unknown by gmailapi.google.com with HTTPREST; Tue, 21 Jun 2022 12:26:03 -0500

Share the knowledge

Leave a Reply

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.