We’ve recently come across examples of phishing attempts sent as replies to classified ads on Donedeal.ie. The seller receives an innocent-looking message such as “Is the item still for sale?” and, if they reply, gets a generic answer like this one:
Hi mate, I have looked at it a few times now, and after looking around, I’m satisfied with the great condition but what’s your actual price for it. I love a bargain, so I would like to get it as soon as I can. I would be able to make payment through PayPal, I find it the easiest way to use my credit card safely and is a safe and reliable method of payment… Let me know your price for it. I hope to hear from you soon, and I will make all transportation preparations for the it to be transported to my home. If possible can you send me some recent picture of the item?
In the case above the seller was advertising a boat, but the reply never mentions a boat at all: the “buyer” keeps referring to “it”, “the it” or “the item”, which suggests a generic template mailed automatically to a large number of sellers. Part of the purpose of the scam is usually to get the seller to disclose their online payment account details and other personal information, which the scammers can then use for identity theft, for attacks on the account itself, and for other activities that yield financial gain.
However, there is usually a second phase of the attack, in which the scammer follows up from another email address with a phishing email that appears to come from PayPal (or Craigslist, or whatever service is being used). In some cases the scammer will first have asked the seller to send a payment or invoice request through that service, so that a “confirmation” looks expected. A complete example typically looks like this:
Dear [victim’s name: whereas initial phishing emails normally open with something like ‘Dear valued customer’ or the victim’s email address, because the sender doesn’t have a real name, here the scammer can use the victim’s real first and last name, taken from the victim’s response to the original message, just as authentic PayPal messages do.]
[Service provider] confirms that [scammer’s alias] has sent you [agreed sum, often in excess of the amount for which the item was originally offered] for [the item].
The details of the item and the transaction will be included to reassure the victim that all is in order. But there will also be a note to the effect that the payment is pending for some fabricated reason (usually to do with security) and that the provider will not credit the seller’s account until it has received the shipment reference or tracking number, supposedly to protect the buyer from fraud on the part of the seller. The odds are that the scammer will receive the goods and sell them on without paying any money whatsoever.
There may be a link to the real PayPal site, on the assumption that the victim will be reassured by the official look of the message and not seek verification. However, it’s at least as likely that the link will point to a cloned PayPal site that gives misleading information and harvests whatever credentials are entered there. In that case the scammer not only gets the goods without paying, but may be able to carry out further fraud before the victim realises they have been conned. To add insult to injury, the scammers sometimes also ask for the amount they supposedly transferred in excess of the agreed price to be sent back to them via an untraceable channel such as Western Union, so the victim actually ends up paying them as well…
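Both phases described above lend themselves to simple heuristic checks: the first-contact reply that never names the listed item, and the follow-up “payment pending until you send a tracking number” email whose links leave paypal.com. The Python below is an added example written for this article; it is not code from the original page, from PayPal or from DoneDeal. The phrase lists, the score thresholds, the sample HTML notification, the person names in it and the lookalike hostname under the reserved `.example` domain are all constructed for illustration; the first sample reply is the scam message quoted earlier on this page.

```python
"""Heuristic checks for both phases of the classified-ad payment scam.

Added example for this article, not code from the original page, PayPal
or DoneDeal. Phrase lists, thresholds, the sample payment email and the
lookalike hostname are constructed here; tune them on real traffic.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# ---- Phase one: the "buyer" reply never names the listed item -------------

# A reply that only ever says "it", "the it" or "the item" reads like a
# template mailed to many sellers at once.
GENERIC_ITEM_REFS = re.compile(r"\b(the item|the it|it)\b", re.IGNORECASE)

# Lures that recur in these templates (constructed list; extend as needed).
PHASE_ONE_LURES = [
    r"\bpaypal\b",
    r"\bcredit card\b",
    r"\b(transport|ship|courier)",          # shipping arranged by the buyer
    r"\brecent pictures?\b",
    r"\b(actual|final|last) price\b",
]


def score_buyer_reply(text: str, item_name: str) -> dict:
    """Score a first-contact reply; item_name is what the ad actually lists."""
    names_item = item_name.lower() in text.lower()
    generic_refs = len(GENERIC_ITEM_REFS.findall(text))
    lures = [p for p in PHASE_ONE_LURES if re.search(p, text, re.IGNORECASE)]
    score = (0 if names_item else 2) + (1 if generic_refs >= 3 else 0) + len(lures)
    return {"names_item": names_item, "generic_refs": generic_refs,
            "lures": len(lures), "score": score,
            "suspicious": score >= 4}       # threshold is an assumption


# ---- Phase two: the fake "payment pending" notification -------------------

PHASE_TWO_LURES = {
    # payment held until the seller proves they have shipped
    "payment_pending": r"\bpending\b",
    "tracking_required": r"\b(tracking|shipment reference) (number|no\.?)\b",
    # refund of an "overpayment" through an untraceable channel
    "untraceable_refund": r"\b(western union|moneygram)\b",
}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_paypal_host(host: Optional[str]) -> bool:
    """True only for paypal.com itself or a subdomain of it.

    Checking the registered domain as a suffix defeats lookalikes such as
    paypal.com.something.example, where "paypal.com" is just a label.
    """
    host = (host or "").lower().rstrip(".")
    return host == "paypal.com" or host.endswith(".paypal.com")


def check_payment_email(html_body: str) -> dict:
    """Flag links that leave paypal.com plus the lure phrases of the scam."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    # mailto: and empty hosts are flagged too: they also leave the real site
    bad_links = [href for href, _ in parser.links
                 if href and not is_paypal_host(urlparse(href).hostname)]
    lures = [name for name, pat in PHASE_TWO_LURES.items()
             if re.search(pat, html_body, re.IGNORECASE)]
    return {"bad_links": bad_links, "lures": lures,
            "suspicious": bool(bad_links) or len(lures) >= 2}


# The generic reply quoted in the article above, checked against a boat ad.
SAMPLE_REPLY = (
    "Hi mate, I have looked at it a few times now, and after looking around, "
    "I'm satisfied with the great condition but what's your actual price for "
    "it. I love a bargain, so I would like to get it as soon as I can. I would "
    "be able to make payment through PayPal, I find it the easiest way to use "
    "my credit card safely and is a safe and reliable method of payment... Let "
    "me know your price for it. I hope to hear from you soon, and I will make "
    "all transportation preparations for the it to be transported to my home. "
    "If possible can you send me some recent picture of the item?"
)

# Constructed phase-two email: names, amounts and hostname are made up.
SAMPLE_PAYMENT_EMAIL = """
<p>Dear Pat Murphy,</p>
<p>PayPal confirms that Alex Carter has sent you EUR 4,500.00 for Boat.</p>
<p>The payment is pending for security reasons and will be credited to your
account as soon as we receive the shipment reference number from you.</p>
<p>Please send the EUR 300.00 agent fee to the buyer via Western Union.</p>
<p><a href="http://paypal.com.verify-payment.example/login">https://www.paypal.com/</a></p>
"""

if __name__ == "__main__":
    print(score_buyer_reply(SAMPLE_REPLY, "boat"))
    print(check_payment_email(SAMPLE_PAYMENT_EMAIL))
```

The link check deliberately compares the registered domain of the `href`, not the text the reader sees: in the sample the visible text is a genuine PayPal address while the target is a lookalike host. A message that passes both checks still deserves the verification step the article recommends, since a link to the real site proves nothing about who sent the email.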
We asked PayPal about such dodgy offers and the abuse of the PayPal name for scamming, and they replied:
You’re right – it was a phishing attempt, and we’re working on stopping the fraud. Identity thieves try to trick you into revealing your password or other personal information through phishing emails and fake websites.
Buyers and sellers using online classifieds should therefore always check carefully who they are dealing with and how safe the proposed payment method is, and if they are unsure of anything they should check with the service itself first (in this case PayPal), through the service’s own site rather than through links or contact details in the message. They should take advantage of the fact that reputable companies like PayPal offer a means of securing transactions without giving away information that makes it easier for a scammer to impersonate the service provider. They should take the time and trouble to find out exactly how the service protects both parties in a transaction. And in most cases we recommend linking a credit card rather than a cheque or savings account, as a credit card is likely to offer better protection and recompense in the event of a successful fraud.
DoneDeal.ie themselves contributed several useful tips on keeping safe; read them here: DoneDeal’s security advice for online buyers and sellers