How scammers use fact and fiction to rip off used buyers

Imagine you are looking for a luxury food processor that is currently popular and coveted. You can find an offer on a classifieds portal where everything looks trustworthy from the price to the description. A subsequent phone call, in combination with supposed evidence such as ID copies and websites, creates enough trust that you finally fall into the trap – and lose a lot of money without ever seeing the goods.

An informally organized group of victims of this relatively new scam has contacted c’t. Based on their experiences, we show the tricks with which the professionally organized perpetrators manipulate even attentive people (“social engineering”) – until they make expensive mistakes under the influence of latent time pressure and subtle emotions. To put it bluntly: none of the victims acted “stupidly”. Everyone fell into traps that weren’t obvious at first glance. We also give tips on how to let the perpetrators run into nowhere.

Serious offers

Klaus G. was looking for a premium kitchen machine on eBay classifieds that the manufacturer could no longer deliver. An advertisement placed by Lara K. on the same day promised a new device that was still in its original packaging. The price sounded realistic: negotiable 1150 euros, a small saving compared to the recommended retail price, not a dubious crack price.

A photo showed the tied box. The description said that the device had been ordered for a holiday home, but that a different model had been chosen for reasons of taste. Interested parties could pick up the food processor, invoice and guarantee would be available. Klaus A. then expressed his interest via the chat function. To shorten the process, he sent his cell phone number. Reputable offers can hardly be distinguished from fakes.

A little later he received a WhatsApp voice call, the app displayed a German cell phone number. A friendly woman introduced herself in the best High German as “Nina P.” before. She is a friend of Lara K. who posted the ad on her behalf – she herself is not familiar with eBay classifieds. She repeated that it was purely a question of taste and that the machine had been around for a long time.

After a short period of reflection, Klaus G. called back via WhatsApp to accept the offer. They finally agreed on 950 euros. Incidentally, the alleged Nina P. dropped that she had been the mother of a small daughter for three months (a baby’s voice croaked in the background) and that she earned her money with holiday apartments. If Klaus G. wanted to, he could take a look at their homepage; she said the address right away.

generates trust

At the same time, Klaus G. checked the homepage – it had a .de domain and, according to the imprint, the holiday home rental also seemed to exist. In addition to the name of the caller, it also contained an address and an e-mail address, a sales tax ID and the cell phone number just used. It also referred to a supposed parent company, including the address and a Gerd Z. as its owner. An Instagram account with 1800 followers completed the portfolio. The caller’s WhatsApp profile also seemed to confirm what was said: under a baby photo were the phone number and initials. Klaus G. was certain that he was dealing with a reputable seller.

The payment method remained. In the absence of a user account, payment via “Pay safely” on eBay classifieds is not possible, the caller said, and unfortunately her company does not have a PayPal account. The money must go to her company “for tax reasons”. Klaus G. then gave her his credit card details, but according to the caller the transfer failed because of “3D-Secure”. Now she suggested a transfer, as evidenced by the IBAN, to an institute in Ireland – allegedly because her company also rents holiday homes abroad.

abused trust

After Ms. P. also sent him the “original invoice” as an image file, Klaus P. transferred the money. A little later he got a queasy feeling – initially because of his credit card, which he then had blocked. When asked in the WhatsApp chat, the alleged Nina P. confirmed the next day that the money had been received and that she would get the device on its way. Her messages became sparse, two days later she texted him that she was in the hospital and would be in touch later. She did not answer any further questions.

Now Klaus G. tried it with Gerd Z., who according to the imprint should be the owner of the parent company. In fact, this holiday home was rented out, but the perpetrators had demonstrably copied data from his real website onto a fake one. There is also no subsidiary. However, Gerd Z. explained that Klaus G. was not the first person to ask him this question; he is already in contact with the real Nina P., but she has nothing to do with the matter. G. then filed a complaint with the police and contacted “Modulr”, the Irish neobank where, according to the IBAN, the account was held. The bank assured him that it was investigating and that “measures against the account” had already been taken. He should also contact his bank so that the legal departments could enter into an exchange; in vain, as it soon turned out.

Klaus G. also reported Lara K.’s account to eBay classifieds. Customer service replied that the user account “of the provider you were in contact with” had been restricted. It is assumed that it was “abused by third parties”, while the “actual account holder” did not place the ad and was not behind the messages.

Not an isolated case

Klaus G. researched further. He finally reached the real Nina P via the address given in the imprint. She was also one of the victims: the same group of perpetrators had responded to a request for an expensive smartphone. In the end, the real Nina P. did not agree to the transfer, but she sent the perpetrators photos of her ID when asked. Now the perpetrators misused their identities in order to tell the victims a false story and cover their tracks. The family had therefore already filed a complaint.

The c’t known damage alone amounts to between 15,000 and 20,000 euros. About half of this is high-priced DJ equipment. Only a few victims were lucky and got their money back. The fake website, which according to the name server information was hosted by the website service provider Jimdo, is now offline. Gerd Z. had hired a lawyer because of the unauthorized use of his data. When asked by c’t, Jimdo confirmed that it had hosted the website and had shut it down “at the request of an investigating authority”; Further information is not possible for data protection reasons.

Bait and wrong numbers

The starting point in this and all other cases are user accounts on eBay classifieds, which the perpetrators either hijacked or opened under a false identity. The perpetrators usually offer higher-priced goods that are difficult to obtain, which create subtle pressure to buy on the part of interested parties. The prices are within a realistic range. For illustration, scammers use photos copied elsewhere. The descriptive texts including the “background story” are fictitious and are intended to build trust.

Our advice: Always remember that fraudulent accounts on classifieds sites are ubiquitous. We were not surprised by the description given by an affected person who checked other offers for the camera they were looking for after the flop (“nine out of ten were fake”). Therefore, be particularly careful with higher-quality and possibly particularly sought-after products – in the cases we know of, it was not just about expensive kitchen appliances, but also about cameras, high-end graphics cards, smartphones, Playstations and DJ equipment.

In the second step, the perpetrators ask for a mobile phone number in order to lure interested parties off the portal. This undermines the protective mechanisms that, for example, eBay offers classified ads with “secure payment”. In the current case, the fraudsters called the interested parties via WhatsApp and also used the WhatsApp chat (unlike the otherwise common call ID spoofing). From the scammers’ point of view, WhatsApp has the advantage that they only have to activate the app once via SMS to the phone number, then remove the SIM card from the device and log out. It is still displayed to the recipient.

Our advice: Never give out your telephone numbers. If it does happen, don’t let yourself be lured away from the portal or, when you call or send SMS or messenger messages, insist on switching back to the classifieds portal’s chat before paying at the latest. Don’t trust any displayed phone number. Some prospects averted worse when they tried to reach the number on the regular cellular network – which returned a “not answered”.

theatrical performance

In the third step, the perpetrators want to gain the trust of the interested parties and invent explanations, for example why the names of the account holder and the caller differ. So they cleverly construct characters with background stories and mix fiction and reality. Real (but stolen by third parties) are the names, personal data and possibly photos. The perpetrators copy the latter – for example the baby photo – from social media such as Facebook. The names and address data come from copies of ID cards that the scammers used as pretexts to obtain from the actual owners (see box). They think up a story and a reason for selling these people, subtly enriched with emotions and acted by people who speak German without an accent.

The perpetrators often substantiate their story with copies of invoices, which they also obtained from third parties or simply forged. At the heart of this case was the vacation rental company’s fake website, which they had populated with photos and text copied elsewhere, as well as the stolen identities. Such websites are intended to reassure interested parties and are now part of the common tools used by scammers. The perpetrators benefit from the fact that web hosts only have to check the identity of website operators under German law in suspicious cases. Scammers often also send copies of the IDs they stole – and subtly ask prospects to send ID photos in return.

Our advice: keep your distance and don’t believe anything. They want to buy something and negotiate with strangers in the anonymity of the internet; you can’t check a backstory. Be extremely suspicious if the names of the account user and caller differ. Even copies of ID cards do not prove identities, because identity abuse is ubiquitous – so never send copies of ID cards to strangers yourself. Websites are also no evidence of honorable intentions: fraudsters simply book domains (also with .de) with stolen payment data and click together wrong content in no time at all.

The money is gone

Once the perpetrators have built up trust, the last step is to tempt potential customers to make a bank transfer. First, the perpetrators invent supposedly plausible reasons why a payment method with buyer protection options such as “Pay securely” on eBay classifieds, PayPal or credit card is not possible. If interested parties disclose credit card details, the perpetrators may also misuse them for illegal purposes.

In order to make it easy for the victim to transfer money while at the same time covering their tracks, the perpetrators like to target foreign banks in the eurozone. They specifically use credit institutions with weaknesses in identity verification – mostly unsuspecting straw men opened the accounts and gave the perpetrators the access data. They came up with explanations for the foreign IBAN, such as Klaus G’s “tax reasons”. In another case, they invented a bank with a German name for the IBAN of the Irish “Prepaid Financial Services” (with the preceding IE) – which suited them The fact that this inconspicuous institution is difficult to find on the Internet.

Our advice: Never transfer money to someone else’s checking account, regardless of whether it’s a German or foreign IBAN – you have almost no chance of getting it back. It is best to pick up the goods yourself and pay in cash. When it comes to shipping, eBay Classifieds insist on “pay securely” even if escrow is expensive for buyers. Alternatively suggest PayPal; there the seller pays the fee. Only use the “Goods and Services” option and observe the rules for buyer protection. Never give credit card details to strangers.

The real Nina P. acted prudently at this point: Before the proposed transfer, she asked the perpetrator to spontaneously send a photo of the cell phone via WhatsApp, next to which she should place a spoon as proof of authenticity. When the perpetrator looked for excuses, Nina P. broke the connection.

Fallen – what now?

If you get caught, contact your bank immediately. There may still be a (remaining) chance of stopping the transfer. The next step is to report it to the police. It is true that their chance of catching the perpetrators is small; However, this cannot be completely ruled out – and only the police can track down organized gangs at all. If you have sent copies of your identity card, also file a complaint: At least the police then know in suspicious cases that your identity is likely to be misused by third parties.

Also, report the fraudulent profile to the classifieds portal. The perpetrators may have more up their sleeve, but at least this one will hopefully be blocked. You can also report a website with stolen data and copyright violations of images and texts to the hoster – the decisive factor is the name server that you can find for .de domains with DENIC’s WhoIs. When asked, Jimdo assured us that they would check the relevant reports and block fraudulent sites and user accounts. If you get stuck, you can hire a lawyer. It is also worth checking the conditions of household contents insurance. Some also pay for damage caused by cybercrime.