An email scam masked as an order confirmation from StubHub landed in countless mailboxes Thursday.
The San Francisco-based online ticket broker, a subsidiary of eBay Inc., first learned of the scam early Thursday morning, and within a few hours was deluged with phone calls, said spokesman Glenn Lehrman.
"We don't have a sense yet of how big it is," he said.
The company has placed a warning notice on its home page advising recipients not to click on any link in the email. Lehrman said the company has been sending messages out through social media to notify customers.
The Better Business Bureau is also working with the StubHub to warn consumers.
Here's what you need to know:
The email looks like a receipt for an order for two tickets to a boxing match in Las Vegas on Nov. 12. It appears to be sent by StubHub, and the charge is an alarming $2,766.95.
Lehrman said no accounts have been charged. The email apparently went to both StubHub users and individuals who have never bought tickets from the site.
Like any phishing scam, the fake email is aiming to dupe recipients into clicking on the embedded links, in an attempt to obtain sensitive information such as credit card account numbers and passwords.
StubHub does not display credit card details on its site, but Lehrman said it is possible to order tickets from an established account using stored payment information.
Anyone who clicked through the email and entered StubHub account information should go to the company's website and change their password as soon as possible, which will make it harder for the scammers if they attempt to access accounts.
The fake StubHub email appears to have originated in Eastern Europe, Lehrman said. That's a common origination point for online scams.
Phishing is usually used to steal financial information or personal information. Individuals who believe they've fallen for such a scam should report it to the Internet Crime Complaint Center, or IC3, which is a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center. That can be done online and at the Federal Trade Commission site.
The suspect email can also be forwarded to: @uce.gov.
The StubHub scam mirrors other email frauds that purport to let recipients know they've won prizes or lotteries. Details on what to do if you've given out bank account information and more advice on avoiding such scams is available at APWG or OnGuardOnline.gov.