
Learning from my Mistakes: How Scammers Almost got me

The last thing someone in the tech world wants to admit is how they almost got scammed on the internet. It’s frankly embarrassing. Someone who lives and works on computers all day, reading about privacy and security of software, learning how to protect against social engineering tactics.

But it still doesn’t take away from the fact that I was almost about to sell my laptop away and pay $450 to a scammer.

So like any other person, once proud of their ability to recognize and thwart digital scams, I had to figure out exactly what happened.

Since when did scammers evolve from sending Nigerian prince emails to psychologically intelligent payment scams?

I remember the good old days where scams were blatantly obvious phishing emails or “car warranty expiration” calls that even phone services could easily identify. But social media and the ever-increasing digitization of life have expanded the repertoire for social engineers.

Determining the target

Why did they choose me? I had simply made a listing on Facebook Marketplace to try and sell my old laptop, hoping to avoid the ~10% fee for selling on eBay. But what is it about that platform that makes me and others like me increasingly susceptible to scams? Craigslist, having been around since 1995, has its fair share of scams. The difference is, Facebook allows you to attach an identity.

This means sellers and buyers on Facebook Marketplace are especially enticing as well. Scammers can use the semi-public information available on your profile to develop a rapport. The more information, the better. If I were them, I would even go so far as to watch whether a particular item gets relisted with a lower price. This provides an indication of urgency. Urgency makes people stupid.

Establishing Validity

Okay, so once they found my listing, what happened? The most crucial thing is that they didn’t immediately start with talking about money. They needed me to trust them as a buyer.

  • Used a profile depicting an old-married couple. Although this didn’t deter me from still checking their profile, it did slightly reduce my defense. Finding nothing suspicious on their profile, it just strengthened their ‘claim’ as to who they were.
  • Asked to send more pictures of the laptop, indicating interest and presenting themselves as a cautious individual. I can’t really think about defending myself if I’m the one trying to get them to trust me.
  • Using legit shipping and payment. Obviously, nothing stands out easier than an obscure delivery or payment method. They restricted shipping to FedEx/USPS, both highly trusted. The payment method, Zelle, a secure, bank-to-bank transfer. Although it isn’t as commonplace as Venmo or PayPal, I’ve still used it often enough for transactions. Using these services made them seem more trustworthy by aligning with mainstream brands. They didn’t ask to use a mailed check, or a wire transfer via Western Union.

It wasn’t just about what they said or didn’t say, it’s about how they talked. It was a very cordial transaction experience. Proper grammar, full sentences, and a kind demeanor to boot. All wrapped within the context of a social network platform that allows you to communicate without even having to share your phone number or email. Your marketplace identity is your Facebook identity.

Does this add security or make you lower your guard?

Request only the right amount of information

Nothing screams scam like a blatantly obvious request for information or unsolicited money. Their goal was simple. To pass off a transaction on Zelle as legitimate. Zelle doesn’t require bank account numbers, but just the email address. They didn’t ask for anything more. No SSN, no phone number, no address. By limiting their requests, and using behavioral norms of a regular transaction, they made themselves appear legitimate.

Don’t skimp on the email

The first thing you look for when you get an email you weren’t expecting is the email address itself. Phishing prevention 101. Next are subtle markings in the email. Maybe the address is wonky, or the logo is inverted. Maybe the email colors don’t align well.

Why did it take me 30 minutes to figure out it was a scam? Because of how much effort they put into the details. No noticeable grammar mistakes. No mention of anomalous information or requests for money.

Here, take a look.

How I managed to escape

Nevertheless, I’m glad that their story still had some anomalies. Others unwilling or unable to do the research might have been like I was a few moments before I figured out it was a scam. Ecstatic to finally be about to sell their laptop. Finished wrapping the laptop in bubble wrap and filling the box with newspaper. Getting ready to print the FedEx label the next day. Jubilant at having gotten an amazing deal.

But while all that was happening, I was intermittently trying to figure out if it really was a scam.

  • Seeing if I had any previous Zelle emails to compare the current email to. Turns out, not only did I not have any emails, but the email address itself, upon further thought, should have been abcdxyz@zelle.com. A reminder to pay closer attention to the domain as well.
  • The scammer did the classic request for reimbursement of extra money. Right after they sent the email, I got a message saying that they had accidentally sent more money than expected, and asking if I could send the extra back. Not a big deal once the money actually cleared to my account. But things were starting to get sketchy now.
  • Reluctance to switch over to Venmo, eBay, or PayPal. I know those platforms have their own level of scams, but their adamant refusal to be flexible created suspicion.
  • The second email. The final nail in the coffin. After I admitted to them that I was not comfortable with using Zelle, I received a follow-up email, also from Zelle. This was it. This was the type of scam I was more familiar with and could easily identify. Asking for more money, making me jump through confusing hoops to do something as simple as receive money on an app I was fairly familiar with.
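
The domain check from the first bullet can be automated. The following is an added example, not part of the original post: it flags mail that names a brand in its From header but is not sent from that brand's domain, and also flags a Reply-To that points elsewhere. The `zelle.com` value comes from the post's remark above; the sample messages and the `.example` domains are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption taken from the post: genuine mail would come from an @zelle.com address.
BRAND_DOMAINS = {"zelle": "zelle.com"}

# Constructed sample messages (not the scammer's real emails).
SAMPLES = {
    "freemail": 'From: "Zelle Payments" <zelle.transfer@mail.example>\n'
                'Subject: Payment pending\n\nbody',
    "lookalike": 'From: Zelle <notice@zelle.com.pay.example>\n'
                 'Reply-To: help@other.example\nSubject: Action required\n\nbody',
    "expected": 'From: Zelle <abcdxyz@zelle.com>\nSubject: Payment\n\nbody',
}


def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower().rstrip(".")


def sender_warnings(raw_message):
    """Return warnings about who a raw email claims to be from."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    from_domain = domain_of(from_header)
    warnings = []
    for brand, legit in BRAND_DOMAINS.items():
        if brand not in from_header.lower():
            continue  # the message does not claim to be this brand
        # Exact match or a true subdomain only; "zelle.com.pay.example" must fail.
        if from_domain != legit and not from_domain.endswith("." + legit):
            warnings.append(f"claims {brand} but sent from {from_domain or 'no domain'}")
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"replies go to {reply_domain}, not {from_domain}")
    # A clean result is not proof: the From header itself can be forged,
    # which is what SPF/DKIM/DMARC results are for.
    return warnings


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, sender_warnings(raw))
```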

I can just imagine if I had been more tired, or lost in the excitement, I would probably have had a pretty upsetting and nerve-wracking few days. Instead, I was able to get away with just a late night spent doing some research.

As technology becomes increasingly complex, with us becoming increasingly integrated with it, it’s likely that scams will also continue to get more nefarious. Take GPT-3 for example. It may have restrictions on use but the exact thing which makes it a wonderful boon, also makes it dangerous.

This isn’t just a reminder to be more careful of scams, but to be more cautious with how technology is embedded into our lives. The flash just makes it that much easier to drown out the vulnerabilities it brings.