SAN FRANCISCO, June 20 - It was a clever, if not entirely flawless ruse. Many of its potential victims saw through it immediately. Others were less skeptical and were caught in its snare.
On Wednesday, starting in the early afternoon, people around the country began receiving an e-mail message with "Fraud Alert" in the subject line. In the guise of concern about a purchase from Best Buy and possible credit card misuse, the message urged recipients to go to a "special" BestBuy.com Web site and correct the problem by entering their credit card and Social Security numbers.
E-mail posing as a fraud notice to carry out a fraud - indeed preying on a consumer's fear of being defrauded - is an illegal form of spam, the much-loathed tide of random, unsolicited messages that pours into computer inboxes every day.
"This is the electronic version of the call at night from somebody purportedly being your credit card watchdog," said Malcolm Sparrow, a professor at the John F. Kennedy School of Government at Harvard, who specializes in fraud control.
Almost immediately after the e-mail messages went out, thousands of calls from consumers started pouring in to Best Buy's headquarters just outside Minneapolis.
Best Buy acted quickly to distance itself from the deception. Within a few hours, two bogus Web sites were shut down and customer service agents were busy telling callers to disregard the e-mail messages. Those who had given out their information were told to call their banks, credit card companies and the Federal Trade Commission's Identity Theft Program.
But much of the damage had already been done. It was an electronic hit-and-run.
Law enforcement authorities are taking the case seriously. "One person being defrauded is a terrible thing in itself," said Paul McCabe, an F.B.I. special agent in Minneapolis. "But several thousand people did receive the e-mail."
In fact, perhaps as many as a million e-mails were sent out by the fraud artists within a very short time, experts said.
The United States attorney's office in Minnesota is also involved in the investigation. Mr. McCabe said law enforcement officials in other countries had become involved, since the messages were also sent outside the United States.
Dawn Bryant, a Best Buy spokeswoman, said that subpoenas were served to Internet service providers that appear to have been hosts of the fraudulent Web sites, if unwittingly and that companies that sell domain names were also subpoenaed. By this afternoon, the company had handled tens of thousands of calls, she said.
The perpetrators, said Naomi Lefkovitz, a lawyer with the F.T.C., could be charged under the 1998 Federal Identity Theft Act. But catching them will not be easy.
"Once it's launched it's quite hard for law enforcement to track down," Professor Sparrow said. "All of this stuff is done so remotely. And chances are this one is being operated from abroad."
Fraud artists posing as fraud investigators are part of a time-honored tradition.
"There's a whole species of fraud involving companies impersonating customer service organizations," said Jason Catlett, president of the Junkbusters Corporation, a consulting company. Once they have the credit card and Social Security numbers in hand, perpetrators of such schemes sell them to identity thieves.
The ability to send out mass e-mailings greatly increases the potential yield. The number of people who fell for the fraud is unclear. Given how widely the net was cast, though, it is probable the scheme trapped quite a few victims.
"Even if 99.99 percent of the people who got it were sophisticated enough to see through it, if you send out a million you'll get some victims," said David Sorkin, a professor at the John Marshall Law School in Chicago and an expert on spam and consumer protection. "Spam is so cheap to send that you don't need a high response rate."
By Wednesday afternoon, Web bulletin boards were filling up with news of the fraud. "Good to spread the word on this fake as it is quite convincing," posted one recipient who did not fall for the ploy.
"They are very brazen," another wrote. "Just be warned."
The Best Buy scheme was sophisticated, though not particularly original. America Online, eBay, Wells Fargo and Bank of America have been the unwitting participants in similar deceptions.
In one scheme around tax time last year, e-mail messages were sent in the guise of an official Internal Revenue Service communication, alerting recipients to a problem with their tax refund. "As the I.R.S. pointed out, the I.R.S. doesn't e-mail people," Ms. Lefkovitz said.
Kevin Pursglove, a spokesman for eBay, said reports of fraudulent e-mail schemes - including messages that ask for credit card information - come in every day from customers.
"It's an ongoing issue for us," Mr. Pursglove said. "We are currently working with law enforcement officials to track them down."
David Kennedy, research director for TrueSecure, a security company based in Herndon, Va., that advises corporations, has seen an upswing in e-mail frauds lately. He has even received some himself. "It has certainly surged in the last three months," he said.
Most, but by no means all, consumers are shrewd enough to be suspicious of e-mail requests for personal information. People should know, Mr. Pursglove said, that "it's easy to mimic the look of an official e-mail or Web page."
To carry off such a scheme, fraud artists collect e-mail addresses, often using an automated program, and create a master e-mail list. Electronically, they capture images from a legitimate corporate site to create another Web site with the same look.
The link to Best Buy included in the e-mail message looked legitimate enough, and the fake Web site was the very image of a Best Buy site.
But other aspects were clear giveaways. Not only were there obvious grammatical mistakes, and strange return addresses, but a telephone number accompanying a Staten Island mailing address had an area code for Seattle.
"The silly mistakes are classic," said Ms. Lefkovitz of the F.T.C. "It's another thing we try to warn people about. Look for grammatical mistakes and other sloppiness."
Professor Sparrow said schemes like this provide a perfect opportunity to educate consumers. "People should understand that an incoming e-mail is just like an incoming telephone call," he said. "If it's unsolicited you should never trust it."
The fraudulent Best Buy e-mail messages were still arriving in computers today, and will probably pop up here and there for months to come, long after the spammers have disappeared into cyberspace.
"But they'll be back," Professor Sorkin said, "with some other scam tomorrow."