"Dear eBay account owner, give us the new credit card information," the message read.
But, says Stoll, "It turns out if you log into this, what looks like an eBay account … is a fake account."
James Read thought he was on eBay and put in his credit card number.
He says it wasn't until "I got down to the social security field when I actually figured out this is a scam" – an identity theft scam with millions of potential victims, as con artists flood the Internet with e-mails that appear to be from legitimate companies.
"A spammer may create several hundred thousand of these every single day, and maybe only five or six of them will respond," says eBay's Kevin Pursglove. "But that's five or six pieces of personal identification that they didn't have the day before."
It's a high-tech swindle called "phishing."
"Phishing – with a 'ph' not with an 'f' – is fishing for suckers," says Peter Sealey, professor of marketing at the Haas School of Business at the University of California-Berkeley.
The phishing e-mail contains a way to connect to what looks like a genuine Web site, but clicking on that link leads to a counterfeit site.
"It is an electronic counterfeit as good as the best counterfeit U.S. currency bill ever produced," Sealey says.
Counterfeit Web sites have tried to trick customers of a long list of Internet businesses, including banks and big retailers.
"Online businesses that are successful, such as eBay, are now just beginning to realize that wherever you find a successful business you're going to find fraudsters," says Pursglove.
Credit card information or account passwords go directly to the con artists who often turn out to be working from foreign countries, often in Eastern Europe.
"There are still a lot of people who have this implicit trust in something that comes across a computer," says Cliff Stoll.
The best protection? Never click on links in unsolicited e-mail: it could be bait dangled by a con artist on a phishing trip.