My family’s recent near-scam experience gave me a new appreciation for how complex fraudulent schemes can be. From compromising Facebook accounts and posting fake listings all the way to impersonating Amazon services, this mass fraud operation has a strong foothold in the Facebook Marketplace world. One common theme reverberates through every phase of this multi-part social engineering scam: each stage uses different tactics to gain the victim’s trust and overcome caution. While researching this incident, I found that we weren’t the only targets. To save you from experiencing the same headache, here are the lessons learned from that incident.
Lesson 1: “Real” doesn’t equal “trustworthy”
Marketplace is Facebook’s version of Craigslist. The premise is simple: buy and sell in your area. The idea became popular and the platform is definitely appealing; however, the social network giant is plagued by the same problems that Craigslist has become infamous for, from shady deals to downright illegal activities.
While Craigslist is known for its anonymity, Facebook is all about people’s profiles. People tend to trust “real” people and buying something requires just that: trust. A buyer might feel safer responding to a listing posted by Kate Smith whose profile picture shows her granddaughter in a tiara. A seller might feel safer giving out their home address to John Lee who regularly posts videos of his puppy. These are real people, after all. They’re trustworthy, right? Even Marketplace’s Trust & Safety page lists checking the person’s profile as the #1 safety rule:
There is a problem with this safety rule, though. First of all, let’s not forget that criminals are “real” too. Having a friendly Facebook profile complete with family and pets doesn’t immediately make one trustworthy. Nowadays, these scams are conducted by organized crime groups acting as regular businesses. These are people who work 9-5 in an office setting and who love puppies just as much as honest people do.
More importantly, what I learned during my unfortunate near-scam experience is that even if you eliminate fake personas criminals assume online, dealing with “real” Facebook accounts doesn’t guarantee safety. Not when those can be compromised.
A compromised account can be used by criminals to post fraudulent Marketplace listings and lure potential victims into their grasp.
You think this wouldn’t happen to you?
Below is an actual exchange between a buyer who responded to a Marketplace listing and received a surprised response:
Buyer: I’m interested in the camper.
Seller: Who are you and why are you messaging me?
Buyer: I’m responding to the ad you posted about the camper
Seller: What ad? I don’t have a camper. I live in the city. LOL
A few hours later:
Seller: Hey. Yes, the camper is for sale. Email my mom at firstname.lastname@example.org. She’s the one selling it.
What happened here? It’s as if it was a conversation with two different people. It possibly was. I believe that the first exchange was with the actual Facebook account holder, the “real” person behind the name, and the last was with the scammer. The account was compromised and the owner had no idea. Who knows how many fake listings were posted without their knowledge?
It worries me how many Facebook accounts could have been taken over like this. If those messages are deleted right after being sent, the account owner wouldn’t have a clue that anything strange is going on, that someone is using their account to scam others. This could go on for months, maybe years.
Lesson 2: Phish happens. Don’t fall for the bait.
But let’s back up for a moment. How could this happen? How can someone just take over your Facebook account without your knowledge? To execute their plan, the scammer needs to quietly take over a legitimate Facebook account. There are many social engineering methods criminals use to convince someone to give up access to their account.
Here’s one example phishing scheme you should be aware of:
- You get a message on Facebook, “Hey, is that you in the video? It has a million views already.”
- You click on the link and it takes you to a Facebook lookalike page prompting you to log in (it isn’t a real Facebook page).
- You think you’re still on Facebook and you put in your credentials. You willingly give up your username and password to the attacker. They can now log in to your account and be you. They can post, message and list things on Marketplace in your name.
- They also send the same phishing message to all of your friends. Some of them will fall for it just like you did. After all, they trust that a link coming from you would be safe. And so the disease spreads: the scammer now has their login info too, and will continue phishing their friends.
You wouldn’t even notice when this took place. The scammer doesn’t want to take your account away from you, change the password or deny you access. Instead, they want to use it unnoticed. They want you to keep posting your family updates or cute pet videos, or better yet, conduct real Marketplace transactions, because that way you keep confirming that your account is legitimate. The credibility of your account gives them an advantage.
What can you do to avoid falling for phishing? Be aware each time you enter your login credentials: look at the address bar in your browser to verify what site you’re logging into. And remember that passwords are like underwear: change them often. More tips at the end of this article.
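To make “look at the address bar” concrete, here is an added Python example (not part of the original post) that checks the host a browser would actually connect to against the real facebook.com, and contrasts it with the naive “it says facebook.com somewhere” glance that the lookalike pages described above rely on. The sample URLs are constructed for the example; the only assumption is that real Facebook login pages live on facebook.com or one of its subdomains, over HTTPS.

```python
from urllib.parse import urlsplit

# Assumption for this example: Facebook's real login pages live on
# facebook.com or one of its subdomains, always over HTTPS.
LEGIT_DOMAINS = ("facebook.com",)

def is_legit_login_url(url: str) -> bool:
    """True only if the host the browser would actually connect to
    belongs to a domain in LEGIT_DOMAINS and the page is served over HTTPS."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False                      # login page over plain http: red flag
    host = parts.hostname                 # drops userinfo ('facebook.com@...') and port
    if not host:
        return False
    host = host.rstrip(".").lower()       # 'facebook.com.' is the same as 'facebook.com'
    try:
        host.encode("ascii")              # non-ASCII (homoglyph) hosts never match
    except UnicodeEncodeError:
        return False
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def naive_check(url: str) -> bool:
    """The check people do in their heads: 'it says facebook.com somewhere'."""
    return "facebook.com" in url.lower()

# Constructed sample URLs: one real login page and several lookalikes of the
# kind a phishing link from an "is that you in the video?" message might use.
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "http://www.facebook.com/login.php",              # real host, no TLS
    "https://www.facebook.com.video-check.example/",  # real name used as a prefix
    "https://facebook.com@login-verify.example/",     # real name in the userinfo part
    "https://faceb00k.com/login",                      # digit-zero lookalike
    "https://www.fa\u0441ebook.com/login",             # Cyrillic letter in place of 'c'
]

def classify(urls):
    """Map each URL to (naive_says_ok, careful_says_ok) for comparison."""
    return {u: (naive_check(u), is_legit_login_url(u)) for u in urls}

if __name__ == "__main__":
    for url, (naive, careful) in classify(SAMPLE_URLS).items():
        print(f"{'OK ' if careful else 'BAD'}  naive={naive!s:5}  {url}")
```

Only the first sample passes the careful check, while the naive glance accepts three of the lookalikes.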
Lesson 3: If it looks too good to be true, it probably is
Now that the stage has been set, the scammer needs to place the bait. This is where Marketplace comes into play.
Once the attacker has access to your account, they will post an ad in Marketplace saying that you have something for sale. This ad will be visible to everyone in your area. People will start messaging you, “Hi. I’m interested.” The attacker will now answer those messages with “Great. Please email my mom at email@example.com for more info. It’s her camper.” Why “email my mom” and not “email me”? Because the name on the email address will likely be different from that of the person whose account they hacked.
Side note: I wondered, why Comcast? Who uses Comcast as their email provider? But then I realized: with popular email services like Gmail it’s harder to get an email address that looks like a person’s name, because those addresses are already taken. Very few people use Comcast email, so it’s easier to get a firstname.lastname address there. The more “real” the address looks, the more believable it is. This is yet another tactic for establishing trust.
In the case of the scam my family nearly fell for, it was a camper. Great price, claimed to be in pristine condition. Awesome value for the buck. A conversation started about purchasing it.
Can you spot the red flags in this email conversation?
Buyer: Hi Melissa. I was referred to you by Marie in regards to the camper you have for sale. Could you give us some more details as to what model it is and also how we could check it out in person?
Seller: Hello there. Thank you for contacting me about my 2013 21′ Remington/Sunny Brook Quality Travel Trailer with leveling jacks included and 31-40 gallons of water capacity, sleeps 4. The camper is in great shape & immaculate condition and I’m the original owner. It has no damage, or hidden defects. I have a clear title, under my name. The price is firm, $2,000. This camper is in great shape and everything functions as it should. We have used it a dozen times and have had no issues with it. I’m selling it because my husband died 1 month ago (he had a heart attack) and it brings me bad memories so that’s the reason I want to sell it asap. My daughter and I decided to sell the house and so we moved with my parents in Lawrence, KS trying to start a new life. I want to use Amazon’s Service for the safety of both of us so if you’re interested in purchasing the camper just email me with your full name, P.O. Box or address including the zip code and phone number, so I can notify Amazon that you are selected as my possible buyer and they will contact you to explain the entire procedure.
Buyer: Hi Melissa. Thanks for the details. Do you mean that the camper is in Kansas and we’d be using Amazon for delivery and payment?
Seller: Hi again. As I have told you in my previous email my husband died recently. I had to move out and now I am living with my parents in Lawrence, KS. At the moment they are the only ones I can rely on. The camper is at the shipping company, in Lawrence KS, sealed and ready for the shipping. The deal includes free delivery and it will arrive at your address in 2-4 days. Once you will get the camper you will have 5 days to try it out prior to making any purchase. In the case that you feel that the camper is not suitable, you can just return it, all fees being on my expense. When receiving it you will have as well all the documents, including title, bill of sale, 2 sets of keys, full service records and more. The title and the bill of sale will be notarized and signed by me. If you are interested in knowing more info about how it works, I can ask Amazon to send you an email with more information on how to purchase it. Please reply with your whole name, a delivery address including (street, city, state, zip code) and ph# and they will contact you right away. As soon as I hear that from you I will initiate the transaction through them.
Here’s what bothers me about the information this person shared:
- If I were a grief-stricken widow, I wouldn’t repeatedly bring it up to strangers.
- Not being able to see an item before buying it is very concerning.
- How can the cost of shipping a camper across the country be included in a $2,000 price? The seller wouldn’t be making any money at all. Who would do that?
Old tricks revisited
After researching whether anyone else had seen this scam, I found that it’s been going on for a while: it started on Craigslist years ago.
Here are the consistent points of this scam and others like it that you should look out for:
- The item is priced very attractively. The scammer copies a legitimate ad, uses the same description and pictures but prices it a lot lower.
- The item for sale is conveniently not in town so you can’t look at it.
- The seller is trying to make the sale fast: a spouse has died, they’re in the military about to be deployed, etc.
Lesson 4: Anyone can say they work for Amazon
In the above email exchange, the scammer was trying to reassure the buyer that there was no risk in the transaction: “You will have 5 days before making any purchase […] you can just return it, all fees being on my expense.” It’s all designed to lull the victim into a false sense of security.
Using Amazon’s name also has a purpose. People have grown cautious and have learned to beware of Western Union or PayPal transactions. Amazon’s popularity is used here as a cover, a name you can trust.
If the victim took the bait and gave out the contact information requested in the email, I imagine they would get a phone call from a very nice “Amazon representative” who would reassure them: “We’ll set you right up. We just need your credit card number for seller’s assurance, but you will NOT be charged until AFTER you confirm you received the item. We pinky-swear.”
The victim would give out the credit card information, get immediately charged $2,000 (maybe more) and never receive anything. Calling the number back or emailing Melissa the Widow would produce no results; no one would answer. Contacting Amazon directly would reveal that no one from Amazon had ever called them. It was all fake. By then, the criminals would have covered their tracks and gotten away with the victim’s money.
Don’t let this happen to you
Criminals will continue to find ways of scamming people. All we can do to protect ourselves and our loved ones is to educate each other. Knowledge goes a long way: it makes the difference between being a potential victim and an actual one.
So, if you must shop online with services like Facebook Marketplace, Craigslist or similar, keep these tips in mind:
- Be careful who you’re buying from. Don’t assume that a legitimate-looking account proves that a person is trustworthy or that the listing is real.
- Insist on seeing the product and meeting the seller before paying for it.
- Beware of deals that are too good to be true.
- When in doubt, research (useful links below).
Ready for more tips?
- 10 ways to avoid phishing scams
- Scam Tracker by BBB
- What to do if you think your Facebook account was compromised
This article was previously published on LinkedIn.