eCommerce websites let consumers pick out the items they need quickly and conveniently, without leaving home. The events of 2020 created a buzz around online services and multiplied their traffic several times over. At the same time, these blessings of civilization carry risks created by the increased activity of scammers. How do you avoid getting hooked when making deals online? Let’s take a closer look at the most common fraudulent schemes from a cyber security perspective and learn how to see through the phishers’ tricks.
The rise of eCommerce
The growing popularity of online classified-ad services is a noticeable consequence of self-isolation, and experts across various markets report the same trend. According to Forbes, the volume of online purchases made during the lockdown period increased sixfold. This is not surprising: people often cannot get to supermarkets and shopping centers, so they look for alternatives.
Still, the need to shop did not disappear; on the contrary, it grew stronger. According to Data Insight, consumers who cut down on trips to physical stores were, within three months, buying three times more goods on the Internet than before. They were joined by shoppers who had never, or only occasionally, used online marketplaces and classified-ad services before. The agency reports that during the first few months of the lockdown, more than 10 million users in Russia tried online shopping for the first time.
Alongside this, attempts to deceive buyers became more frequent. According to Kaspersky Lab experts, the wave of Internet scams that began rising in the spring of 2020 grew six- to sevenfold within a few months. They cite the example of CDEK, a Russian courier company: in April 2020, 36 fraudulent websites imitating this service were recorded, and by July there were 215 such sites.
Phishing in a few words
Scammers rely on so-called phishing schemes. Phishing is a set of techniques that let attackers obtain users’ bank card details, online banking credentials, phone numbers, and other personal data. Often the scheme takes the form of an email campaign with links to fake web pages: when users follow these links and enter their data, they hand the fraudsters access to their bank cards.
Phishing attacks are becoming more elaborate and sophisticated. Sometimes scammers apply psychological pressure and try to intimidate you. In other cases, phishers claim that the site’s security needs to be checked or improved, and that this is why the buyer must supposedly disclose their personal data.
Fraud schemes on ad platforms
According to the Russian news portal RBK, scammers earn up to a million rubles a day from phishing schemes on the major classified-ad platforms for goods and services.
The scheme relies on specially built sites. The attackers place ads offering goods at a reduced price. When a buyer responds, the “seller” replies that the item is in another city and offers to arrange delivery. The scammer then sends the user a link that leads to a phishing site, which is visually indistinguishable from the platform’s legitimate payment page. The buyer pays for the goods, the fraudsters take the money and delete the ad. Naturally, the deceived customer receives neither the product nor a refund.
Sometimes scammers use schemes that seem transparent at first glance. For example, a phisher lists an item on the platform. When an interested user responds, the scammer suggests using the platform’s secure transaction, with a discount, and then proposes continuing the conversation in a messenger app such as WhatsApp. During the secure transaction the buyer enters their card number in the platform’s app and confirms the payment through the bank’s 3-D Secure step. At this point, the scammer cancels the secure transaction on the ad platform.
The ‘buy’ button disappears from the ad, and the money is returned to the victim’s card. The seller quickly messages the victim, assures them that this happens sometimes, and immediately sends a phishing link. The page’s interface exactly matches the platform; only the domain name differs, which users usually fail to notice (for example, youla.be instead of youla.ru).
Clicking the payment button takes the buyer to a site that really does interact with the bank’s payment service, but as a card-to-card transfer to the scammer rather than a purchase. The victim enters the card details, goes through the bank’s 3-D Secure step, and confirms the payment. The bank’s SMS with the confirmation code does state the type of transaction, a card-to-card transfer (CARD2CARD), but almost no one reads it. That line in the SMS is the one reliable signal that something is wrong: a purchase on the platform never shows up as CARD2CARD.
After this chain of actions, the deceived user notices that there is no completed purchase in their orders on the platform. The fraudster then gets in touch again, reports a glitch on the portal, and sends a new phishing link, supposedly for a refund. As soon as the buyer asks for their money back, the phisher blocks them in the messenger app and on the platform.
Unfortunately, the platform’s technical support sometimes takes several hours to respond. Meanwhile, the fraudster reactivates the ad and manages to cheat several more visitors.
Sellers on online platforms also fall prey to phishers. After a user places an ad, a “buyer” gets in touch and says they would like to purchase the item. They ask for the seller’s details and send a link that supposedly confirms they have already transferred the money through the site’s payment system. The victim only needs to enter their bank details and click the ‘receive payment’ button. In reality the transaction runs the other way, and the money is debited from the deceived person’s account.
There are also simpler variants: a user receives an SMS from an unknown number offering to collect payment for a sold item, with a link to the “payment system”. Or an email arrives at the address given during registration on the platform. These messages are often crafted professionally and visually mimic emails from the site’s support service. All of their links are genuine and lead to the official site, except the last one, “Send” or “Receive”. Clicking it drops the user into the phishers’ trap.
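The “every link is genuine except the last one” pattern above, and the youla.be-for-youla.ru swap described earlier, are both caught by checking each link’s host against the platform’s real domain rather than by eyeballing the page. The following is an added example, not code from the original article or from any platform; the official domain list and the sample email are constructed for illustration, and the registrable-domain helper is deliberately naive (it does not consult the Public Suffix List).

```python
import re
from urllib.parse import urlsplit

# Domains the platform really uses. Constructed for this example; a real
# deployment would load the list from configuration.
OFFICIAL_DOMAINS = {"youla.ru", "avito.ru"}

# Grab anything that looks like an http(s) URL in free text.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Return the last two labels of a host name ("pay.youla.ru" -> "youla.ru").

    Naive on purpose: multi-label public suffixes such as "co.uk" would need
    the Public Suffix List, which is out of scope for this example.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url, official=OFFICIAL_DOMAINS):
    """Classify one URL relative to the set of official domains.

    Returns one of: "official", "idn-lookalike", "lookalike-tld",
    "lookalike-embedded", "external".
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    domain = registrable_domain(host)
    if domain in official:
        return "official"
    # Punycode or non-ASCII hosts are how homoglyph attacks (Cyrillic "а" for "a") show up.
    if "xn--" in host or not host.isascii():
        return "idn-lookalike"
    brand = domain.split(".")[0]
    brands = {o.split(".")[0] for o in official}
    # Same brand label, different TLD: youla.be instead of youla.ru.
    if brand in brands:
        return "lookalike-tld"
    # Brand name buried in a subdomain or label: youla.ru.secure-pay.example
    if any(b in host for b in brands):
        return "lookalike-embedded"
    return "external"


def suspicious_links(message, official=OFFICIAL_DOMAINS):
    """Return [(url, verdict)] for every link in the message that is not official."""
    results = []
    for url in URL_RE.findall(message):
        verdict = classify_link(url, official)
        if verdict != "official":
            results.append((url, verdict))
    return results


# Constructed sample: a fake "buyer has paid" e-mail in which every link but
# the final "Receive payment" one points at the real site.
SAMPLE_EMAIL = """\
Hello! A buyer has paid for your item "Smartphone".
Your ad: https://youla.ru/moskva/smartfony/item-123
Help center: https://youla.ru/help
Receive payment: https://youla.be/payout/receive?id=9b1f
"""

if __name__ == "__main__":
    for url, verdict in suspicious_links(SAMPLE_EMAIL):
        print(f"{verdict:20s} {url}")
```

Run as a script, it flags only the “Receive payment” link as a lookalike-tld. The same check belongs in a platform’s outbound-message filter: the interesting property is not that a link is external, but that it borrows the brand label while pointing somewhere else.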
Messenger app scams
Most popular online classified-ad services take serious steps to reduce fraud. All dealings are meant to happen on the site itself, where the platform monitors the actions involved in selling and paying for goods, and messages containing links to suspicious external resources are blocked in user correspondence. Scammers, however, keep coming up with new ways to profit and have moved to WhatsApp, Telegram, Viber, and other instant messengers to send links to phishing sites.
A message arrives in the platform’s chat whose only purpose is to move the conversation to a messenger app. One detail is worth noting here: because the platform blocks words like Viber, Telegram and WhatsApp, fraudsters write the names of the messengers with deliberate misspellings or inserted characters. Knowing this trick makes the deceiver easy to recognize.
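A keyword filter that matches the literal word “WhatsApp” is exactly what the deliberate misspellings above are designed to evade. A filter that first normalizes the text (folds look-alike characters, strips inserted separators) and then allows a small edit distance catches most of them. The code below is an added example, not code from the article or from any platform; the homoglyph table, the messenger list, and the test phrases are constructed for illustration.

```python
import re
import unicodedata

# Canonical names we want to catch, keyed by their normalized form.
MESSENGERS = {"whatsapp": "WhatsApp", "telegram": "Telegram", "viber": "Viber"}

# Substitutions scammers use to slip past an exact-match word filter:
# leetspeak digits/symbols and Cyrillic letters that look like Latin ones.
# This table is constructed for the example, not taken from any platform.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "|": "l",
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x",
    "к": "k", "м": "m", "т": "t", "н": "h",
})


def normalize(text):
    """Lower-case, strip accents, fold look-alike characters, drop everything else."""
    text = unicodedata.normalize("NFKD", text).lower()
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.translate(HOMOGLYPHS)
    return re.sub(r"[^a-z0-9]+", "", text)


def levenshtein(a, b):
    """Classic edit distance; inputs are short words, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_messengers(text):
    """Return the set of messenger names referenced in text, obfuscated or not."""
    hits = set()
    # Pass 1: collapse the whole message so "W h a t s A p p" or "wh.ats.app" become one token.
    collapsed = normalize(text)
    for key, name in MESSENGERS.items():
        if key in collapsed:
            hits.add(name)
    # Pass 2: per-word fuzzy match for misspellings like "Vaiber" or "te1egramm".
    for token in re.split(r"\s+", text):
        word = normalize(token)
        if len(word) < 4:
            continue
        for key, name in MESSENGERS.items():
            budget = 1 if len(key) <= 6 else 2   # allow more edits for longer names
            if levenshtein(word, key) <= budget:
                hits.add(name)
    return hits


if __name__ == "__main__":
    # Constructed chat lines in the style of the evasion described above.
    for line in ["Пишите в W h a t s A p p, тут неудобно",
                 "давай в te1egramm, там дешевле",
                 "Pay through Vaiber, it is safer",
                 "See you in the store tomorrow"]:
        print(f"{sorted(find_messengers(line))!s:16s} <- {line}")
```

Fuzzy matching trades precision for recall: an edit budget of 1 means the English word “fiber” also matches “viber”, so on a real platform a hit should raise the message for review or rate-limit the sender rather than silently block it. Transliterated names (“ватсап”, “телега”) are not one edit away from the Latin keys and need their own entries in the list.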
How to counter online scammers
How do you avoid online scams and stay out of the trap? The answer is simple: forewarned is forearmed. Stay attentive and, every time you buy something, use only the official payment tools provided by the marketplace, or pay in cash. Keep all communication between seller and buyer inside the platform’s own chat, and avoid deals that require prepayment.
For secure transactions, you can use escrow accounts: money is not released from such an account until both parties have met the agreed conditions. For example, when selling through Avito, the seller is paid from the escrow account only after the buyer confirms receipt of the goods.
What should sellers do? Do not follow suspicious links, and do not give out bank card data for any reason, including the CVV code or PIN. To receive a transfer, a seller only ever needs to give the card number; the expiry date, CVV, PIN, and SMS codes are needed only to pay from a card, so anyone who asks for them is trying to take money, not send it.
Do not publish your real phone number on publicly available pages. As a rule, your number is tied to your existing online accounts and to your bank cards. Services such as Avito offer a call function for exactly this reason: buyer and seller cannot see each other’s contact details, and all calls are routed through the site.
How can a developer or owner of an online marketplace protect their users? One option is to engage companies that provide cyber security assessment services. Experts will analyze the current state of the service, test its systems, and deliver conclusions and recommendations, on the basis of which platform owners can decide how to strengthen their defenses against attackers.
Today, security on classified-ad platforms is more relevant than ever. To achieve an appropriate level of reliability for your online transactions, or to get further information, you can order cyber security consulting services. In general, always use common sense and remember that the methods of cyber criminals evolve together with the online marketplaces themselves.